Fortinet Document Library

CLI Reference 6.0.6

np6-ipsec-engine

Use this command to configure NP6 IPsec engine status monitoring. NP6 IPsec engine status monitoring writes a system event log message if the IPsec engines in an NP6 processor become locked after receiving malformed packets.

If an IPsec engine becomes locked, that particular engine can no longer process IPsec traffic, reducing the capacity of the NP6 processor. The only way to recover from a locked IPsec engine is to restart the FortiGate device. If you notice an IPsec performance reduction over time on your NP6 accelerated FortiGate device, you could enable NP6 IPsec engine monitoring and check log messages to determine if your NP6 IPsec engines are becoming locked.

History

This command is new as of FortiOS 6.0.3.

config monitoring np6-ipsec-engine
    set status {enable | disable}   Enable/disable NP6 IPsec engine status monitoring.
    set interval {integer}   IPsec engine status check interval (1 - 60 seconds, default = 1). range[1-60]
    set threshold {string}   IPsec engine status check threshold (x x x x x x x x, 8 integers from <1> to <255>, default = 15 15 12 12 8 8 5 5). Example: a log message is generated if IPsec engine 0 is busy in each of 15 consecutive interval checks.
end

Additional information

The following section is for those options that require additional explanation.

status {disable | enable}

Enable or disable (default = disable) NP6 IPsec engine status monitoring.

interval

Set the IPsec engine status check time interval in seconds (range 1 to 60 seconds, default = 1).

threshold <engine-1-threshold> <engine-2-threshold>...<engine-8-threshold>

Set engine status check thresholds. An NP6 processor has eight IPsec engines and you can set a threshold for each engine. NP6 IPsec engine status monitoring regularly checks the status of all eight engines in all NP6 processors in the FortiGate device.

Each threshold is an integer between 1 and 255 and represents the number of consecutive status checks in which that engine is found busy before a log message is generated.

The default thresholds are 15 15 12 12 8 8 5 5. Any IPsec engine exceeding its threshold triggers the event log message. The default interval and thresholds were chosen to suit most network topologies: they balance timely reporting of a lock-up against accuracy, and take into account how NP6 processors distribute sessions across their IPsec engines. With the default settings:

  • If engine 1 or 2 is busy for 15 consecutive checks (15 seconds at the default 1-second interval), an event log message is triggered.
  • If engine 3 or 4 is busy for 12 consecutive checks (12 seconds at the default 1-second interval), an event log message is triggered.
  • And so on for the remaining engines.

NP6 IPsec engine monitoring writes three levels of log messages:

  • Information if an IPsec engine is found to be busy.
  • Warning if an IPsec engine exceeds a threshold.
  • Critical if a lockup is detected, meaning an IPsec engine continues to exceed its threshold.

The log messages include the NP6 processor and engine affected.
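The following Python model is an added illustration and is not FortiOS code. It validates the interval and threshold values the command accepts (8 integers from 1 to 255, interval 1 to 60 seconds) and replays a series of engine status checks so you can see when each of the three log levels would be reached. The exact escalation rule FortiOS uses is not published on this page; the model assumes "information" on any busy check, "warning" when the consecutive-busy count reaches the engine's threshold, and "critical" once the engine is still busy after exceeding it, with a non-busy check resetting the count. Engine numbering (1 to 8), the `np6_N` label and the log line format are assumptions chosen for readability.

```python
"""Illustrative model of NP6 IPsec engine status monitoring (not FortiOS code)."""
from dataclasses import dataclass, field
from typing import List

ENGINES_PER_NP6 = 8
DEFAULT_THRESHOLDS = "15 15 12 12 8 8 5 5"   # documented FortiOS default


def parse_thresholds(value: str) -> List[int]:
    """Validate a 'set threshold' string: exactly 8 integers, each 1..255."""
    parts = value.split()
    if len(parts) != ENGINES_PER_NP6:
        raise ValueError(f"expected {ENGINES_PER_NP6} thresholds, got {len(parts)}")
    thresholds = []
    for p in parts:
        if not p.isdigit() or not 1 <= int(p) <= 255:
            raise ValueError(f"threshold {p!r} is not an integer in 1..255")
        thresholds.append(int(p))
    return thresholds


def validate_interval(seconds: int) -> int:
    """Validate a 'set interval' value: 1..60 seconds."""
    if not 1 <= seconds <= 60:
        raise ValueError("interval must be 1..60 seconds")
    return seconds


@dataclass
class EngineMonitor:
    """Tracks one NP6's eight engines across periodic status checks.

    Assumed escalation (the page names the levels, not the exact rule):
      information - engine busy on this check
      warning     - consecutive busy checks reach the engine's threshold
      critical    - engine still busy after its threshold was exceeded
    """
    np6_id: int
    thresholds: List[int]
    interval: int = 1
    busy_runs: List[int] = field(default_factory=lambda: [0] * ENGINES_PER_NP6)

    def check(self, busy: List[bool]) -> List[str]:
        """Apply one status check; return the log lines it would emit."""
        logs = []
        for idx, (is_busy, thr) in enumerate(zip(busy, self.thresholds)):
            engine = idx + 1  # this page numbers engines 1..8
            if not is_busy:
                self.busy_runs[idx] = 0   # an idle check ends the busy run
                continue
            self.busy_runs[idx] += 1
            run = self.busy_runs[idx]
            if run < thr:
                level = "information"
            elif run == thr:
                level = "warning"
            else:
                level = "critical"
            logs.append(f"{level}: np6_{self.np6_id} ipsec engine {engine} busy "
                        f"for {run} checks ({run * self.interval}s), threshold {thr}")
        return logs


def simulate(thresholds: str, interval: int, busy_engine: int, checks: int) -> List[str]:
    """Run `checks` consecutive checks in which only `busy_engine` (1..8) is busy
    and return the log level emitted at each check ("none" if nothing was logged)."""
    mon = EngineMonitor(0, parse_thresholds(thresholds), validate_interval(interval))
    levels = []
    for _ in range(checks):
        busy = [e == busy_engine for e in range(1, ENGINES_PER_NP6 + 1)]
        logs = mon.check(busy)
        levels.append(logs[0].split(":")[0] if logs else "none")
    return levels


if __name__ == "__main__":
    # Constructed scenario: engine 3 stays busy under the default thresholds.
    for i, level in enumerate(simulate(DEFAULT_THRESHOLDS, 1, 3, 13), start=1):
        print(f"check {i:2d}: {level}")
```

With the defaults, engine 3 (threshold 12) produces eleven information entries, a warning at the twelfth consecutive busy check and a critical entry at the thirteenth; with the page's example settings (interval 5, thresholds 10 10 8 8 6 6 4 4) engine 7 reaches its warning after four checks, that is 20 seconds.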

Example:

config monitoring np6-ipsec-engine
    set status enable
    set interval 5
    set threshold 10 10 8 8 6 6 4 4
end