New Features

6.2.0

ECMP Acceleration in NAT Mode

In 6.0, Equal-Cost Multi-Path (ECMP) traffic is not offloaded to the NP6 processor in NAT mode. In 6.2, offloading this traffic is supported.

Topology

Set up ECMP for both the client and the server on the FortiGate. The FortiGate uses ECMP through port1 (p1) and port2 (p2) to the client, and ECMP through port3 (p3) and port4 (p4) to the server.

Example

This example demonstrates how the feature works.

Session one

This session demonstrates symmetric traffic with symmetric routing. No auxiliary session is created for the initial session.

Set the static route priority so that original traffic prefers p1 to p3 and reply traffic prefers p3 to p1. Verify that the session can be established and offloaded to the NP6 processor, and that the session counters correctly reflect the status of the session.

session info: proto=17 proto_state=00 duration=27 expire=473 timeout=500 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4

origin-shaper=

reply-shaper=

per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255

state=may_dirty npu route_preserve

statistic(bytes/packets/allow_err): org=60/2/1 reply=0/0/0 tuples=2

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=37->38/38->37 gwy=0.0.0.0/0.0.0.0

hook=pre dir=org act=noop 10.1.100.22:35101->172.16.204.44:5001(0.0.0.0:0)

hook=post dir=reply act=noop 172.16.204.44:5001->10.1.100.22:35101(0.0.0.0:0)

src_mac=90:6c:ac:19:19:58

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2

serial=00001c8e tos=ff/ff app_list=0 app=0 url_cat=0

rpdb_link_id = 00000000

dd_type=0 dd_mode=0

npu_state=0x000400

npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0017/0x0000

vlifid=142/0, vtag_in=0x0017/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=7/0

no_ofld_reason:

total session 1

Session two

Keep session one alive in the session table. Change the UDP session so that traffic from the client to the server goes through p2 to p3, in one direction only. Verify that a new auxiliary session can be established and offloaded to the NP6 processor, and that the session counters correctly reflect the status of the session.

session info: proto=17 proto_state=00 duration=241 expire=495 timeout=500 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper=

reply-shaper=

per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255

state=may_dirty npu route_preserve

statistic(bytes/packets/allow_err): org=126/4/1 reply=0/0/0 tuples=2

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=37->38/38->37 gwy=0.0.0.0/0.0.0.0

hook=pre dir=org act=noop 10.1.100.22:35101->172.16.204.44:5001(0.0.0.0:0)

hook=post dir=reply act=noop 172.16.204.44:5001->10.1.100.22:35101(0.0.0.0:0)

src_mac=90:6c:ac:19:19:58

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2

serial=00001c8e tos=ff/ff app_list=0 app=0 url_cat=0

rpdb_link_id = 00000000

dd_type=0 dd_mode=0

npu_state=0x000400

npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0017/0x0000

vlifid=142/0, vtag_in=0x0017/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=7/0

no_ofld_reason:

reflect info 0:

dev=36->38/38->36

npu_state=0x000400

npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0016/0x0000

vlifid=142/0, vtag_in=0x0016/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=7/0

total reflect session num: 1

total session 1

Reply traffic through p4

Keep sessions one and two alive. Send reply traffic from the server to the client in sessions one and two through p4 to p1/p2. Verify that new auxiliary sessions can be established and offloaded to the NP6 processor, and that the session counters correctly reflect the status of the session.

session info: proto=17 proto_state=01 duration=356 expire=497 timeout=500 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=6

origin-shaper=

reply-shaper=

per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255

state=may_dirty npu route_preserve

statistic(bytes/packets/allow_err): org=126/4/1 reply=66/2/1 tuples=2

tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=37->38/38->37 gwy=0.0.0.0/0.0.0.0

hook=pre dir=org act=noop 10.1.100.22:35101->172.16.204.44:5001(0.0.0.0:0)

hook=post dir=reply act=noop 172.16.204.44:5001->10.1.100.22:35101(0.0.0.0:0)

src_mac=90:6c:ac:19:19:58

misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=2

serial=00001c8e tos=ff/ff app_list=0 app=0 url_cat=0

rpdb_link_id = 00000000

dd_type=0 dd_mode=0

npu_state=0x000400

npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0017/0x0000

vlifid=142/0, vtag_in=0x0017/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=7/0

no_ofld_reason:

ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)

npu_state_err=00/04

reflect info 0:

dev=36->39/39->36

npu_state=00000000

npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000

vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0

reflect info 1:

dev=36->38/38->36

npu_state=0x000400

npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0, vlan=0x0016/0x0000

vlifid=142/0, vtag_in=0x0016/0x0000 in_npu=1/0, out_npu=1/0, fwd_en=0/0, qid=7/0

total reflect session num: 2

total session 1

Reply traffic through p3

Send reply traffic from the server to the client in the same sessions through p3 to p1/p2. Verify that no auxiliary sessions are created, that the sessions can be offloaded to the NP6 processor, and that the session counters correctly reflect the status of the session.

Offloading

The main session and the auxiliary session can both be offloaded to the NP6 processor if the policy allows offloading.
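
The verification steps above can be scripted against saved session output. The following Python sketch is an added example, not Fortinet code: it parses output in the format shown on this page and reports, for the main session and each "reflect info" (auxiliary) entry, the device path and whether the offload= field is nonzero in each direction. Treating a nonzero offload= value as "offloaded in that direction" is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the "Reply traffic through p4" output
# on this page, with fields unrelated to offloading trimmed.
SAMPLE = """\
session info: proto=17 proto_state=01 duration=356 expire=497 timeout=500
orgin->sink: org pre->post, reply pre->post dev=37->38/38->37 gwy=0.0.0.0/0.0.0.0
npu_state=0x000400
npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0
reflect info 0:
dev=36->39/39->36
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0
reflect info 1:
dev=36->38/38->36
npu_state=0x000400
npu info: flag=0x91/0x00, offload=8/0, ips_offload=0/0, epid=129/0, ipid=142/0
total reflect session num: 2
"""

def offload_report(text):
    """Return one dict per main or auxiliary (reflect) session entry."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("session info:"):
            cur = {"kind": "main", "dev": None, "org": False, "reply": False}
            entries.append(cur)
        elif (m := re.match(r"reflect info (\d+):", line)):
            cur = {"kind": "reflect " + m.group(1), "dev": None,
                   "org": False, "reply": False}
            entries.append(cur)
        elif cur is None:
            continue  # ignore anything before the first session header
        elif (m := re.search(r"\bdev=(\d+->\d+/\d+->\d+)", line)):
            cur["dev"] = m.group(1)
        elif (m := re.search(r"\boffload=(\d+)/(\d+)", line)):
            # \b keeps ips_offload= from matching; nonzero is assumed to mean
            # "offloaded" for the original / reply direction respectively.
            cur["org"], cur["reply"] = m.group(1) != "0", m.group(2) != "0"
    return entries

def not_offloaded(text):
    """Names of entries with no direction offloaded to the NPU."""
    return [e["kind"] for e in offload_report(text)
            if not (e["org"] or e["reply"])]

if __name__ == "__main__":
    for entry in offload_report(SAMPLE):
        print(entry)
    print("not offloaded:", not_offloaded(SAMPLE))
```

On the sample, the auxiliary session on the p4 path (reflect info 0, dev=36->39/39->36) is the only entry reported as not offloaded, which matches the ofld_fail_reason "not-established" line in the full output.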

 
