Version:

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

diagnose sys session list and no_ofld_reason field (NP7 session information)

The diagnose sys session list and diagnose sys session6 list commands list all of the current IPv4 or IPv6 sessions being processed by the FortiGate. For each session the command output includes an npu info line that displays NPx offloading information for the session. If a session is not offloaded, the command output includes a no_ofld_reason line that indicates why the session was not offloaded.

The no_ofld_reason field appears in the output of the diagnose sys session list or diagnose sys sessions6 list command to indicate why the session wasn't offloaded by an NP6 processor. The field appears for sessions that normally would be offloaded but for some reason can't currently be offloaded. The following table lists and explains some of the reasons that a session could not be offloaded. Note that more than one of these reasons can appear in the no_ofld_reason field for a single session.

no_ofld_reason

Description

dirty

Because of a configuration change to routing, firewall policies, interfaces, ARP tables, or other configuration, the session needs to be revalidated by FortiOS. Traffic may still be processed by the session, but it will not be offloaded until the session has been revalidated.

local The session is a local-in or local-out session that can't be offloaded. Examples include management sessions, SSL VPN sessions accessing an SSL VPN portal, explicit proxy sessions, and so on.
disabled-by-policy The firewall policy option auto-asic-offload is disabled in the firewall policy that accepted the session. This reason can also appear if one or more of the interfaces handling the session are software switch interfaces.
non-npu-intf The incoming or outgoing interface handling the sessions is not an NP6-accelerated interface or is part of a software switch. This reason may also appear if when the config system npu option fastpath is disabled.
npu-flag-off The session is not offloaded because of hardware or software limitations. For example, the session could be using EMAC VLAN interfaces or the session could be for a protocol or service for which offloading is not supported. For example, before NP6 processors supported offloading IPv6 tunnel sessions, npu-flag-off would appear in the no_ofld_reason field for IPv6 tunnel sessions.
redir-to-ips Normally this session is expected to be offloaded to the NP6 processor by the IPS, but for some reason the session cannot be offloaded. May be caused by a bug. The no_ofld_reason field may contain more information.

denied-by-nturbo

A session being processed by the IPS that could normally be offloaded is not supported by nTurbo. May be caused by a bug. Can be paired with redir-to-ips.

block-by-ips

A session being processed by the IPS that could normally be offloaded is blocked. May be caused by a bug. Can be paired with redir-to-ips.

redir-to-av

Flow-based antivirus is preventing offloading of this session.

sflow sFlow is enabled for one or both of the interfaces handling the session. sFlow periodic traffic sampling that can only be done by the CPU.
mac-host-check

Device identification has not yet identified the device communicating with the FortiGate using this session. Once the device has been identified the session may be offloaded.

offload-denied

Usually this reason appears if the session is being handled by a session helper and sessions handled by this session helper can't be offloaded.

not-established A TCP session is not in its established state (proto_state=01).

diagnose sys session list and no_ofld_reason field (NP7 session information)

The diagnose sys session list and diagnose sys session6 list commands list all of the current IPv4 or IPv6 sessions being processed by the FortiGate. For each session the command output includes an npu info line that displays NPx offloading information for the session. If a session is not offloaded, the command output includes a no_ofld_reason line that indicates why the session was not offloaded.

The no_ofld_reason field appears in the output of the diagnose sys session list or diagnose sys sessions6 list command to indicate why the session wasn't offloaded by an NP6 processor. The field appears for sessions that normally would be offloaded but for some reason can't currently be offloaded. The following table lists and explains some of the reasons that a session could not be offloaded. Note that more than one of these reasons can appear in the no_ofld_reason field for a single session.

no_ofld_reason

Description

dirty

Because of a configuration change to routing, firewall policies, interfaces, ARP tables, or other configuration, the session needs to be revalidated by FortiOS. Traffic may still be processed by the session, but it will not be offloaded until the session has been revalidated.

local The session is a local-in or local-out session that can't be offloaded. Examples include management sessions, SSL VPN sessions accessing an SSL VPN portal, explicit proxy sessions, and so on.
disabled-by-policy The firewall policy option auto-asic-offload is disabled in the firewall policy that accepted the session. This reason can also appear if one or more of the interfaces handling the session are software switch interfaces.
non-npu-intf The incoming or outgoing interface handling the sessions is not an NP6-accelerated interface or is part of a software switch. This reason may also appear if when the config system npu option fastpath is disabled.
npu-flag-off The session is not offloaded because of hardware or software limitations. For example, the session could be using EMAC VLAN interfaces or the session could be for a protocol or service for which offloading is not supported. For example, before NP6 processors supported offloading IPv6 tunnel sessions, npu-flag-off would appear in the no_ofld_reason field for IPv6 tunnel sessions.
redir-to-ips Normally this session is expected to be offloaded to the NP6 processor by the IPS, but for some reason the session cannot be offloaded. May be caused by a bug. The no_ofld_reason field may contain more information.

denied-by-nturbo

A session being processed by the IPS that could normally be offloaded is not supported by nTurbo. May be caused by a bug. Can be paired with redir-to-ips.

block-by-ips

A session being processed by the IPS that could normally be offloaded is blocked. May be caused by a bug. Can be paired with redir-to-ips.

redir-to-av

Flow-based antivirus is preventing offloading of this session.

sflow sFlow is enabled for one or both of the interfaces handling the session. sFlow periodic traffic sampling that can only be done by the CPU.
mac-host-check

Device identification has not yet identified the device communicating with the FortiGate using this session. Once the device has been identified the session may be offloaded.

offload-denied

Usually this reason appears if the session is being handled by a session helper and sessions handled by this session helper can't be offloaded.

not-established A TCP session is not in its established state (proto_state=01).