In some situations, clear text or ESP packets in IPsec sessions may have large amounts of layer 2 padding. The NP6 IPsec engine may not be able to process these packets, and the session may be blocked.
If you notice dropped IPsec sessions, you can try the following CLI options, which cause the NP6 processor to strip clear text padding and ESP padding before sending the packets to the IPsec engine. With the padding stripped, the IPsec engine can process the session normally.
Use the following commands to strip clear text padding and ESP padding:
config system npu
    set strip-esp-padding enable
    set strip-clear-text-padding enable
end
Stripping clear text and ESP padding are both disabled by default.