Preventing packet ordering problems
In some cases when FortiGate units with NP6, NP6XLite, or NP6Lite processors are under heavy load, the packets used in the TCP 3-way handshake of some sessions may be transmitted by the FortiGate in the wrong order, resulting in the TCP sessions failing.
If you notice TCP sessions failing when a FortiGate with NP6, NP6XLite, or NP6Lite processors is very busy, you can enable delay-tcp-npu-session in the firewall policy receiving the traffic. This option resolves the problem by delaying the session to make sure that there is time for all of the handshake packets to reach the destination before the session begins transmitting data.
config firewall policy
    edit <policy-id>
        set delay-tcp-npu-session enable
    next
end