NP6 processors use multiple IPsec engines to accelerate IPsec encryption and decryption. In some cases, out-of-order ESP packets can cause problems if multiple IPsec engines are running. To resolve this problem, you can configure all of the NP6 processors to use fewer IPsec engines.
Use the following command to change the number of IPsec engines used for decryption (ipsec-dec-subengine-mask) and encryption (ipsec-enc-subengine-mask). These settings are applied to all of the NP6 processors in the FortiGate unit.
config system npu
    set ipsec-dec-subengine-mask <engine-mask>
    set ipsec-enc-subengine-mask <engine-mask>
end
<engine-mask> is a hexadecimal number in the range 0x01 to 0xff where each bit represents one IPsec engine. The default <engine-mask> for both options is 0xff, which means all IPsec engines are used. Enter a lower <engine-mask>, one with fewer bits set, to use fewer engines. You can configure different engine masks for encryption and decryption.
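
The following script is an added example, not Fortinet code. It reads a saved configuration, extracts the two engine masks from the config system npu block, and reports how many IPsec engines each one enables. The function names and the sample configuration text are constructed for illustration, and an option that is not present is assumed to be at the 0xff default.

```python
import re

DEFAULT_MASK = 0xFF  # default for both options: all IPsec engines used
OPTIONS = ("ipsec-dec-subengine-mask", "ipsec-enc-subengine-mask")
SET_RE = re.compile(r"set (\S+) (0[xX][0-9a-fA-F]+)")


def parse_npu_masks(config_text):
    """Return {option: mask} from 'config system npu'; absent options get the default."""
    masks = {opt: DEFAULT_MASK for opt in OPTIONS}
    depth = 0  # 0 = outside the npu block, 1 = directly inside, >1 = nested sub-block
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system npu":
                depth = 1
        elif line.startswith("config "):
            depth += 1  # nested block: its 'set' lines are not ours
        elif line == "end":
            depth -= 1
        elif depth == 1:
            m = SET_RE.fullmatch(line)
            if m and m.group(1) in OPTIONS:
                masks[m.group(1)] = int(m.group(2), 16)
    return masks


def engines_enabled(mask):
    """Count the engines a mask selects (one bit per engine); reject out-of-range values."""
    if not 0x01 <= mask <= 0xFF:
        raise ValueError(f"engine mask {mask:#04x} is outside 0x01-0xff")
    return bin(mask).count("1")


# Constructed sample: decryption limited to four engines, encryption left at default.
SAMPLE = """\
config system npu
    set ipsec-dec-subengine-mask 0x0f
end
"""

if __name__ == "__main__":
    for option, mask in parse_npu_masks(SAMPLE).items():
        print(f"{option}: {mask:#04x} -> {engines_enabled(mask)} engine(s)")
```

A mask of 0x00 or a value above 0xff raises ValueError, which catches a typo in a configuration template before it is pushed to a unit.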