Supporting IPsec anti-replay protection
Because of how NP6 processors cache inbound IPsec SAs, IPsec VPN sessions with anti-reply protection that are terminated by the FortiGate may fail the replay check and be dropped.
You can use the following command to disable caching of inbound IPsec VPN SAs, allowing IPsec VPN sessions with anti-reply protection that are terminated by the FortiGate to work normally:
config system npu
set ipsec-inbound-cache disable
end
With caching enabled (the default), a single NP6 processor can run multiple IPsec engines to process IPsec VPN sessions terminated by the FortiGate. Disabling ipsec-inbound-cache
reduces performance of IPsec VPN sessions terminated by the FortiGate, because without caching an NP6 processor can only run one IPsec engine.
You must manually restart your FortiGate after disabling or enabling ipsec-inbound-cache
.
If your FortiGate contains multiple NP6 processors, you can improve performance while supporting anti-replay protection by creating a LAG of interfaces connected to multiple NP6 processors. This allows distribution of IPsec anti-replay traffic from one traffic stream to more than one NP6 processor; resulting in multiple IPsec engines being available. See Increasing NP6 offloading capacity using link aggregation groups (LAGs).
Disabling ipsec-inbound-cache
does not affect performance of other traffic terminated by the FortiGate and does not affect performance of traffic passing through the FortiGate.
NP6XLite and NP6Lite processors do not have this caching limitation. IP Sec VPN sessions with anti-replay protection that are passing through the FortiGate are not affected by this limitation. |