
Administration Guide

Diagnosing SSL Card issues

Collect the information below for further analysis:

  1. Diagnostic commands for the hardware SSL card:

    FortiWeb# diagnose hardware check sslcard

    Ssl card intel check Pass #intel card

    FortiWeb # diagnose hardware check sslcard

    Ssl card cp9 check Pass #cp9 card

    ##After v5.85, ssl card status can be shown with:

    FortiWeb# diagnose debug sslhardwarestatus show

    proxyd using cp9 engine #cp9 card works

    Or

    FortiWeb# diagnose debug sslhardwarestatus show

    proxyd not using engine #cp9 card does not work well

    FortiWeb # diagnose hardware cavium3 status

    Or

    FortiWeb # diagnose hardware cp9 status

    Tue Jan 18 22:07:53 2022

    kxp[0]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    kxp[1]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    vpn[0]:{0:0:0:0:}

    vpn[1]:{0:0:0:0:}

    ##The commands below are available but might be removed soon

    FortiWeb # diagnose hardware cp9 test 1

    cp_uio: Detect KXP device[0]

    cp_uio: Detect KXP device[1]

    cp_uio: Detect VPN device[0]

    cp_uio: Detect VPN device[1]

    Testing kxpvpn memory...

    num 1 alloc 1 done

    Done

    Testing RNG interface(bytes: 4080)...

    Done

    Testing BN_mod_exp interface...

    Testing BN_mod_exp mod 1K

    Done

    Testing BN_mod_exp mod 2K

    Done

    Testing BN_mod_exp mod 3K

    Done

    Testing BN_mod_exp mod 4K

    1.0 ops/s 0.0 MB/s

    Done

    Done

    Testing RSA_mod_exp interface...

    Testing RSA_mod_exp mod 1k

    Done

    Testing RSA_mod_exp mod 2k

    Done

    Testing RSA_mod_exp mod 3k

    Done

    Testing RSA_mod_exp mod 4k

    Done

    Done

    Testing ssl3_generate_master_secret...

    Done

    Testing ssl3_setup_key_block...

    1.0 ops/s 0.0 MB/s

    Done

    Testing tls_generate_master_secret...

    Done

    Testing tls_setup_key_block...

    Done

    Testing ECSKEY(NID:415, prime256v1)...

    Done

    Testing ECSKEY(NID:715, secp384r1)...

    Done

    Testing ECSKEY(NID:716, secp521r1)...

    1.0 ops/s 0.0 MB/s

    Done

    Testing ECSIGN(NID:415, prime256v1)...

    Testing ECSIGN(NID:715, secp384r1)...

    Testing ECSIGN(NID:716, secp521r1)...

    Testing ECVERIFY(NID:415, prime256v1)...

    Testing ECVERIFY(NID:715, secp384r1)...

    1.0 ops/s 0.0 MB/s

    Testing ECVERIFY(NID:716, secp521r1)...

    Testing AES interface...

    Done

    Testing DES interface...

    Done

    Testing 3DES interface...

    Done

    >>>> System Memory <<<<

    block[128]: 2048/2048

    block[256]: 2048/2048

    block[512]: 2048/2048

    block[1024]: 10240/10240

    block[2048]: 10240/10240

    block[4096]: 10240/10240

    block[8192]: 8192/8192

    block[16384]: 2048/2048

    block[32768]: 2048/2048

    Size: 237312 Mbytes

    >>>> Status <<<<

    kxp[0]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    kxp[1]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    vpn[0]:{0:0:0:0:}

    vpn[1]:{0:0:0:0:}

    RNG 1 0 0

    SSL3_GENMS 1 0 0

    SSL3_GENKM 1 0 0

    TLS_GENMS 1 0 0

    TLS_GENKM 1 0 0

    PKCE_1024 1 0 0

    PKCE_2048 1 0 0

    PKCE_4096 2 0 0

    CRT_PARAM_1024 1 0 0

    CRT_PARAM_2048 1 0 0

    CRT_PARAM_4096 2 0 0

    CRT_1024 1 0 0

    CRT_2048 1 0 0

    CRT_4096 2 0 0

    EC_SIGN 3 0 0

    EC_VERIFY 3 0 0

    ECSKEY 3 0 0

    NID_aes_128_sha1 1 0 0

    NID_des_ede3_cbc 1 0 0

    NID_des_cbc 1 0 0

  2. If you suspect that the hardware SSL card has a problem, you can disable it and check whether software SSL works correctly with the commands below:

    ##Enabling high-compatibility-mode turns off the hardware SSL card

    FortiWeb# dia de sslhardwarestatus show

    proxyd using intel engine

    FortiWeb # config server-policy setting

    FortiWeb (setting) # set high-compatibility-mode enable

    FortiWeb (setting) # end

    high compatibility mode:This operation will restart proxyd and clear the current connection!

    Do you want to continue? (y/n)y

    FortiWeb # show server-policy setting

    config server-policy setting

    set high-compatibility-mode enable

    end

    FortiWeb # diagnose debug sslhardwarestatus show

    proxyd not using engine

  3. Check for more detailed information in dmesg or /var/log/dmesg/kern.log:

    [ 50.617068] Loading QAT CONTIG MEM Module ...

    [ 50.893620] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines

    [ 51.508620] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines

    [ 51.859112] igb 0000:02:00.0 mgmt1: igb: mgmt1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX

    [ 51.862020] QAT: Stopping all acceleration devices.

    [ 51.862029] c6xx 0000:1a:00.0: qat_dev0 stopped 8 acceleration engines

    [ 51.862324] c6xx 0000:1a:00.0: Resetting device qat_dev0

    [ 51.862325] c6xx 0000:1a:00.0: Function level reset

    [ 51.965722] c6xx 0000:1b:00.0: qat_dev1 stopped 8 acceleration engines

    [ 51.965811] IPv6: ADDRCONF(NETDEV_CHANGE): mgmt1: link becomes ready

    [ 51.966034] c6xx 0000:1b:00.0: Resetting device qat_dev1

    [ 51.966034] c6xx 0000:1b:00.0: Function level reset

    [ 53.071493] c6xx 0000:1a:00.0: Starting acceleration device qat_dev0.

    [ 53.334619] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines

    [ 53.688343] c6xx 0000:1b:00.0: Starting acceleration device qat_dev1.

    [ 53.951619] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
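As an added example, not part of the FortiWeb guide, the script below applies the three checks above to collected output: the sslcard check result, the proxyd engine status read together with the high-compatibility-mode setting, and the last reported state of each QAT device in the kernel log. The sample strings are constructed from the transcripts on this page, with qat_dev1 deliberately left in the stopped state to show the failure case.

```python
import re

# Constructed samples modelled on the transcripts above (not captured from a real unit);
# qat_dev1 is deliberately left "stopped" to show the failure case.
SSLCARD_CHECK = "Ssl card cp9 check Pass"
HW_STATUS = "proxyd not using engine"
POLICY_SETTING = "config server-policy setting\n    set high-compatibility-mode enable\nend"
KERN_LOG = """[ 50.893620] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
[ 51.862029] c6xx 0000:1a:00.0: qat_dev0 stopped 8 acceleration engines
[ 51.965722] c6xx 0000:1b:00.0: qat_dev1 stopped 8 acceleration engines
[ 53.334619] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
"""

QAT_RE = re.compile(r"c6xx (\S+): (qat_dev\d+) (started|stopped) (\d+) acceleration engines")

def qat_final_state(kern_log):
    """Last reported state per QAT device: {dev: (pci_addr, 'started'|'stopped', engines)}."""
    state = {}
    for m in QAT_RE.finditer(kern_log):
        pci, dev, verb, engines = m.groups()
        state[dev] = (pci, verb, int(engines))  # later lines overwrite earlier ones
    return state

def hw_engine(status_line):
    """Engine name from 'diagnose debug sslhardwarestatus show', or None when none is in use."""
    m = re.search(r"proxyd using (\S+) engine", status_line)
    return m.group(1) if m else None

def high_compat_enabled(setting_output):
    """True when 'show server-policy setting' reports high-compatibility-mode enabled."""
    return re.search(r"set high-compatibility-mode enable", setting_output) is not None

def assess(check_line, status_line, setting_output, kern_log):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if "Pass" not in check_line:
        findings.append("sslcard check did not pass: " + check_line.strip())
    engine = hw_engine(status_line)
    if engine is None and not high_compat_enabled(setting_output):
        # The card should be in use but proxyd fell back to software: suspect the card.
        findings.append("proxyd not using any engine while high-compatibility-mode is disabled")
    elif engine is None:
        findings.append("software SSL in use by configuration (high-compatibility-mode enabled)")
    for dev, (pci, verb, engines) in sorted(qat_final_state(kern_log).items()):
        if verb != "started" or engines == 0:
            findings.append(f"{dev} ({pci}) last seen {verb} with {engines} engines")
    return findings

if __name__ == "__main__":
    for finding in assess(SSLCARD_CHECK, HW_STATUS, POLICY_SETTING, KERN_LOG):
        print("-", finding)
```

Feed it the real output of the commands in steps 1 to 3; a device whose last kernel-log line is "stopped", or a proxyd that uses no engine while high-compatibility-mode is disabled, is the case to escalate.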
