CAPWAP Offloading (NP6 only)
Simple Network Topology
NP6 offloading of CAPWAP traffic is supported on all high-end FortiGate models and most mid-range models.
NP6 offloading over CAPWAP configuration
- NP6 session fast path requirements:
  - Enable the capwap-offload option in system npu:
    config system npu
        set capwap-offload enable
    end
  - Enable auto-asic-offload in the firewall policy:
    config firewall policy
        edit 1
            set auto-asic-offload enable
        next
    end
- NP6 offloading over CAPWAP traffic is supported:
  - only with traffic from Tunnel mode VAP.
  - when dtls-policy is clear-text or ipsec-vpn in the wireless-controller wtp-profile configuration.
- Traffic is not offloaded when dtls-policy=dtls-enable.
- Fragmented traffic is not offloaded.
Verify the system session of NP6 offloading
- Check the system session when dtls-policy=clear-text to verify npu info: flag=0x81/0x89, offload=8/8
FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=21 expire=3591 tim
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=5
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1
- Check the system session when dtls-policy=ipsec-vpn to verify npu info: flag=0x81/0x82, offload=8/8
FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=7 expire=3592 time
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/ state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tupl
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1
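The check above can be run over a saved `diag sys session list` capture instead of being read by eye. The following is an added example, not Fortinet's code: the function name `check_offload` and the sample text are assumptions, and the expected flag and offload values are the ones shown in the two captures on this page.

```python
import re

# Expected "npu info" values per dtls-policy, copied from the two captures on this page.
EXPECTED = {
    "clear-text": ("0x81/0x89", "8/8"),
    "ipsec-vpn": ("0x81/0x82", "8/8"),
}
NPU_INFO = re.compile(r"npu info: flag=([0-9a-fx/]+), offload=(\d+/\d+)")
SERIAL = re.compile(r"\bserial=([0-9a-f]+)")

def check_offload(output, dtls_policy):
    """Return [(serial, flag, offload, matches_expected)] for each session."""
    if dtls_policy not in EXPECTED:
        raise ValueError(f"page gives no offload values for dtls-policy={dtls_policy}")
    results = []
    # Every session in the listing starts with a "session info:" line.
    for block in re.split(r"(?m)^session info:", output)[1:]:
        serial = SERIAL.search(block)
        npu = NPU_INFO.search(block)
        flag, offload = npu.groups() if npu else (None, None)
        results.append((serial.group(1) if serial else None, flag, offload,
                        (flag, offload) == EXPECTED[dtls_policy]))
    return results

# Constructed sample: trimmed sessions modelled on the page's clear-text capture.
# The second session's values and the third session's missing npu line are invented here.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=21 expire=3591
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
session info: proto=6 proto_state=01 duration=5 expire=3594
serial=00009a98 tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0
session info: proto=17 proto_state=00 duration=2 expire=178
serial=00009a99 tos=ff/ff app_list=0 app=0 url_cat=0
total session 3
"""

if __name__ == "__main__":
    for serial, flag, offload, ok in check_offload(SAMPLE, "clear-text"):
        print(f"serial={serial} flag={flag} offload={offload} ->",
              "matches page" if ok else "does NOT match page")
```

Sessions reported as not matching are the ones to compare against the restrictions listed earlier (Tunnel mode VAP, dtls-policy setting, fragmentation).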