CAPWAP Offloading (NP6 only)

CAPWAP Offloading (NP6 only)

Simple Network Topology

NP6 offloading over CAPWAP traffic is supported by all the FortiGate high-level models and most middle-level models.

NP6 offloading over CAPWAP configuration

  1. NP6 session fast path requirements:

config system npu set capwap-offload enable end

  1. Enable the capwap-offload option in system npu

config firewall policy edit 1

set auto-asic-offload enable

next end

  1. NP6 offloading over CAPWAP traffic is supported:
    • only with traffic from Tunnel mode VAP. l dtls-policy is clear-text or ipsec-vpn in wireless-controller wtp-profile configuration.
    • Traffic is not offloaded when dtls-policy=dtls-enable l Traffic is not offloaded with fragment.

Verify the system session of NP6 offloading

  • check the system session, when dtls-policy=clear-text to verify npu info: flag=0x81/0x89, offload=8/8

FG1K2D3I16800192 (vdom1) # diag sys session list

session info: proto=6 proto_state=01 duration=21 expire=3591 tim

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper= reply-shaper= per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu f00

statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=5 tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=57->37/37->57

gwy=172.16.200.44/10.65.1.2 hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(1 hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50 pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000c00

npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158

vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f total session 1

l check the system session, when dtls-policy=ipsec-vpn to verify npu info: flag=0x81/0x82, offload=8/8 FG1K2D3I16800192 (vdom1) # diag sys session list

session info: proto=6 proto_state=01 duration=7 expire=3592 time

flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5

origin-shaper= reply-shaper= per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/ state=log may_dirty npu f00

statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tupl tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0

orgin->sink: org pre->post, reply pre->post dev=57->37/37->57

gwy=172.16.200.44/10.65.1.2 hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(1 hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50 pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id = 00000000 dd_type=0 dd_mode=0 npu_state=0x000c00

npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158

vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f

total session 1


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.