CAPWAP Offloading (NP6 only)
Simple Network Topology
NP6 offloading over CAPWAP traffic is supported by all the FortiGate high-level models and most middle-level models.
NP6 offloading over CAPWAP configuration
- Enable the capwap-offload option in system npu:
config system npu
    set capwap-offload enable
end
- NP6 session fast path requirements:
config firewall policy
    edit 1
        set auto-asic-offload enable
    next
end
- NP6 offloading over CAPWAP traffic is supported:
  - only for traffic from a Tunnel mode VAP.
  - only when dtls-policy is clear-text or ipsec-vpn in the wireless-controller wtp-profile configuration.
  - Traffic is not offloaded when dtls-policy=dtls-enable.
  - Fragmented traffic is not offloaded.
Verify the system session of NP6 offloading
- Check the system session when dtls-policy=clear-text and verify npu info: flag=0x81/0x89, offload=8/8
FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=21 expire=3591 tim
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=5
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1
- Check the system session when dtls-policy=ipsec-vpn and verify npu info: flag=0x81/0x82, offload=8/8
FG1K2D3I16800192 (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=7 expire=3592 time
flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper= reply-shaper= per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tupl
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=57->37/37->57
gwy=172.16.200.44/10.65.1.2
hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(1
hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158
vlan=0x0000/0x0000 vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, f
total session 1
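The following Python script is an added example, not part of the original documentation: it parses saved diag sys session list output and compares each session's npu info flag and offload values with the ones this page gives for the configured dtls-policy. The function names, the shortened prompt, and the second sample session (not offloaded) are constructed for illustration.

```python
import re

# Values this page says to expect in "npu info" for an offloaded CAPWAP session.
EXPECTED_FLAG = {"clear-text": "0x81/0x89", "ipsec-vpn": "0x81/0x82"}
EXPECTED_OFFLOAD = "8/8"
NPU_RE = re.compile(r"npu info: flag=(0x[0-9a-fA-F]+/0x[0-9a-fA-F]+), offload=(\d+/\d+)")
SERIAL_RE = re.compile(r"\bserial=([0-9a-fA-F]+)")

def parse_sessions(text):
    """Split 'diag sys session list' output into one dict per session."""
    sessions = []
    for chunk in re.split(r"(?m)^(?=session info:)", text):
        if not chunk.startswith("session info:"):
            continue  # text before the first session, such as the CLI prompt
        npu = NPU_RE.search(chunk)
        serial = SERIAL_RE.search(chunk)
        sessions.append({
            "serial": serial.group(1) if serial else None,
            "flag": npu.group(1) if npu else None,
            "offload": npu.group(2) if npu else None,
        })
    return sessions

def offload_findings(session, dtls_policy):
    """Return how a session differs from the values on this page (empty list = as expected)."""
    if dtls_policy not in EXPECTED_FLAG:
        return [f"dtls-policy={dtls_policy}: offload is listed only for clear-text and ipsec-vpn"]
    findings = []
    if session["offload"] != EXPECTED_OFFLOAD:
        findings.append(f"offload={session['offload']}, expected {EXPECTED_OFFLOAD}")
    if session["flag"] != EXPECTED_FLAG[dtls_policy]:
        findings.append(f"flag={session['flag']}, expected {EXPECTED_FLAG[dtls_policy]}")
    return findings

# Constructed sample: session 1 reuses values shown on this page; session 2 is made up.
SAMPLE = """\
FGT (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=21 expire=3591
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=00009a97 tos=ff/ff
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158
session info: proto=6 proto_state=01 duration=3 expire=3597
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1 serial=0000b001 tos=ff/ff
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0
total session 2
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["serial"], offload_findings(s, "clear-text") or "offloaded as expected")
```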