This article describes the case where SCTP packets (IP protocol 132) cannot pass through the FortiGate and do not appear in the packet sniffer run from the CLI.
Investigation shows that the problem is specific to SCTP. SCTP packets with protocol 132 are seen on the interfaces in front of the FortiGate and on the interfaces behind it, but the SCTP traffic does not pass through the FortiGate, and the packets do not show up in the FortiGate packet sniffer either.
Scope
FortiGate v7.2.x
Solution
Run the following CLI command to check the NP7 drop counters:
FGT # diag npu np7 dce-drop-all all
If VDOMs are enabled, run the command from the global context:
FGT # config global
FGT (global) # diag npu np7 dce-drop-all all
Step 1: Run the command a first time:
FGT (global) # diag npu np7 dce-drop-all all
<EIF drop counters> [NP7_0]
Counter                   EIF_0      EIF_1      EIF_2      EIF_3      EIF_4      EIF_5      EIF_6      EIF_7      Total
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
[1]l3l4_parse                  60922      60392      61016      61006          0          0          0          0       243336
[27]tcp_csum                   67936      68243      68362      68067      68996      68411      68688      69229       547932
[29]tcp_synoptpar               2539       2550       2526       2656       2461       2545       2472       2592        20341
[32]udp_csum                   33122      32979      32965      32703     220323     219886     220365     219777      1012120
[33]ulite_csum                     0          0          0          0          0          0          0          1            1
[35]udp_plen                    4196       4171       4093       4274       6992       6717       6820       6765        44028
[38]icmp_csum                  31120      31037      30927      30968      30110      29483      29931      29505       243081
[42]sctp_crc                32098595   32110181   32105646   32104078   29560797   29550075   29555965   29560972    246646309
[48]vxlan_minlen                 187        172        189        168        134        164        169        150         1333
[51]tcp_hlenvsl4l2n             1264       1284       1202       1262       1178       1235       1187       1224         9836
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
Total_drop : 248768317
<HTX drop counters> [NP7_0]
Counter                   HTX_0      HTX_1      HTX_2      HTX_3      Total
------------------------- ---------- ---------- ---------- ---------- ------------
[31]udp_ulite_minlen               0          0          0          1            1
------------------------- ---------- ---------- ---------- ---------- ------------
Total_drop : 1
<DFR drop counters> [NP7_0]
Counter                   DFR
------------------------- ----------
None
------------------------- ----------
Total_drop : 0
<IPTI drop counters> [NP7_0]
Counter                   IPTI_0     IPTI_1     IPTI_2     IPTI_3     Total
------------------------- ---------- ---------- ---------- ---------- ------------
None
------------------------- ---------- ---------- ---------- ---------- ------------
Total_drop : 0
<L2TI drop counters> [NP7_0]
Counter                   L2TI_0     L2TI_1     L2TI_2     L2TI_3     Total
------------------------- ---------- ---------- ---------- ---------- ------------
None
------------------------- ---------- ---------- ---------- ---------- ------------
Total_drop : 0
<XHP drop counters> [NP7_0]
Counter                   XHP_0      XHP_1      XHP_2      XHP_3      Total
------------------------- ---------- ---------- ---------- ---------- ------------
None
------------------------- ---------- ---------- ---------- ---------- ------------
Total_drop : 0
<L2P drop counters> [NP7_0]
Module          SSE_TPE    EGR_FLOW   IGR_FLOW   TPE        MAC_FILTER ETH_ACT    TGT_ACT    SRC_ACT    Total
--------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- -----------
eif_0                    0          0          0          0    4232895          0          0          0     4232895
eif_1                    0          0          0          0    5653901          0          0          1     5653902
sse_0                    0          0          0          0          0          0          0      13683       13683
sse_1                    0          0          0          0          0          0          0       7262        7262
sse_2                    0          0          0          0          0          0          0       3095        3095
sse_3                    0          0          0          0          0          0          0       4016        4016
--------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- -----------
Total_drop : 9914853
<HIF drop counters> [NP7_0]
Qid DSWH_DTS   HRX_NOBD   HTX2DSWH   HTL2DSWH
--- ---------- ---------- ---------- ----------
None
--- ---------- ---------- ---------- ----------
Total_drop : 0
<IPSec drop counters> [NP7_0]
Counter           Value
----------------- ----------
None
----------------- ----------
Total_drop(enc/dec): 0/0
<SSE drop counters> [NP7_0]
Counter         Value
--------------- ----------
None
--------------- ----------
Total_drop 0
--------------- ----------
<DSW drop counters> [NP7_0]
SRC_mod -> DST_mod Drop
---------- ---------- ----------
None
---------- ---------- ----------
Total_drop : 0
FGT (global) #
Step 2: Wait a while and run the command a second time:
FGT # diag npu np7 dce-drop-all all
<EIF drop counters> [NP7_0]
Counter                   EIF_0      EIF_1      EIF_2      EIF_3      EIF_4      EIF_5      EIF_6      EIF_7      Total
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
[1]l3l4_parse                  60922      60392      61016      61006          0          0          0          0       243336
[27]tcp_csum                   67936      68243      68362      68067      68996      68411      68688      69229       547932
[29]tcp_synoptpar               2539       2550       2526       2656       2461       2545       2472       2592        20341
[32]udp_csum                   33122      32979      32965      32703     220323     219886     220365     219777      1012120
[33]ulite_csum                     0          0          0          0          0          0          0          1            1
[35]udp_plen                    4196       4171       4093       4274       6993       6717       6820       6765        44029
[38]icmp_csum                  31120      31037      30927      30968      30110      29483      29931      29505       243081
[42]sctp_crc                32098595   32110181   32105647   32104079   29560798   29550075   29555970   29560974    246646319
[48]vxlan_minlen                 187        172        189        168        134        164        169        150         1333
[51]tcp_hlenvsl4l2n             1264       1284       1202       1262       1178       1235       1187       1224         9836
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
Total_drop : 248768328
Step 3: Compare the 'Total' column of the 'sctp_crc' counter between the two runs:
- The first time, it shows 246646309.
- The second time, it shows 246646319.
The 'sctp_crc' drop counter increases between the two runs, which shows that the NP7 is dropping the SCTP packets on the SCTP CRC check.
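To automate the comparison above on a device with many counters, the following added example (not from the article or from Fortinet) parses the counter tables from two runs of 'diag npu np7 dce-drop-all all' and reports which drop counters increased; the sample output is constructed and abbreviated from the two runs shown in this article.

```python
import re

# Constructed, abbreviated "diag npu np7 dce-drop-all all" output for two runs.
# Row values are the EIF/HTX figures from the two runs in this article; the
# other per-EIF columns and the remaining sections are omitted for brevity.
RUN1 = """\
<EIF drop counters> [NP7_0]
Counter                   EIF_0      EIF_1      Total
------------------------- ---------- ---------- ------------
[27]tcp_csum                   67936      68243       547932
[35]udp_plen                    4196       4171        44028
[42]sctp_crc                32098595   32110181    246646309
------------------------- ---------- ---------- ------------
Total_drop : 248768317
<HTX drop counters> [NP7_0]
Counter                   HTX_0      Total
[31]udp_ulite_minlen               0          1
Total_drop : 1
"""
# Second run: only the two counters that moved in the article are bumped.
RUN2 = RUN1.replace("44028", "44029").replace("246646309", "246646319")

SECTION_RE = re.compile(r"^<(\w+) drop counters>")
ROW_RE = re.compile(r"^\[\d+\](\w+)\s+((?:\d+\s*)+)$")


def parse_drop_totals(output):
    """Return {'SECTION/counter': Total} for every '[n]name ...' row."""
    totals, section = {}, None
    for line in output.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)  # e.g. EIF, HTX, L2P
            continue
        row = ROW_RE.match(line)
        if row and section:
            # The last numeric column of a counter row is its Total.
            totals[f"{section}/{row.group(1)}"] = int(row.group(2).split()[-1])
    return totals


def increasing_counters(before, after):
    """Counters whose Total grew between two snapshots, mapped to the delta."""
    return {name: after[name] - before[name]
            for name in after if name in before and after[name] > before[name]}


if __name__ == "__main__":
    for name, delta in increasing_counters(parse_drop_totals(RUN1),
                                           parse_drop_totals(RUN2)).items():
        print(f"{name} increased by {delta}")
```

Paste the two real outputs into RUN1 and RUN2 (the full output, including the other sections, parses the same way) and any counter that is actively dropping traffic is listed with its delta.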
To fix:
Step 1: As a temporary workaround, run the following commands in the FortiGate CLI:
dia npu np7 setreg 0 eif.eif_0.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 eif.eif_1.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 eif.eif_2.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 eif.eif_3.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 eif.eif_4.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 eif.eif_5.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 eif.eif_6.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 eif.eif_7.ihp.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 htx_thd.htx_thd_0.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 htx_thd.htx_thd_1.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 htx_thd.htx_thd_2.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
dia npu np7 setreg 0 htx_thd.htx_thd_3.ihp_wrap.ihp_chk.l4chk_ena.sctp_crc_err_ena.write 0
Step 2: The permanent fix is to upgrade the firmware to FortiGate v7.2.8 build 1639, following the supported upgrade path, and then correct the setting below via the FortiGate CLI:
config system npu
    config fp-anomaly
        set sctp-csum-err allow
    end
end
- SCTP packets with proto 132 should be able to pass through the FortiGate after that.
- SCTP packets should show up in the packet sniffer of the FortiGate after that.