Refer to the exhibit, which shows a partial troubleshooting command output. You are using IPsec on FortiGate extensively. Many tunnels are showing information that is similar to the output shown in the exhibit. Which statement about your IPsec use is correct? (Choose one answer)

A. The two IPsec security associations (SA), inbound and outbound, are copied to the network processing unit (NPU).
B. IPsec SAs cannot be offloaded.
C. Only the outbound IPsec SA is copied to the NPU.
D. Only the inbound IPsec SA is copied to the NPU.

Correct Answer: B

Brave-Dump Clients Votes

B 100%

Comments

Fatma Salih 2025-11-26 23:34:55

Selected Answers: B

npu_flag=20 = Unsupported cipher

Hasan Ahmed 2025-11-27 17:54:37

Selected Answers: B

Correct answer is B

'npu_flag=20'. IPsec SA cannot be offloaded to NPU because either the cipher or the HMAC is not supported by NPU.

Shabeeb Kunhipocker 2025-11-27 22:10:11

Selected Answers: B

Admin Guide, Page 300

Podb 2025-12-14 03:17:15

Selected Answers: B

correct B,
npu_flag=20 = Unsupported cipher

Adam 2026-01-19 13:17:29

Selected Answers: B

npu_flag= 00 -> Both IPsec SAs loaded to the kernel
npu_flag= 01 -> Outbound IPsec SA copied to NPU
npu_flag= 02 -> Inbound IPsec SA copied to NPU
npu_flag= 03 -> Both outbound and inbound IPsec SA copied to NPU
npu_flag= 20 -> Unsupported cipher or HMAC, IPsec SA cannot be offloaded