Administration Guide

Diagnosing SSL Card issues

Collect the information below for further analysis:

  1. Diagnostic commands for the hardware SSL card:

    FortiWeb# diagnose hardware check sslcard

        Ssl card intel check    Pass        #intel card

    FortiWeb # diagnose hardware check sslcard

        Ssl card cp9 check    Pass        #cp9 card

     

    ##After v5.85, ssl card status can be shown with:

    FortiWeb# diagnose debug sslhardwarestatus show

    proxyd using cp9 engine            #cp9 card works

    Or

    FortiWeb# diagnose debug sslhardwarestatus show

    proxyd not using engine            #cp9 card does not work well

     

    FortiWeb # diagnose hardware cavium3 status

    Or

    FortiWeb # diagnose hardware cp9 status

    Tue Jan 18 22:07:53 2022

    kxp[0]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    kxp[1]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    vpn[0]:{0:0:0:0:}

    vpn[1]:{0:0:0:0:}

     

    ##Below commands are available but might be removed soon

    FortiWeb # diagnose hardware cp9 test 1

    cp_uio: Detect KXP device[0]

    cp_uio: Detect KXP device[1]

    cp_uio: Detect VPN device[0]

    cp_uio: Detect VPN device[1]

    Testing kxpvpn memory...

          num 1                 alloc 1 done

    Done

    Testing RNG interface(bytes: 4080)...

    Done

    Testing BN_mod_exp interface...

      Testing BN_mod_exp mod 1K

      Done

      Testing BN_mod_exp mod 2K

      Done

      Testing BN_mod_exp mod 3K

      Done

      Testing BN_mod_exp mod 4K

               1.0 ops/s   0.0 MB/s

      Done

    Done

    Testing RSA_mod_exp interface...

      Testing RSA_mod_exp mod 1k

      Done

      Testing RSA_mod_exp mod 2k

      Done

      Testing RSA_mod_exp mod 3k

      Done

      Testing RSA_mod_exp mod 4k

      Done

    Done

    Testing ssl3_generate_master_secret...

    Done

    Testing ssl3_setup_key_block...

               1.0 ops/s   0.0 MB/s

    Done

    Testing tls_generate_master_secret...

    Done

    Testing tls_setup_key_block...

    Done

    Testing ECSKEY(NID:415, prime256v1)...

    Done

    Testing ECSKEY(NID:715, secp384r1)...

    Done

    Testing ECSKEY(NID:716, secp521r1)...

               1.0 ops/s   0.0 MB/s

    Done

    Testing ECSIGN(NID:415, prime256v1)...

    Testing ECSIGN(NID:715, secp384r1)...

    Testing ECSIGN(NID:716, secp521r1)...

    Testing ECVERIFY(NID:415, prime256v1)...

    Testing ECVERIFY(NID:715, secp384r1)...

               1.0 ops/s   0.0 MB/s

    Testing ECVERIFY(NID:716, secp521r1)...

    Testing AES interface...

    Done

    Testing DES interface...

    Done

    Testing 3DES interface...

    Done

     

    >>>> System Memory <<<<

    block[128]:    2048/2048

    block[256]:    2048/2048

    block[512]:    2048/2048

    block[1024]:    10240/10240

    block[2048]:    10240/10240

    block[4096]:    10240/10240

    block[8192]:    8192/8192

    block[16384]:    2048/2048

    block[32768]:    2048/2048

    Size:        237312 Mbytes

     

    >>>> Status <<<<

    kxp[0]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    kxp[1]:{0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:}

    vpn[0]:{0:0:0:0:}

    vpn[1]:{0:0:0:0:}

    RNG                  1          0 0

    SSL3_GENMS           1          0 0

    SSL3_GENKM           1          0 0

    TLS_GENMS            1          0 0

    TLS_GENKM            1          0 0

    PKCE_1024            1          0 0

    PKCE_2048            1          0 0

    PKCE_4096            2          0 0

    CRT_PARAM_1024       1          0 0

    CRT_PARAM_2048       1          0 0

    CRT_PARAM_4096       2          0 0

    CRT_1024             1          0 0

    CRT_2048             1          0 0

    CRT_4096             2          0 0

    EC_SIGN              3          0 0

    EC_VERIFY            3          0 0

    ECSKEY               3          0 0

    NID_aes_128_sha1     1          0 0

    NID_des_ede3_cbc     1          0 0

    NID_des_cbc          1          0 0

  2. If you suspect that the hardware SSL card has a problem, you can disable it and check whether software SSL works correctly, using the commands below:

    ##Enabling high-compatibility-mode turns off the hardware SSL card

    FortiWeb# dia de sslhardwarestatus show

    proxyd using intel engine

    FortiWeb # config server-policy setting

    FortiWeb (setting) # set high-compatibility-mode enable

    FortiWeb (setting) # end

    high compatibility mode:This operation will restart proxyd and clear the current connection!

    Do you want to continue? (y/n)y

    FortiWeb # show server-policy setting

    config server-policy setting

    set high-compatibility-mode enable

    end

    FortiWeb # diagnose debug sslhardwarestatus show

    proxyd not using engine

  3. Check for more detailed information in dmesg or /var/log/dmesg/kern.log:

    [   50.617068] Loading QAT CONTIG MEM Module ...

    [   50.893620] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines

    [   51.508620] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines

    [   51.859112] igb 0000:02:00.0 mgmt1: igb: mgmt1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX

    [   51.862020] QAT: Stopping all acceleration devices.

    [   51.862029] c6xx 0000:1a:00.0: qat_dev0 stopped 8 acceleration engines

    [   51.862324] c6xx 0000:1a:00.0: Resetting device qat_dev0

    [   51.862325] c6xx 0000:1a:00.0: Function level reset

    [   51.965722] c6xx 0000:1b:00.0: qat_dev1 stopped 8 acceleration engines

    [   51.965811] IPv6: ADDRCONF(NETDEV_CHANGE): mgmt1: link becomes ready

    [   51.966034] c6xx 0000:1b:00.0: Resetting device qat_dev1

    [   51.966034] c6xx 0000:1b:00.0: Function level reset

    [   53.071493] c6xx 0000:1a:00.0: Starting acceleration device qat_dev0.

    [   53.334619] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines

    [   53.688343] c6xx 0000:1b:00.0: Starting acceleration device qat_dev1.

    [   53.951619] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
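The three outputs collected in steps 1 to 3 are usually pasted into a support case as-is; the script below reduces them to a short list of findings so the common cases (card in use, card disabled by high-compatibility-mode, card not in use although the mode is disabled, a QAT device that never came back after a reset) are separated before escalation. It is an added example, not Fortinet's code or a FortiWeb feature; its regular expressions are assumptions derived only from the sample output shown above, and treating a missing "set high-compatibility-mode" line as disabled is also an assumption. The sample inputs are constructed from the output in this guide.

```python
# Added example (not Fortinet's code): reduce the three FortiWeb outputs the
# guide asks for (sslhardwarestatus, server-policy setting, dmesg) to findings.
# All parsing rules are assumptions derived from the sample output in the guide.
import re

# "proxyd using cp9 engine" / "proxyd using intel engine" / "proxyd not using engine"
ENGINE_RE = re.compile(r"proxyd (?:using (\w+) engine|not using engine)")
# "set high-compatibility-mode enable" inside 'show server-policy setting'
HIGH_COMPAT_RE = re.compile(r"set high-compatibility-mode (enable|disable)")
# kernel log lines for the Intel QAT (QuickAssist) devices that dmesg shows in the guide
QAT_STATE_RE = re.compile(r"(qat_dev\d+) (started|stopped) \d+ acceleration engines")
QAT_RESET_RE = re.compile(r"Resetting device (qat_dev\d+)")


def parse_engine(status_output):
    """Engine name proxyd reports ('cp9', 'intel'), or None for 'not using engine'."""
    m = ENGINE_RE.search(status_output)
    if m is None:
        raise ValueError("no 'proxyd ... engine' line in sslhardwarestatus output")
    return m.group(1)


def high_compat_enabled(policy_output):
    """True when high-compatibility-mode is set to enable.
    Assumption: an absent line means the mode is disabled."""
    m = HIGH_COMPAT_RE.search(policy_output)
    return bool(m and m.group(1) == "enable")


def qat_device_states(dmesg):
    """Last state of each qat_devN in log order: 'started', 'stopped' or 'resetting'."""
    states = {}
    for line in dmesg.splitlines():
        m = QAT_STATE_RE.search(line)
        if m:
            states[m.group(1)] = m.group(2)
            continue
        m = QAT_RESET_RE.search(line)
        if m:
            states[m.group(1)] = "resetting"
    return states


def triage(status_output, policy_output, dmesg):
    """Combine the three outputs into a dict with a 'findings' list (empty = healthy)."""
    engine = parse_engine(status_output)
    compat = high_compat_enabled(policy_output)
    devices = qat_device_states(dmesg)
    findings = []
    if engine is None and not compat:
        findings.append("proxyd is not using the SSL card although "
                        "high-compatibility-mode is disabled: card not working")
    elif engine is None:
        findings.append("software SSL in use by configuration "
                        "(high-compatibility-mode enable); not a card fault")
    elif compat:
        findings.append(f"high-compatibility-mode is enabled but proxyd still reports "
                        f"the {engine} engine; re-check after proxyd restarts")
    for dev, state in sorted(devices.items()):
        if state != "started":
            findings.append(f"{dev}: last dmesg state is '{state}' with no later start")
    return {"engine": engine, "high_compat": compat, "qat": devices, "findings": findings}


# Constructed samples, taken from the output shown in this guide.
HEALTHY_STATUS = "FortiWeb# diagnose debug sslhardwarestatus show\nproxyd using cp9 engine\n"
FAILING_STATUS = "FortiWeb# diagnose debug sslhardwarestatus show\nproxyd not using engine\n"
POLICY_DISABLED = "config server-policy setting\n    set high-compatibility-mode disable\nend\n"
HEALTHY_DMESG = """\
[   50.893620] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
[   51.508620] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
[   51.862020] QAT: Stopping all acceleration devices.
[   51.862029] c6xx 0000:1a:00.0: qat_dev0 stopped 8 acceleration engines
[   51.862324] c6xx 0000:1a:00.0: Resetting device qat_dev0
[   51.965722] c6xx 0000:1b:00.0: qat_dev1 stopped 8 acceleration engines
[   51.966034] c6xx 0000:1b:00.0: Resetting device qat_dev1
[   53.334619] c6xx 0000:1a:00.0: qat_dev0 started 8 acceleration engines
[   53.951619] c6xx 0000:1b:00.0: qat_dev1 started 8 acceleration engines
"""
# Constructed failure: the last line is dropped, so qat_dev1 is reset and never restarts.
FAILING_DMESG = HEALTHY_DMESG.rsplit("\n", 2)[0] + "\n"

if __name__ == "__main__":
    for name, st, dm in (("healthy", HEALTHY_STATUS, HEALTHY_DMESG),
                         ("failing", FAILING_STATUS, FAILING_DMESG)):
        report = triage(st, POLICY_DISABLED, dm)
        print(name, report["engine"], report["qat"], report["findings"])
```

The dmesg check keeps only the last event per qat_devN, which is what matters here: the healthy capture in step 3 shows both devices stopped and reset during boot and then started again, so a stop or reset is only a finding when no later "started" line follows it.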
