ppatel
Staff & Editor
December 30, 2021

Technical Tip: Enable path MTU discovery (PMTU)

Description

This article describes how to enable path MTU (PMTU) discovery for FortiGate self-originated traffic.

Scope

FortiGate.

Solution
  • On the 5.6 and 6.0 FortiOS lines, any self-originated traffic from FortiGate (including proxy traffic) has the DF bit set by default. Fragmentation is therefore not allowed along the path to the server, so when an intermediate router's MTU is smaller, path MTU discovery is triggered automatically and FortiGate adjusts the packet size.

  • From FortiOS v6.2 onwards, the DF bit is not set for self-originated traffic. Path MTU discovery can be configured as below:


config system global
    set pmtu-discovery enable | disable    (Disabled by default)
    set send-pmtu-icmp enable | disable    (Enabled by default)
end
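
An added example, not part of the original article and not Fortinet code: a Python parser for the ICMP "fragmentation needed" message (type 3, code 4, RFC 1191) that a router returns when a DF-marked packet exceeds its link MTU, which is the signal path MTU discovery relies on. The sample message, its addresses (documentation ranges) and the function names are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample(mtu: int) -> bytes:
    """Constructed sample: what a router with a smaller link MTU would return."""
    # Embedded original IPv4 header: 1500-byte TCP packet with DF set,
    # 192.0.2.10 -> 198.51.100.20 (inner header checksum left at 0, not checked here).
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    inner += b"\x00" * 8  # first 8 bytes of the original TCP header (zeroed)
    cksum = inet_checksum(struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner)
    return struct.pack("!BBHHH", 3, 4, cksum, 0, mtu) + inner

def parse_frag_needed(icmp: bytes):
    """Return PMTU details for ICMP type 3 code 4, or None for other ICMP messages."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus embedded IPv4 header")
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", inner[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "next_hop_mtu": next_hop_mtu,
        "orig_len": total_len,
        "df_set": bool(flags_frag & 0x4000),
        "dst": ".".join(str(b) for b in inner[16:20]),
        # Largest TCP payload that now fits: MTU minus IP header minus 20-byte TCP header
        "tcp_mss": next_hop_mtu - ihl - 20 if inner[9] == 6 else None,
    }

if __name__ == "__main__":
    print(parse_frag_needed(build_sample(1400)))
```

If a device on the path drops these ICMP messages, the sender never learns the smaller MTU and large DF-marked packets are silently lost.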

1 reply

Cristiano1
Explorer II
May 13, 2026
I encountered a very specific issue in version 7.4.11 on the FortiGate VM-Azure. In older firmware versions like 5.6, enabling PMTU globally makes sense... but it depends on the case... but since I'm having TCP retransmission problems where I'm losing packets, I even enabled MTU on the overlay interfaces and in the policy. I have a slight suspicion about the configured DHs, both auth and crypto AES256 with IKEv2, but I don't see the bugs in v4.7.11 FG-VM... has anyone encountered a specific issue in this version?