YetK (Staff)
January 16, 2026

Technical Tip: Fragmented UDP packets with payload sizes in 1636–1722 byte range may be dropped

Description
This article describes a known issue that causes packet drops for fragmented UDP packets whose payload size falls in the range 1636–1722 bytes.

Scope
FortiGates with NP7 processors, where an IPS profile is applied to the firewall policy.
Solution

The fragmented UDP packets can be observed in the FortiGate sniffer on both ingress and egress. However, packets with a 1700-byte payload never arrive at the test server behind the FortiGate. Taken together, the sniffer output shows that the fragmented UDP packets are being dropped on the NP7.

Sample packet captures collected while testing the issue are shown below.

Capture from FortiGate for payload 2000B:

FortiGate-601F # diagnose sniffer packet any "host 10.75.7.179" 4 0
interfaces=[any]
filters=[host 10.75.7.179]
3.155673 port1 in 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000 (frag 8359:1480@0+)
3.155676 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 8359:528@1480)
3.155700 port9 out 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000
3.155753 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 8360:528@1480)
3.155773 port1 in 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000 (frag 8360:1480@0+)
3.155786 port9 out 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000
3.155788 port1 in 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000 (frag 8361:1480@0+)
3.155790 port1 in 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000 (frag 8362:1480@0+)
3.155807 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 8361:528@1480)
3.155812 port9 out 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000
3.155814 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 8362:528@1480)
3.155816 port9 out 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000
3.155818 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 8363:528@1480)
3.155824 port1 in 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000 (frag 8363:1480@0+)
3.155828 port9 out 10.72.8.100.55526 -> 10.75.7.179.8050: udp 2000

Capture from test server for payload 2000B:

05:35:49.647948 IP 10.72.8.100.55526 > 10.75.7.179.8050: UDP, length 2000
05:35:49.647951 IP 10.72.8.100 > 10.75.7.179: udp
05:35:49.647953 IP 10.72.8.100.55526 > 10.75.7.179.8050: UDP, length 2000
05:35:49.647954 IP 10.72.8.100 > 10.75.7.179: udp
05:35:49.647956 IP 10.72.8.100.55526 > 10.75.7.179.8050: UDP, length 2000
05:35:49.647958 IP 10.72.8.100 > 10.75.7.179: udp
05:35:49.647960 IP 10.72.8.100.55526 > 10.75.7.179.8050: UDP, length 2000
05:35:49.647961 IP 10.72.8.100 > 10.75.7.179: udp
05:35:49.648312 IP 10.72.8.100.55526 > 10.75.7.179.8050: UDP, length 2000
05:35:49.648313 IP 10.72.8.100 > 10.75.7.179: udp

Capture from FortiGate for payload 1700B:

FortiGate-601F # diagnose sniffer packet any "host 10.75.7.179" 4 0
interfaces=[any]
filters=[host 10.75.7.179]
3.932194 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13483:1480@0+)
3.932196 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13483:228@1480)
3.932221 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700
3.932246 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13484:1480@0+)
3.932249 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13484:228@1480)
3.932259 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700
3.932260 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13485:228@1480)
3.932296 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13485:1480@0+)
3.932303 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13486:228@1480)
3.932303 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700
3.932305 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13487:228@1480)
3.932306 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13486:1480@0+)
3.932309 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700
3.932311 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13487:1480@0+)
3.932314 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700

Capture from test server for payload 1700B:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
05:38:31.214019 ARP, Request who-has 10.75.7.179 tell 10.75.0.2, length 46
05:38:31.214042 ARP, Reply 10.75.7.179 is-at 00:68:65:6c:09:04 (oui Unknown), length 28

Only ARP traffic is seen on the server; none of the 1700-byte UDP datagrams that the FortiGate sniffer shows leaving port9 arrive.
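As an added example (not part of the original article or of FortiOS), the following Python script parses "diagnose sniffer packet" output in the verbosity-4 format shown above, groups fragments by IP ID, checks that each fragment set is complete, computes the UDP payload length and flags datagrams whose payload falls in the 1636–1722 byte range. It also computes the fragment layout expected for a given payload and MTU, so the 1480+228 (1700B) and 1480+528 (2000B) pairs in the captures can be verified. The sample input is copied from the 1700B FortiGate capture, plus one constructed dangling first fragment (IP ID 13499) that shows how an incomplete set is reported; the line format it assumes is the one on this page.

```python
import re
from collections import defaultdict

# UDP payload range (bytes) that the article names as affected by the NP7 drop.
AFFECTED_MIN, AFFECTED_MAX = 1636, 1722

# Fragment line from "diagnose sniffer packet" at verbosity 4, e.g.
#   3.932194 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13483:1480@0+)
#   3.932196 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13483:228@1480)
# "id:len@offset" describes the fragment; a trailing "+" is the More-Fragments flag.
FRAG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+.*?"
    r"\(frag\s+(?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)
# Whole (unfragmented or already reassembled) datagram line, e.g.
#   3.932221 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700
DGRAM_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+.*?:\s+udp\s+(?P<plen>\d+)\s*$"
)

# Sample input: lines copied from the 1700B capture above, plus one constructed
# dangling first fragment (IP ID 13499) whose second fragment never appears.
SAMPLE_1700 = """\
3.932194 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13483:1480@0+)
3.932196 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13483:228@1480)
3.932221 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700
3.932246 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13484:1480@0+)
3.932249 port1 in 10.72.8.100 -> 10.75.7.179:  ip-proto-17 (frag 13484:228@1480)
3.932259 port9 out 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700
3.932400 port1 in 10.72.8.100.34014 -> 10.75.7.179.8050: udp 1700 (frag 13499:1480@0+)
"""


def parse_sniffer(text):
    """Split sniffer output into fragments grouped by IP ID and whole-datagram lines."""
    frags = defaultdict(list)   # ip_id -> [(offset, length, more_flag, direction)]
    dgrams = []                 # [(direction, interface, udp_payload_len)]
    for line in text.splitlines():
        m = FRAG_RE.match(line.strip())
        if m:
            frags[int(m["id"])].append(
                (int(m["off"]), int(m["len"]), m["more"] == "+", m["dir"]))
            continue
        m = DGRAM_RE.match(line.strip())
        if m:
            dgrams.append((m["dir"], m["intf"], int(m["plen"])))
    return frags, dgrams


def reassemble(frag_list):
    """Return the total IP payload length if the fragment set is complete, else None.
    Complete = contiguous from offset 0 and the last piece has More-Fragments clear."""
    pieces = sorted((off, ln, more) for off, ln, more, _ in frag_list)
    if not pieces:
        return None
    expected = 0
    for off, ln, more in pieces:
        if off != expected:     # gap or overlap: a fragment is missing or duplicated
            return None
        expected = off + ln
    return None if pieces[-1][2] else expected


def analyze(text):
    """Reassemble every fragment set and flag UDP payload sizes in the affected range."""
    frags, dgrams = parse_sniffer(text)
    report = {"complete": 0, "incomplete": 0, "affected": [], "egress": 0}
    for ip_id, flist in sorted(frags.items()):
        total = reassemble(flist)
        if total is None:
            report["incomplete"] += 1
            continue
        report["complete"] += 1
        udp_payload = total - 8     # the 8-byte UDP header rides in the first fragment
        if AFFECTED_MIN <= udp_payload <= AFFECTED_MAX:
            report["affected"].append((ip_id, udp_payload))
    report["egress"] = sum(1 for d, _, _ in dgrams if d == "out")
    return report


def fragment_layout(udp_payload, mtu=1500, ip_hdr=20, udp_hdr=8):
    """Expected IP fragments (offset, length, more_flag) for a UDP datagram without
    IP options: each fragment carries a multiple of 8 data bytes, 1480 at a 1500 MTU."""
    total = udp_payload + udp_hdr
    chunk = (mtu - ip_hdr) // 8 * 8
    frags, off = [], 0
    while off < total:
        ln = min(chunk, total - off)
        frags.append((off, ln, off + ln < total))
        off += ln
    return frags


if __name__ == "__main__":
    print(fragment_layout(1700))   # the 1480@0+ / 228@1480 pair seen in the capture
    print(analyze(SAMPLE_1700))
```

Because the FortiGate sniffer shows the egress datagrams in both captures, the egress count from this script alone will not expose the NP7 drop; it tells you which datagrams are in the affected range and whether all their fragments reached the FortiGate. The confirmation remains the missing datagrams in the tcpdump on the receiving host, as in the 1700B server capture.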

Workaround: any one of the following three options works around the issue.

  1. Disable auto-asic-offload on the firewall policy that the fragmented UDP packets match:

config firewall policy
    edit <id/name>
        set auto-asic-offload disable
    next
end

  2. Remove the IPS profile from the firewall policy:

config firewall policy
    edit <id/name>
        unset ips-sensor
    next
end

  3. Enable ip-reassembly in the NPU configuration:

config system npu
    config ip-reassembly
        set status enable
    end
end

Permanent fix: Upgrade FortiGate to v7.4.10, v7.6.5, or v8.0.0.