mriswan
Staff
September 27, 2024

Troubleshooting Tip: How to identify MTU in the path causing traffic issue from FortiGate

Description

This article describes how to identify MTU issues on upstream and downstream devices that cause traffic problems, using the FortiGate firewall CLI.

Scope

FortiGate.

Solution

In the CLI, set the ICMP payload size with 'execute ping-options data-size <bytes>', then ping the destination with 'execute ping <host>'.

Here is an example where the ISP router had an MTU issue, which caused overall slowness for the LAN users.

FGT_FW # execute ping-options data-size 500

FGT_FW # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 500 data bytes
76 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=19.3 ms
76 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=19.2 ms
76 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=19.3 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 19.2/19.2/19.3 ms

FGT_FW # execute ping-options data-size 600

FGT_FW # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 600 data bytes
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

The above ping tests show that the upstream device had a misconfigured MTU, which caused the issue: 500 data bytes got a reply, while 600 data bytes did not.

Once the path MTU has been identified, the MTU can be changed to match at the interface level with the following commands.

FGT-GRG # config sys interface

FGT-GRG (interface) # edit port1

FGT-GRG (port1) # set mtu-override enable

FGT-GRG (port1) # set mtu
<integer> Maximum transmission unit (68-65535). Default 1500.

In the above case, the MTU would be 500 + 8 (ICMP header) + 20 (IP header) = 528 bytes.
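The probing above was done by hand with two sizes. The following is an added example, not from the article or from Fortinet, that generalises it into a bisection: it finds the largest ICMP data size that still gets a reply and applies the same 8 + 20 header arithmetic. It assumes a Linux host on the same path, where 'ping -M do' sets the DF bit so an oversized probe is dropped rather than fragmented (on the FortiGate itself the matching option is 'execute ping-options df-bit yes'); the probe is injectable so the search can be exercised against a constructed path without sending packets.

```python
# Added example (not from the article or Fortinet): bisect the largest ICMP
# data size that gets a reply, then add the ICMP and IPv4 headers as the
# article's formula does.
import subprocess
from typing import Callable

ICMP_HDR = 8    # ICMP echo header, as in the article's formula
IPV4_HDR = 20   # IPv4 header without options, as in the article's formula


def linux_ping_probe(dst: str, data_size: int, timeout_s: int = 2) -> bool:
    """Assumption: a Linux host on the same path. 'ping -M do' sets DF so an
    oversized probe is dropped instead of fragmented; True means a reply came back."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(data_size), dst]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_working_size(probe: Callable[[int], bool],
                         lo: int = 0, hi: int = 1472) -> int:
    """Binary search for the largest data size probe() accepts.
    lo must work; hi is the largest size worth trying (1472 = 1500 - 28,
    i.e. an echo that fits an unfragmented Ethernet-sized IPv4 packet)."""
    if not probe(lo):
        raise RuntimeError(f"even {lo} data bytes get no reply; path is down")
    if probe(hi):
        return hi            # no MTU restriction below the starting ceiling
    # invariant: probe(lo) succeeded, probe(hi) failed
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest working data size plus the ICMP and IPv4 headers."""
    return largest_working_size(probe, lo, hi) + ICMP_HDR + IPV4_HDR


if __name__ == "__main__":
    # The article pinged 8.8.8.8 from the FortiGate; here the probe runs from a Linux host.
    print("path MTU:", path_mtu(lambda n: linux_ping_probe("8.8.8.8", n)))
```

Bisecting between the last working and the first failing size pins down the actual path MTU instead of settling on whichever size happened to be tried last, so the interface override is not set lower than the path allows.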

The command 'diagnose netlink interface list <interface_name>' can be used to verify that the MTU override has taken effect.

Related article:

Technical Tip: Finding the MTU of a FortiGate interface