caunon
Staff
February 25, 2025

Troubleshooting Tip: tcp-mss setting on IPsec VPN interface does not work with IPv6 traffic

Description

This article describes how to handle a situation where the tcp-mss setting configured on an IPsec VPN interface is applied to IPv4 traffic but not to IPv6 traffic.

Scope

FortiGate v7.2.x.

Solution
  1. Configure the IPsec VPN on the FortiGate unit and set tcp-mss on the IPsec VPN interface with the following CLI commands:

    config system interface
        edit <IPsec VPN interface's name>
            set tcp-mss 1250
        next
    end

  2. Test IPv4 traffic: it passes and the MSS (Maximum Segment Size) is limited to 1250 as expected.
  3. Test IPv6 traffic: the MSS is not limited to 1250, so the interface tcp-mss setting does not take effect for IPv6 traffic.
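To confirm whether the clamp took effect in the IPv4 and IPv6 tests above, inspect the MSS option in TCP SYN segments captured on either side of the tunnel. The following Python script is an added example, not part of the original article and not a Fortinet tool: it extracts the MSS option from raw Ethernet/IPv4 or Ethernet/IPv6 frames (an assumption: no IPv6 extension headers are present) and flags any SYN whose MSS exceeds the configured 1250; the frames it builds are constructed test data.

```python
import struct

def build_syn(ipv6: bool, mss: int) -> bytes:
    """Construct a minimal Ethernet/IP/TCP SYN frame as sample data
    (zero addresses and checksums, no IPv6 extension headers)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)  # TCP option kind 2 (MSS), length 4
    if ipv6:
        ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + bytes(32)
        return bytes(12) + b"\x86\xdd" + ip6 + tcp
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                      64, 6, 0, bytes(4), bytes(4))
    return bytes(12) + b"\x08\x00" + ip4 + tcp

def tcp_mss_from_frame(frame: bytes):
    """Return the MSS option of a TCP SYN carried in an Ethernet frame (IPv4 or
    IPv6), or None if the frame is not a TCP SYN or carries no MSS option."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:  # IPv4: header length from IHL, protocol must be TCP
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            return None
        tcp = frame[14 + ihl:]
    elif ethertype == 0x86DD:  # IPv6: fixed 40-byte header, next header must be TCP
        if frame[14 + 6] != 6:
            return None
        tcp = frame[14 + 40:]
    else:
        return None
    if not tcp[13] & 0x02:  # only SYN segments carry the MSS option
        return None
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i + 1 < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP padding, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += max(length, 2)  # never loop on a malformed zero-length option
    return None

def mss_exceeds_limit(frame: bytes, limit: int = 1250) -> bool:
    """True when the SYN's MSS is above the configured clamp, i.e. clamping failed."""
    mss = tcp_mss_from_frame(frame)
    return mss is not None and mss > limit
```

Feed real frames from a capture (for example, read with a pcap library) into mss_exceeds_limit; an IPv6 SYN reported above 1250 after the interface setting is applied reproduces the issue described here.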


To fix this:


  1. As a temporary workaround, configure the tcp-mss-sender and tcp-mss-receiver settings under the firewall policy that covers the IPsec VPN traffic with the following CLI commands instead:

    config firewall policy
        edit <IPsec VPN firewall policy id>
            set tcp-mss-sender 1250
            set tcp-mss-receiver 1250
        next
    end

  2. For a permanent fix, upgrade the FortiGate firmware to v7.2.11 or later.