sahmed_FTNT
Staff & Editor
November 24, 2025

Troubleshooting Tip: VXLAN dropping SSL traffic

Description
This article describes how to handle an issue where SSL traffic passing through a VXLAN fails to load.

Scope
FortiGate.

Solution

VXLAN passes all traffic except SSL traffic.


Troubleshooting steps:

  • Verify traffic flow with and without UTM.
  • Verify traffic flow in flow-based and in proxy-based inspection mode.


If the SSL traffic also fails without UTM, run the following sniffer command:

diagnose sniffer packet any 'host a.a.a.a' 4 0 l    <----- a.a.a.a is the destination IP.

If the sniffer output shows 'Destination unreachable (Fragmentation needed)', verify the following:

  • The MTU of the software switch that contains the VXLAN interface.


Set the TCP MSS in the firewall policy to match the software switch MTU, so that encapsulated segments no longer exceed it:


config firewall policy
    edit 1    <----- Policy that applies to the affected traffic.
        set tcp-mss-sender 1330
        set tcp-mss-receiver 1330
    next
end
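To see why the MSS clamp has to shrink with the software switch MTU, here is an added Python example (not from the article or from FortiOS) that computes the VXLAN encapsulation overhead, the largest inner packet that still fits the underlay, and whether a candidate tcp-mss value stays under that limit. The 1500-byte underlay MTU at the bottom is an assumed sample value.

```python
# Added example, not part of the article: derive a safe TCP MSS for traffic
# that will be VXLAN-encapsulated and check a candidate policy value against it.
# Header sizes are the fixed sizes from the respective RFCs; the MTU values
# used under __main__ are constructed sample inputs.

ETHERNET_HDR = 14            # inner Ethernet frame carried inside VXLAN
IP_HDR = {"ipv4": 20, "ipv6": 40}
UDP_HDR = 8
VXLAN_HDR = 8
TCP_HDR = 20                 # TCP header without options


def vxlan_overhead(outer_ip: str = "ipv4") -> int:
    """Bytes added to every inner IP packet by VXLAN encapsulation."""
    return IP_HDR[outer_ip] + UDP_HDR + VXLAN_HDR + ETHERNET_HDR


def vxlan_inner_mtu(underlay_mtu: int, outer_ip: str = "ipv4") -> int:
    """Largest inner IP packet that fits the underlay MTU without fragmentation."""
    return underlay_mtu - vxlan_overhead(outer_ip)


def tcp_mss_for_mtu(path_mtu: int, inner_ip: str = "ipv4") -> int:
    """TCP MSS that keeps every segment within path_mtu."""
    return path_mtu - IP_HDR[inner_ip] - TCP_HDR


def mss_is_safe(policy_mss: int, underlay_mtu: int,
                outer_ip: str = "ipv4", inner_ip: str = "ipv4") -> bool:
    """True if segments clamped to policy_mss never need fragmentation on this path."""
    limit = tcp_mss_for_mtu(vxlan_inner_mtu(underlay_mtu, outer_ip), inner_ip)
    return policy_mss <= limit


if __name__ == "__main__":
    underlay = 1500          # constructed: MTU of the software switch / underlay
    inner = vxlan_inner_mtu(underlay)
    print(f"inner MTU {inner}, largest safe MSS {tcp_mss_for_mtu(inner)}")
    print("policy MSS 1330 safe:", mss_is_safe(1330, underlay))
    print("default MSS 1460 safe:", mss_is_safe(1460, underlay))
```

A segment sized for the default 1460 MSS exceeds the inner MTU once the 50 bytes of VXLAN overhead are added, which is exactly the case that produces the 'Fragmentation needed' ICMP message seen in the sniffer.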


Related document:

Troubleshooting Tip: Issues with PMTUD and VXLAN