Skip to main content
otterit
otterit
New Member
June 8, 2020
Question

Decrease size of Syslog & SNMP to avoid going over IPSEC MTU

  • June 8, 2020
  • 1 reply
  • 3811 views

Hi everyone,

 

I got a Fortigate 60E and I got an issue with the syslog (fortianalyser) & SNMP queries going over what the IPSEC tunnel can do.

 

I have Tx errors on the IPSec interface, which is usually due to MTU issues and that's exactly the case and the culprit are... the FortiGate itself that is sending SNMP & Syslog packets over the 1422 MTU the IPSec tunnel has.

 

The source IP is a Loopback.

 

I couldn't find a way to decrease the size of neither the Syslog or the SNMP messages in FortiOS 6.0.X. I've checked the CLI of 6.2.X but can't find a way either. You cannot set the MTU of a loopback and you can't set the size of the responses in the configuration, or at least I haven't found the setting yet.

 

Have you ever encountered this issue ? and how did you solve it ?

 

PS: I don't really want to set the set honor-df to disable as it will create more workload to reassemble everything.

1 reply

Patel
Patel
New Member
June 12, 2020

Hi,

 

First, change the mode of syslog from UDP to TCP, 

 

# config log syslogd setting

# set mode reliable

# end

 

What I would suggest is that you can try to change the tcp mss value in the policy for the VPN traffic. Try matching the Syslog messages only in that policy for testing.

 

# config firewall policy

# edit <Policy ID>

# set tcp-mss-sender 1000

# set tcp-mss-receiver 1000

# end

 

Let me know if that works or not.

 

Regards,

Patel

 

emnoc
emnoc
New Member
June 12, 2020

tcp-mss adjustment would help on tcp traffic but I'm reliable surprise the fortianalyzer is not already using  tcp to begin with. On SNMP that's all UDP and I personally never seen a packet go over 1200 bytes.

 

 

How you can test the maxsize is to walk the device and look at the packets

 

e.g from a linux device with snmp-utility

 

In one window

 

snmpwalk -c "mystringforcommunity" -v2c x.x..x.x 

 

In 2nd window

 

 tcpdump -nnnvv  -i eth0 host x.x.x.x and port 161 and greater  1200

 

Ken Felix

 

Terms & ConditionsAccessibility statement