kael_wang
New Member
May 11, 2018
Question

IPsec MTU Fragment issue

  • May 11, 2018
  • 1 reply
  • 19263 views

Dear all,

  My company moved to a new place recently. Assume the new office is site A and the web server is at site B; everything is the same except two new fd200d units (settings copied from the 140d), but now we can't access our web server anymore.

  I checked: the IPsec tunnel MTU is 1438, our desktops are at 1500, and Wireshark shows TCP fragmentation.

  I tried setting the desktop MTU to 1420 and it works.

  My questions are:

  1. Is there any difference between the 140d and the 200d? (same settings, but a new MTU problem in the new office)

  2. My boss doesn't want to change the desktop MTU or set a tunnel MTU; is there any other option?

Many thanks.

    1 reply

    Toshi_Esumi
    SuperUser
    May 11, 2018

    What version of FortiOS were/are they running? Earlier versions of 5.4 had some fragmentation issues.

    emnoc
    New Member
    May 11, 2018

    Don't change the desktop(s)' MTU; just use set tcp-mss in the firewall policies for the traffic from the desktops to the web server(s).

    http://socpuppet.blogspot.com/2013/05/tcp-mss-adjusment-fortigate-style.html

    NOTE: that only helps TCP-based traffic.

    Ken

    kael_wang (Author)
    New Member
    May 12, 2018

    To Toshi Esumi: v5.2.13,build762 (GA)

    Thank you for answering my question. I found out what is going on...

    I turned off "Avast Free Antivirus Web Shield", with MTU 1500 on the desktop and without changing anything on the 200d:

    no more fragments in Wireshark, and I can access the web server successfully.

    It is really weird that Avast worked just fine at the old office, but now it looks like Avast checks the MTU size???

    Or is it just that the 200d VPN IPsec tunnel settings are very different from the 140d?

     

    This is the tunnel setting on the 200d:

    --------------------------

    config vpn ipsec phase1-interface
        edit "SITE B"
            set interface "vlan103"
            set ike-version 2
            set keylife 172800
            set proposal aes256-sha256
            set dhgrp 14
            set remote-gw XXXXX
            set psksecret XXXXX
        next
    end

    --------------------------

    Thanks for reading this; please help if you have some kind of experience. Thank you once again.
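Added example (Python; not code from the thread, from Fortinet, or from the linked blog post) that works through the numbers the thread gives: the 1438-byte tunnel MTU from the original post, the 1500 and 1420 desktop MTUs that fragment and do not, and the tcp-mss clamp emnoc suggests, for the aes256-sha256 proposal in the phase1 config above. The overhead figures are assumptions, not something the thread states: AES-256-CBC with a 16-byte IV, HMAC-SHA256 truncated to a 16-byte ICV, IPv4 inner and outer headers without options, and no NAT-T unless requested. With those assumptions the largest inner packet that fits a 1500-byte link comes out at exactly 1438, which matches the tunnel MTU the FortiGate reported.

```python
"""Added example, not code from the forum thread or from Fortinet.

ESP tunnel-mode overhead, the resulting tunnel MTU, and the TCP MSS clamp that
lets desktops keep a 1500-byte interface MTU without fragmenting inside the tunnel.

Assumptions (constructed for this example, not stated in the thread):
AES-256-CBC (16-byte IV, 16-byte block), HMAC-SHA256-128 (16-byte ICV),
IPv4 inner and outer headers with no options, no NAT-T unless nat_t=True.
"""

OUTER_IPV4 = 20        # new IPv4 header prepended in tunnel mode
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1), inside the encrypted part
NAT_T_UDP = 8          # UDP header added when NAT traversal (UDP 4500) is in use
IPV4_TCP_HEADERS = 40  # inner IPv4 (20) + TCP (20) without options


def esp_tunnel_size(inner_len, iv_len=16, icv_len=16, block=16, nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel-mode encapsulation."""
    # The inner packet plus the ESP trailer is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = OUTER_IPV4 + ESP_HEADER + iv_len + padded + icv_len
    if nat_t:
        size += NAT_T_UDP
    return size


def needs_fragmentation(inner_len, outer_mtu=1500, **kw):
    """True if the encapsulated packet exceeds the outer interface MTU."""
    return esp_tunnel_size(inner_len, **kw) > outer_mtu


def max_inner_packet(outer_mtu=1500, **kw):
    """Largest inner IP packet that still fits after encapsulation: the tunnel MTU."""
    for inner in range(outer_mtu, 0, -1):
        if not needs_fragmentation(inner, outer_mtu, **kw):
            return inner
    raise ValueError("outer MTU too small for any payload")


def tcp_mss_for_mtu(mtu):
    """TCP MSS that keeps a full segment within the given IP MTU (IPv4, no options)."""
    return mtu - IPV4_TCP_HEADERS


def report(desktop_mtus=(1500, 1438, 1420), outer_mtu=1500, **kw):
    """For each desktop MTU from the thread: encapsulated size and whether it fragments."""
    return {
        mtu: {"on_wire": esp_tunnel_size(mtu, **kw),
              "fragments": needs_fragmentation(mtu, outer_mtu, **kw)}
        for mtu in desktop_mtus
    }


if __name__ == "__main__":
    tunnel_mtu = max_inner_packet()
    print(f"tunnel MTU for aes256-sha256 over a 1500-byte link: {tunnel_mtu}")
    print(f"TCP MSS clamp that fits that tunnel: {tcp_mss_for_mtu(tunnel_mtu)}")
    for mtu, r in report().items():
        print(f"desktop MTU {mtu}: {r['on_wire']} bytes on the wire, "
              f"fragments={r['fragments']}")
```

Running it shows a 1500-byte inner packet growing to 1564 bytes (so it fragments), a 1420-byte packet growing to 1484 (fits, which is why lowering the desktop MTU worked), and a 1438-byte packet landing on exactly 1500. A clamp of 1398 (1438 minus 40 bytes of IPv4 and TCP headers) is therefore the largest MSS that avoids fragmentation on this tunnel; on FortiOS that is done per policy with tcp-mss-sender and tcp-mss-receiver under config firewall policy, and as emnoc notes it only affects TCP, so UDP and ICMP traffic larger than the tunnel MTU still fragments. With NAT-T in play the tunnel MTU drops by another 8 bytes of UDP header, which the nat_t flag accounts for.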