Skip to main content
GaryMBD
GaryMBD
New Member
October 2, 2024
Solved

Problems with setting MTU

  • October 2, 2024
  • 2 replies
  • 11777 views

Greetings Forti Community,

 

I use a web application that I reach on a IP address in my company network over IPsec VPN.

It appears that the application sends a HTTP POST request to the server that can't get through the VPN tunnel, because the package is to big. 

After I change my client VPN network interface to MTU 1350, it can send the package and the access works. I change it with the following command:

netsh interface ipv4 set subinterface "Ethernet 3" mtu=1350 store=persistent 

After that I've tried to set the MTU of the VPN IPsec Tunnel to 1350 and restart my client, I still couldn't access the web application. I've also tried different MTU values on the Firewall, but it didn't really change anything. Only if I do it on the client per command line.

If I restart my client and start the FortiClient VPN, it seems that this resets my MTU on my client VPN network interface. So I'd have to execute the command to change my client MTU every time after I start the FortiClient.

 

Does anyone know how to set the MTU for the FortiClient, so my network interface always get the correct value, or how to get this to work on the Firewall?

 

Thank you very much for your help in advance!

Best,
Gary

Best answer by johnathan

I'm not seeing any way to adjust this automatically in the FortiClient unfortunately. 
You may be able to adjust the TCP-MSS value in the SSLVPN's Firewall Policy instead. 
See: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

2 replies

johnathan
Staff
johnathanAnswer
Staff
October 2, 2024

I'm not seeing any way to adjust this automatically in the FortiClient unfortunately. 
You may be able to adjust the TCP-MSS value in the SSLVPN's Firewall Policy instead. 
See: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

Never trust a computer you can't throw out a window.
    GaryMBD
    GaryMBDAuthor
    New Member
    October 7, 2024

    Thanks for this! But my VPN Tunnel is IPSec. It seems that I don't have the option to edit the MSS value there, am I correct?

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    October 7, 2024

    Read the KB @johnathan posted. The MSS adjustment is done at the policies handling IPSec traffic. Not at the interface.

    Toshi

      arahman
      Staff
      arahman
      Staff
      October 7, 2024

      Hi, it can also be done on the interface level, as shown in the article below 

      https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/596096/interface-mtu-packet-size

      Terms & ConditionsAccessibility statement