RudiScott
New Member
October 11, 2022
Solved

VPN tunnel connected but not working

  • October 11, 2022
  • 2 replies
  • 2674 views

Good day,

I have an IPsec tunnel created between my head office, running a FortiGate FW, and my branch, running a Sophos FW.

The tunnel is connected and I am able to ping devices between the 2 offices over the tunnel. I am however having issues accessing anything over the tunnel: I can browse any device web interfaces over the tunnel as well as access any shares.

Any suggestions as to where the issue could be?

Thanks in advance


2 replies

sagha
Staff
October 11, 2022

Hi @RudiScott

This could be related either to MTU or to the ISP dropping ESP packets.

1. For MTU, you can lower it either in the policy or on the tunnel interface directly.

2. For the ISP dropping packets, you can try enabling forced NAT-T and restarting the tunnel.

Hope this helps.

Thank you.

Shahan

RudiScott (Author)
New Member
October 18, 2022

Hi Shahan,

Thank you for the reply. I have confirmed with the ISP that they are not dropping packets.
Can you please share some more insight on how to check the MTU size and how to change it?
I am quite new to FortiGate.

Thanks

anikolov (Answer)
Staff
October 18, 2022

Hello Rudi,

You can check the MTU using the commands from:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Network-Interface-Card-NIC-commands/ta-p/195577

To change the MTU, please use the following KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MTU-override-of-IPsec-VPN-interface/ta-p/193388

Or to change it in a policy:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

Please note for the last link that this is TCP MSS, which you would have to calculate based on the network characteristics (in the simplest scenario: "desired MTU" minus 40 (the TCP size) = tcp-mss value).

Regards,
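The two replies above leave the actual numbers to the reader: how much ESP (and NAT-T) encapsulation eats out of the WAN MTU, and what TCP MSS goes with the tunnel MTU you end up with. The script below is an added example, not code from the original thread, from Fortinet or from Sophos. It uses the standard ESP/IP/UDP header sizes, assumes a 1500-byte outer path MTU, and renders the FortiOS CLI for both KB articles; the CLI keywords (mtu-override, tcp-mss-sender, tcp-mss-receiver) are as recalled from those articles and should be checked against your FortiOS version, and the tunnel name "to-branch" and policy id 10 are made up. It also goes one step past the reply's "MTU minus 40" rule by handling IPv6 (60 bytes) and the extra 8 bytes that forced NAT-T adds.

```python
"""Work out a tunnel MTU and matching TCP MSS from the outer path MTU.

Constructed example: the encapsulation sizes below are the standard
ESP/IPv4/IPv6/UDP header sizes from the RFCs, not values read off any
particular FortiGate or Sophos box.
"""
from dataclasses import dataclass

IPV4_HDR = 20        # IPv4 header without options (outer or inner)
IPV6_HDR = 40        # fixed IPv6 header
UDP_HDR = 8          # added when NAT-T wraps ESP in UDP/4500
TCP_HDR = 20         # TCP header without options; MSS = MTU - IP - TCP
ESP_SPI_SEQ = 8      # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2      # ESP trailer: pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    """Per-algorithm ESP overhead: explicit IV, padding block size, ICV length."""
    name: str
    iv_len: int
    block: int
    icv_len: int


# Common phase-2 proposals (RFC 3602 / 2404 / 4868 / 4106 figures).
AES_CBC_SHA1 = EspProfile("aes128-cbc/hmac-sha1-96", iv_len=16, block=16, icv_len=12)
AES_CBC_SHA256 = EspProfile("aes256-cbc/hmac-sha256-128", iv_len=16, block=16, icv_len=16)
AES_GCM = EspProfile("aes128-gcm/icv16", iv_len=8, block=4, icv_len=16)


def esp_packet_size(inner_len: int, profile: EspProfile,
                    nat_t: bool = False, outer_v6: bool = False) -> int:
    """Wire size of an inner packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    # The plaintext (inner packet + 2-byte trailer) is padded up to the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // profile.block) * profile.block
    outer = (IPV6_HDR if outer_v6 else IPV4_HDR) + ESP_SPI_SEQ + profile.iv_len + padded + profile.icv_len
    if nat_t:
        outer += UDP_HDR
    return outer


def max_inner_mtu(outer_mtu: int, profile: EspProfile,
                  nat_t: bool = False, outer_v6: bool = False) -> int:
    """Largest inner packet that still fits outer_mtu once encapsulated, so the ESP
    packet itself never has to be fragmented on the WAN."""
    for inner in range(outer_mtu, 0, -1):
        if esp_packet_size(inner, profile, nat_t, outer_v6) <= outer_mtu:
            return inner
    raise ValueError(f"outer MTU {outer_mtu} cannot carry any payload with {profile.name}")


def tcp_mss_for(mtu: int, inner_v6: bool = False) -> int:
    """TCP MSS for a given MTU: the reply's 'MTU - 40' rule for IPv4; IPv6 needs MTU - 60."""
    return mtu - (IPV6_HDR if inner_v6 else IPV4_HDR) - TCP_HDR


def fortigate_cli(tunnel: str, policy_id: int, mtu: int, mss: int) -> str:
    """Render FortiOS CLI applying both values. Keywords are as recalled from the two
    KB articles linked above (assumption: verify against your FortiOS version)."""
    return "\n".join([
        "config system interface",
        f'    edit "{tunnel}"',
        "        set mtu-override enable",
        f"        set mtu {mtu}",
        "    next",
        "end",
        "config firewall policy",
        f"    edit {policy_id}",
        f"        set tcp-mss-sender {mss}",
        f"        set tcp-mss-receiver {mss}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # Hypothetical head-office link: 1500-byte WAN MTU, AES-CBC/SHA1 phase 2, with and
    # without the forced NAT-T suggested earlier in the thread. Names/ids are made up.
    for nat_t in (False, True):
        mtu = max_inner_mtu(1500, AES_CBC_SHA1, nat_t=nat_t)
        print(f"NAT-T={nat_t}: tunnel MTU {mtu}, TCP MSS {tcp_mss_for(mtu)}, "
              f"outer packet {esp_packet_size(mtu, AES_CBC_SHA1, nat_t=nat_t)} bytes")
    mtu = max_inner_mtu(1500, AES_CBC_SHA1, nat_t=True)
    print(fortigate_cli("to-branch", 10, mtu, tcp_mss_for(mtu)))
```

With a 1500-byte WAN MTU and AES-CBC/SHA1 the tunnel can carry 1438-byte inner packets (1422 once NAT-T adds its UDP header), so an MSS of 1398 or 1382 respectively; the often-quoted 1400/1360 pair is simply a rounder, more conservative choice of the same rule. Confirm the result with a do-not-fragment ping of that size across the tunnel before relying on it, because any extra encapsulation on the ISP path (PPPoE, GRE, a second VPN) lowers the outer MTU further.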