
thedude78
New Contributor

Fortigate 5.4.x and 5.6.x IPv6 Path MTU Discovery issue

Hello,

We are currently running our Fortigate 1500D in transparent mode.  We are running dual stack IPv4/IPv6.

Websites that are hosted on IPv6 work perfectly fine on 5.2.x (Currently running 5.2.11).  Every time we have tried to upgrade to 5.4.x or 5.6 we run into an issue where some websites stop functioning properly.  During the last attempt in May I was able to determine that the sites giving issues are ones where there is a small MTU somewhere along the routing path.  It looks as though the Fortigate is not handling ICMPv6 type 2 "Packet too large" notifications properly and so the requests are never resent to the webserver with a smaller packet size.  We have gone as far as to create a test rule that would specifically allow these ICMPv6 packets through the Fortigate.

I am wondering if anyone has ever run into this with FortiOS 5.4.x?

thedude78
New Contributor

Fortinet has confirmed this issue is a bug in 5.4.x and later versions of code for Fortigate, when running in transparent mode.  They have been able to use our configuration to reproduce this issue in their labs. I would assume R&D will eventually release a fix for bug ID 0441744.
We have been told that this only impacts IPv6 traffic when in transparent mode.  I have switched our configuration around to use a Routed VDOM and will attempt the upgrade to 5.6 next week.  I will verify when done to confirm if the issue rears its ugly little head again.

Dan
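
The symptom in this thread is ICMPv6 type 2 messages reaching one side of the transparent-mode firewall and never leaving the other. As an added example (not from the posts above or from Fortinet), this Python code parses and checksum-validates those messages from raw IPv6 packets and lists the ones captured on the outside port that never appeared on the inside port. The function names, addresses and sample packet are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6, PACKET_TOO_BIG = 58, 2   # IPv6 next-header value; ICMPv6 type (RFC 4443)

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by ICMPv6."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + addrs

def build_ptb(router: str, client: str, mtu: int, invoking: bytes) -> bytes:
    """Construct a type 2 message (sample data for this example only)."""
    body = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, mtu) + invoking
    hdr = ipv6_header(router, client, ICMPV6, len(body))
    csum = inet_checksum(hdr[8:40] + struct.pack("!I3xB", len(body), ICMPV6) + body)
    return hdr + body[:2] + struct.pack("!H", csum) + body[4:]

def parse_ptb(packet: bytes):
    """Return (mtu, orig_src, orig_dst) for a valid type 2 message, else None."""
    if len(packet) < 88 or packet[0] >> 4 != 6 or packet[6] != ICMPV6:
        return None
    icmp = packet[40:40 + struct.unpack("!H", packet[4:6])[0]]
    if len(icmp) < 48 or icmp[0] != PACKET_TOO_BIG:
        return None
    pseudo = packet[8:40] + struct.pack("!I3xB", len(icmp), ICMPV6)
    if inet_checksum(pseudo + icmp) != 0:      # corrupted in transit: ignore
        return None
    inner = icmp[8:48]                         # IPv6 header of the oversized packet
    return (struct.unpack("!I", icmp[4:8])[0],
            str(ipaddress.IPv6Address(inner[8:24])),
            str(ipaddress.IPv6Address(inner[24:40])))

def ptb_lost_in_transit(outside: list, inside: list) -> list:
    """Type 2 messages seen on the outside port that never reached the inside port."""
    seen = {parse_ptb(p) for p in inside}
    return [m for m in map(parse_ptb, outside) if m and m not in seen]

# Constructed sample: client 2001:db8:1::10 sent a 1500-byte packet to server
# 2001:db8:2::80, and a router on the path reported a 1280-byte next-hop MTU.
INVOKING = ipv6_header("2001:db8:1::10", "2001:db8:2::80", 6, 1460)
PTB = build_ptb("2001:db8:ffff::1", "2001:db8:1::10", 1280, INVOKING)
```

A non-empty result from `ptb_lost_in_transit` for a flow that stalls after the upgrade matches the behaviour described in the posts.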
