Description | This article describes the conditions under which FortiGate may deny a GTP packet with the log message deny_cause: invalid-msg-length. It explains how FortiCarrier checks the GTP length field and message size, and outlines the common scenarios where mismatches or out-of-range values lead to packet rejection. |
Scope | All FortiCarrier. |
Solution |
An invalid-msg-length deny can occur in two cases:
Case 1: Mismatch between GTP length field and actual packet size.
This happens when the length field inside the GTP header does not match the real size of the message. According to the GTP RFCs:
For GTPv1, the length covers everything after the first 8 bytes of the header (including sequence numbers, N-PDU, and any extension headers).
For GTPv2, the length covers everything after the first 4 bytes of the header (including TEID if present, sequence numbers, and the payload).
In the example below, the Length parameter in the GTP payload is 8 bytes, but the actual payload is 6 bytes:
This GTP message is denied with the following log:
Case 2: GTP message size outside the allowed range. FortiCarrier uses the GTP profile to define acceptable message size limits through two parameters:
If a GTP message is smaller than the minimum or larger than the maximum, FortiCarrier rejects it and logs invalid-msg-length. For example, if a packet arrives with a payload length of 3465, it exceeds the default maximum (1452) and is denied:
This packet is denied with the following log:
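The two checks described above can be reproduced offline against a captured UDP payload to see which case a denied message falls into. The following Python sketch is an added example, not Fortinet code: the function and constant names are hypothetical, the minimum of 0 is an assumption (the article gives only the 1452 default maximum), the range check is assumed to apply to the GTP length field, and each UDP payload is assumed to carry a single GTP message.

```python
import struct

MAX_MSG_LEN = 1452  # default maximum quoted in the article
MIN_MSG_LEN = 0     # assumed; the article gives no minimum value

# Bytes of mandatory header NOT counted by the length field, per GTP version.
FIXED_HEADER = {1: 8, 2: 4}

def check_gtp_length(msg, min_len=MIN_MSG_LEN, max_len=MAX_MSG_LEN):
    """Classify one GTP message (UDP payload bytes) as (action, reason)."""
    if len(msg) < 4:
        return "deny", "truncated: no length field"
    version = msg[0] >> 5                           # top 3 bits of first octet
    fixed = FIXED_HEADER.get(version)
    if fixed is None:
        return "deny", f"unhandled GTP version {version}"
    if len(msg) < fixed:
        return "deny", "truncated: shorter than mandatory header"
    declared = struct.unpack_from("!H", msg, 2)[0]  # octets 3-4, big endian
    actual = len(msg) - fixed
    if declared != actual:                          # Case 1: field vs. real size
        return "deny", f"invalid-msg-length: field={declared} actual={actual}"
    if not min_len <= declared <= max_len:          # Case 2: outside profile range
        return "deny", f"invalid-msg-length: {declared} outside {min_len}-{max_len}"
    return "allow", f"GTPv{version} length {declared} ok"

def gtpv1(length_field, body, flags=0x30, msg_type=0xFF, teid=0x1234):
    """Build a constructed GTPv1 message with an arbitrary length field."""
    return struct.pack("!BBHI", flags, msg_type, length_field, teid) + body

# Constructed samples (not the captures shown in the article).
SAMPLES = {
    "v1 consistent": gtpv1(6, b"\x00" * 6),
    "v1 case 1 (field 8, body 6)": gtpv1(8, b"\x00" * 6),
    "v1 case 2 (3465 bytes)": gtpv1(3465, b"\x00" * 3465),
    "v2 echo request": struct.pack("!BBH", 0x40, 1, 4) + b"\x00\x00\x01\x00",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:30} {check_gtp_length(raw)}")
```

Feeding it the UDP payload bytes exported from a packet capture shows whether a denied message failed the consistency check (Case 1) or the profile range check (Case 2).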
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.