FortiGate
nsubramanian
Staff
Article Id 195109
Description
This article describes how to detect fragmented packets in a sniffer trace and how to control fragmentation of packets before IPsec encapsulation.

The default MTU size is 1500 bytes.

Fragmentation occurs when a packet exceeds the MTU set on the outgoing interface, typically because of the extra bytes added during encapsulation.
Routers can fragment packets unless the Do-Not-Fragment (DF) bit is set to 1 in the IPv4 header.
If the DF bit is set to 0 (the default), the FortiGate splits a packet that is too large for the outgoing interface and sends the two resulting packets toward the destination.
When the destination receives the two fragments, its protocol stack has to reassemble them before it can process the Protocol Data Unit (PDU).


Some routers, including FortiGate, support Jumbo frames.
The requirement for using Jumbo frames (9216 bytes) is that every router on the packet's path supports them.
This eliminates the need to reduce the MTU size on the tunnel interfaces or adjust the MSS, and relieves the routers from performing any fragmentation.

Note that for PPPoE connections the MTU size has to be lower than 1500 bytes because of the PPPoE header and protocol ID; in other words, it must not be greater than 1492 bytes.

When troubleshooting fragmentation issues, a full network diagram is needed.

Solution
FGT # diag sniffer packet any "udp" 4 0 a
interfaces=[any]
filters=[udp]
2015-02-18 09:28:00.095018 wan1 in 10.108.16.82.9388 -> 255.255.255.255.9388: udp 2394 (frag 37572:1472@0+)
2015-02-18 09:28:00.095111 wan1 in 10.108.16.82 -> 255.255.255.255:  ip-proto-17 (frag 37572:930@1472)
IP datagram with ID=37572 was fragmented into two fragments:

- First fragment has a size of 1472 bytes.
- Second (and last) fragment has a size of 930 bytes.

Total size of the packet is 2402 bytes.
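As an added example that is not part of the original article, the following Python script parses the "(frag ID:length@offset+)" notation shown in the sniffer output above, groups fragments by IP ID, and reports the reassembled size and whether every fragment of the datagram was captured (contiguous offsets from 0 and a final fragment without the more-fragments "+" marker). The sample lines are constructed: the two fragments of ID 37572 from the trace above, plus a hypothetical datagram 37573 whose second fragment is missing.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by "diag sniffer packet ... 4".
# ID 37572 is the two-fragment datagram from the trace above; ID 37573 is a
# hypothetical datagram of which only the first fragment was seen.
SNIFFER_OUTPUT = """\
2015-02-18 09:28:00.095018 wan1 in 10.108.16.82.9388 -> 255.255.255.255.9388: udp 2394 (frag 37572:1472@0+)
2015-02-18 09:28:00.095111 wan1 in 10.108.16.82 -> 255.255.255.255:  ip-proto-17 (frag 37572:930@1472)
2015-02-18 09:28:01.000000 wan1 in 10.108.16.82.9388 -> 255.255.255.255.9388: udp 2394 (frag 37573:1472@0+)
"""

# tcpdump-style fragment record: id:payload-length@byte-offset, "+" = more fragments follow
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


def parse_fragments(text):
    """Group fragment records by IP ID -> list of (offset, length, more_fragments)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            groups[int(m["id"])].append((int(m["off"]), int(m["len"]), m["more"] == "+"))
    return groups


def reassembly_status(frags):
    """Return (total_payload_bytes, complete) for one datagram's fragment list.

    complete is True only if the fragments are contiguous from offset 0 and the
    last one carries no more-fragments flag; a gap or overlap marks it incomplete.
    """
    frags = sorted(frags)
    expected = 0
    for off, length, _more in frags:
        if off != expected:
            return sum(f[1] for f in frags), False
        expected = off + length
    last_more = frags[-1][2] if frags else True
    return expected, bool(frags) and not last_more


def report(text):
    """Map each IP ID in the trace to (total_bytes, complete)."""
    return {ip_id: reassembly_status(f) for ip_id, f in parse_fragments(text).items()}


if __name__ == "__main__":
    for ip_id, (total, ok) in report(SNIFFER_OUTPUT).items():
        print(f"ID={ip_id}: {total} bytes, {'complete' if ok else 'INCOMPLETE'}")
```

A datagram reported as incomplete in a trace taken on the receiving side points at a fragment being dropped on the path, which is the symptom this article's IP fragmentation option is meant to address.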

Note: the option below is available starting with FortiOS 6.2.

A new IP fragmentation option has been added to control fragmentation of packets before IPsec encapsulation, which can reduce packet loss in some environments.
The following options are available for the ip-fragmentation variable in the CLI under:
# config vpn ipsec phase1-interface
    edit (name)
        set ip-fragmentation pre-encapsulation      <----- This option will fragment before IPsec encapsulation.
    end
Or.
# config vpn ipsec phase1-interface
    edit (name)
        set ip-fragmentation post-encapsulation     <----- This option is RFC compliant and will fragment the packets after IPsec encapsulation.
    end
