Created on 07-05-2022 02:18 AM Edited on 03-13-2024 10:24 PM By Anthony_E
This article describes how FortiGate discovers the path MTU (PMTU) for a GRE tunnel.
Scope: FortiGate running a kernel version below 4.19 (the route cache has been removed in kernel version 4.19 and above).
Initially, FortiGate will get the interface MTU value as the PMTU value for the GRE tunnel.
For example, if a FortiGate sets up a GRE tunnel on a WAN interface with the default MTU of 1500, the GRE tunnel initially gets a PMTU value of 1500.
The following command shows the MTU of the GRE tunnel:
diagnose ip rtcache list
...
family=02 tab=254 vrf=0 vf=1 type=01 tos=0 flag=00000200
(Local Gateway IP)@0->(REMOTE GATEWAY IP)@38(<interface which form GRE tunnel>) gwy=10.26.3.20 prefsrc=0.0.0.0
ci: ref=0 lastused=0 expire=87 err=00000000 used=803 br=0 pmtu=1500 <== This is the MTU of the FGT
...
Note: if the command output is too long, it can be filtered with the '| grep' feature.
FortiGate will also change the PMTU value from time to time when it receives an ICMP 'Fragmentation Needed' error that meets two criteria:
In this case, the ICMP 'Fragmentation Needed' error packet reported a length of 128 bytes, which is below the minimum PMTU, so FortiGate changed the PMTU value to 552 (the minimum PMTU value):
diagnose ip rtcache list
...
family=02 tab=254 vrf=0 vf=1 type=01 tos=0 flag=00000200
(Local Gateway IP)@0->(REMOTE GATEWAY IP)@38(<interface which form GRE tunnel>) gwy=10.26.3.20 prefsrc=0.0.0.0
ci: ref=0 lastused=0 expire=87 err=00000000 used=803 br=0 pmtu=552 <== This is the MTU of the FGT
...
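The following Python script is an added example, not part of the original article or Fortinet's code. It parses output in the shape of the two 'diagnose ip rtcache list' listings above to pull the pmtu of each cached route, and models the PMTU update the article describes: a 'Fragmentation Needed' error lowers the cached PMTU, with 552 as the floor. The sample output and addresses are constructed placeholders; the function names and the "take the lower of current and advertised, never below 552" rule are this example's own assumptions about the behaviour, based only on the 1500 to 552 change shown above.

```python
import re

# Constructed sample of 'diagnose ip rtcache list' output, modelled on the
# entries shown in the article. Addresses and interface name are placeholders.
SAMPLE_RTCACHE = """\
family=02 tab=254 vrf=0 vf=1 type=01 tos=0 flag=00000200
192.0.2.10@0->198.51.100.20@38(port1) gwy=10.26.3.20 prefsrc=0.0.0.0
ci: ref=0 lastused=0 expire=87 err=00000000 used=803 br=0 pmtu=1500
family=02 tab=254 vrf=0 vf=1 type=01 tos=0 flag=00000200
192.0.2.10@0->203.0.113.5@38(port1) gwy=10.26.3.20 prefsrc=0.0.0.0
ci: ref=0 lastused=0 expire=87 err=00000000 used=12 br=0 pmtu=552
"""

MIN_PMTU = 552  # minimum PMTU value the article shows FortiGate falling back to

# Route line: "<src>@0-><dst>@38(<interface>) gwy=... prefsrc=..."
ROUTE_RE = re.compile(r"^(?P<src>[\d.]+)@\d+->(?P<dst>[\d.]+)@\d+\((?P<dev>[^)]+)\)")
# 'ci:' line carries the cached path MTU as pmtu=<n>
PMTU_RE = re.compile(r"\bpmtu=(?P<pmtu>\d+)")


def parse_rtcache(text):
    """Return one dict {src, dst, dev, pmtu} per route-cache entry.

    Each entry spans three lines: the 'family=' header, the route line
    (source/destination/interface) and the 'ci:' line that holds pmtu.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            current = {"src": m.group("src"), "dst": m.group("dst"),
                       "dev": m.group("dev"), "pmtu": None}
            entries.append(current)
            continue
        m = PMTU_RE.search(line)
        if m and current is not None and line.startswith("ci:"):
            current["pmtu"] = int(m.group("pmtu"))
            current = None  # entry complete
    return entries


def pmtu_for(entries, dst):
    """Cached PMTU towards a destination, or None if it is not in the cache."""
    for e in entries:
        if e["dst"] == dst:
            return e["pmtu"]
    return None


def apply_fragmentation_needed(current_pmtu, advertised_mtu, min_pmtu=MIN_PMTU):
    """Assumed model of the update: a 'Fragmentation Needed' error can only
    lower the cached PMTU, and the result never drops below min_pmtu.
    The article's case (1500 cached, 128 advertised) yields 552."""
    return max(min(current_pmtu, advertised_mtu), min_pmtu)


def entries_below(entries, interface_mtu=1500):
    """Cache entries whose PMTU has been reduced below the interface MTU,
    i.e. the tunnels worth checking when a PMTU problem is suspected."""
    return [e for e in entries
            if e["pmtu"] is not None and e["pmtu"] < interface_mtu]


if __name__ == "__main__":
    cache = parse_rtcache(SAMPLE_RTCACHE)
    for e in cache:
        print(f"{e['dst']:>15} via {e['dev']}: pmtu={e['pmtu']}")
    print("after frag-needed advertising 128:", apply_fragmentation_needed(1500, 128))
```

Feed the script real 'diagnose ip rtcache list' output (for example saved to a file) instead of SAMPLE_RTCACHE to list which peers have had their PMTU reduced; on a kernel 4.19 or later FortiGate the command produces no cache to parse, as the article notes below.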
This command works on FortiOS running older kernel versions. It will not work on FortiOS running kernel v4.19 and above, because the route cache has been removed there. Refer to the following article:
Troubleshooting Tip: Route cache is removed from FortiGates running new kernel version
In general, F-series FortiGates running v7.x use the new kernel.