kyozloveyou_FTNT
Article Id 216754
Description

 

This article describes how FortiGate discovers the PMTU (path MTU) of a GRE tunnel and how that value can be viewed.

 

Scope

 

FortiGate running a kernel version below 4.19. (The route cache has been removed in kernel version 4.19 and above.)

 

Solution

 

Initially, FortiGate uses the MTU of the underlying interface as the PMTU value for the GRE tunnel.

 

For example, if a FortiGate sets up a GRE tunnel on a WAN interface with the default MTU of 1500, the PMTU of the GRE tunnel starts at 1500.

 

The following command shows the PMTU of the GRE tunnel:

 

diagnose ip rtcache list

 

...

family=02 tab=254 vrf=0 vf=1 type=01 tos=0 flag=00000200

(Local Gateway IP)@0->(REMOTE GATEWAY IP)@38(<interface which form GRE tunnel>) gwy=10.26.3.20 prefsrc=0.0.0.0

ci: ref=0 lastused=0 expire=87 err=00000000 used=803 br=0 pmtu=1500 <== This is the PMTU of the GRE tunnel on the FGT

...

 

 

Note: if the command output is too long, it is possible to filter it with the '| grep' feature, for example by matching the remote gateway IP.

 

FortiGate will also update the PMTU value whenever it receives an ICMP 'Fragmentation Needed' error, checking two criteria:

 

  1. FortiGate checks the next-hop MTU value carried in the ICMP 'Fragmentation Needed' error:

 

[Screenshot: packet capture of the ICMP 'Fragmentation Needed' error showing the next-hop MTU field]

 

 

  2. FortiGate checks the packet length of the ICMP 'Fragmentation Needed' error:

 

[Screenshot: packet capture of the ICMP 'Fragmentation Needed' error showing the packet length]

 

 

In this case, the ICMP 'Fragmentation Needed' error packet had a packet length of 128 bytes, so FortiGate changed the PMTU value to 552 (the minimum PMTU value):

 

diagnose ip rtcache list

...

family=02 tab=254 vrf=0 vf=1 type=01 tos=0 flag=00000200

(Local Gateway IP)@0->(REMOTE GATEWAY IP)@38(<interface which form GRE tunnel>) gwy=10.26.3.20 prefsrc=0.0.0.0

ci: ref=0 lastused=0 expire=87 err=00000000 used=803 br=0 pmtu=552 <== This is the PMTU of the GRE tunnel on the FGT

...
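To make the two criteria above concrete, the following added Python example (not FortiOS code, and not from the article's author) parses a constructed ICMP 'Fragmentation Needed' packet, reads the next-hop MTU field and the IP total length, and applies a simplified model of the update rule: use the next-hop MTU field when it is usable, otherwise fall back to the error's packet length, and never go below the 552-byte minimum the article shows. The update rule, the 68-byte lower bound for a usable field, and the packet contents are assumptions for illustration.

```python
import struct

MIN_PMTU = 552         # minimum PMTU the article shows FortiGate falling back to
INTERFACE_MTU = 1500   # initial GRE PMTU: the MTU of the underlying interface


def parse_frag_needed(packet: bytes):
    """Return (ip_total_length, next_hop_mtu) for an IPv4 packet carrying an
    ICMP type 3 / code 4 error, or None for anything else."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:                        # IP protocol 1 = ICMP
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type != 3 or code != 4:           # Destination Unreachable / Fragmentation Needed
        return None
    return total_length, mtu


def new_pmtu(current_pmtu: int, total_length: int, next_hop_mtu: int) -> int:
    """Assumed simplified model of the two criteria listed in the article."""
    if 68 <= next_hop_mtu < current_pmtu:     # criterion 1: a usable next-hop MTU field
        candidate = next_hop_mtu
    else:                                     # criterion 2: fall back to the error's packet length
        candidate = total_length
    # never raise the PMTU because of an error, and never go below the 552 minimum
    return min(current_pmtu, max(candidate, MIN_PMTU))


def apply_frag_needed(current_pmtu: int, packet: bytes) -> int:
    """PMTU after processing one received packet; unchanged if it is not a 3/4 error."""
    parsed = parse_frag_needed(packet)
    return current_pmtu if parsed is None else new_pmtu(current_pmtu, *parsed)


def build_frag_needed(next_hop_mtu: int, quoted_len: int) -> bytes:
    """Constructed sample packet (not a real capture): minimal IPv4 header, ICMP 3/4
    header, then quoted_len filler bytes standing in for the quoted original datagram.
    Addresses are constructed; 10.26.3.20 is the gateway shown in the article."""
    total_length = 20 + 8 + quoted_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, 1, 0,
                     bytes([10, 26, 3, 20]), bytes([10, 26, 3, 1]))
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    return ip + icmp + bytes(quoted_len)


if __name__ == "__main__":
    # 128-byte error with an empty next-hop MTU field, as in the article: PMTU drops to 552
    print(apply_frag_needed(INTERFACE_MTU, build_frag_needed(0, 100)))     # 552
    # error carrying a next-hop MTU of 1400: the PMTU follows the field instead
    print(apply_frag_needed(INTERFACE_MTU, build_frag_needed(1400, 548)))  # 1400
```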

 

This command works on FortiOS builds running older kernel versions. It does not work on FortiOS builds running kernel v4.19 and above, because the route cache has been removed. Refer to the following article:

Troubleshooting Tip: Route cache is removed from FortiGates running new kernel version 

In general, F series FortiGates running on v7.x will contain the new kernel.