Description | This article describes how to prevent activation loops when using a connection type such as PPPoE, where license activation fails because the extra encapsulation headers added by that technology push full-size packets over the link MTU. |
Scope | FortiGate VM, FortiGate Physical Appliances. |
Solution |
It may be necessary to lower the tcp-mss value under the VLAN/physical interface used to contact the FortiGuard Servers.
Symptoms:
When uploading the license to the FortiGate, the GUI stays on a loading page and never returns to the admin login page.
Analysis: Enable the update daemon debug with the following commands:
diagnose debug application update -1
diagnose debug enable
To stop the debug, run 'diagnose debug application update 0' and 'diagnose debug disable'.
Look for the following message in the debug output:
FGVM02TM24015196 # upd_pkg_recv[1304]-Error receiving pkg header len=0 hdr=64
Using a packet capture (for example 'diagnose sniffer packet <interface> 'port 443' 4' on the FortiGate, or a capture on the upstream side), observe that the FortiGate is attempting to send packets larger than the 1500-byte interface MTU (1514 bytes on the wire once the 14-byte Ethernet header is added) towards the FortiGuard servers.
Resolution: Under the interface used to reach the FortiGuard servers, lower the TCP MSS:
config system interface
    edit <interface>
        set tcp-mss <value>
    next
end
After this change the traffic is sent and received without problems, and the license activates.
Note: By default, the FortiGate advertises a TCP MSS of 1460, which is the 1500-byte Ethernet MTU minus the 20-byte IPv4 header and the 20-byte TCP header. Behind PPPoE this is too large, because PPPoE adds 8 bytes of encapsulation (a 6-byte PPPoE header and a 2-byte PPP protocol field): 1460 (payload) + 40 (IPv4 + TCP headers) + 8 (PPPoE) = 1508 bytes, which exceeds the 1500-byte MTU of the underlying Ethernet link. Lowering tcp-mss keeps full-size segments within the MTU; for plain PPPoE over Ethernet the value that fits exactly is 1500 - 40 - 8 = 1452 (1432 for IPv6, whose header is 40 bytes), and any further encapsulation on the path (a VLAN tag, a tunnel) requires a correspondingly smaller value. The segment sizes seen in a capture of HTTPS traffic (port 443 in this example) will not all be full-MSS segments, since TLS record sizes depend on the cipher suite and the data being sent; what matters is that no segment exceeds the negotiated MSS. Remember that the tcp-mss is only negotiated in the SYN and SYN-ACK at the very start of a TCP connection, so the new value applies only to connections established after the change; existing sessions keep the MSS they negotiated. |
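The following is an added example, not code from the original article or from Fortinet: it carries the MTU/MSS arithmetic above through in code for any combination of encapsulation overheads, and shows how to read the advertised MSS back out of the TCP options of a SYN, which is what to look for in a capture to confirm the tcp-mss change took effect. The SYN segments are constructed by hand for illustration; the overhead constants are standard header sizes, and the function names are the example's own.

```python
"""
Added example (not from the original article): compute the tcp-mss a
FortiGate should advertise for a given MTU and encapsulation overhead,
and extract the MSS actually advertised in a raw TCP SYN segment.
All segments below are constructed inline; nothing is captured live.
"""
import struct

IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20          # base TCP header; options are counted separately
PPPOE_OVERHEAD = 8    # 6-byte PPPoE header + 2-byte PPP protocol field
VLAN_OVERHEAD = 4     # 802.1Q tag, when the tag is carried inside the MTU
ETHERNET_HDR = 14     # dst MAC + src MAC + EtherType; not part of the IP MTU


def compute_tcp_mss(mtu=1500, overheads=(), ipv6=False):
    """Largest TCP payload per segment such that IP packet + encapsulation
    still fits in `mtu` bytes. 1500 with no overhead gives 1460; behind
    PPPoE (8 bytes) it gives 1452."""
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    return mtu - ip_hdr - TCP_HDR - sum(overheads)


def packet_size(mss, overheads=(), ipv6=False):
    """Size of a full-MSS IP packet once the given encapsulation is added.
    This is the number to compare against the link MTU."""
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    return mss + ip_hdr + TCP_HDR + sum(overheads)


def wire_frame_size(mss, overheads=(), ipv6=False):
    """Same packet as seen in an Ethernet capture (adds the 14-byte header)."""
    return packet_size(mss, overheads, ipv6) + ETHERNET_HDR


def build_syn(src_port, dst_port, mss):
    """Constructed minimal TCP SYN header carrying one MSS option (kind 2)."""
    options = struct.pack("!BBH", 2, 4, mss)          # kind, length, MSS
    data_offset = (TCP_HDR + len(options)) // 4       # header length in words
    flags = 0x02                                      # SYN
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port, 0, 0,    # ports, seq, ack
                         data_offset << 4, flags,     # offset/reserved, flags
                         65535, 0, 0)                 # window, checksum, urg
    return header + options


def advertised_mss(tcp_segment):
    """Walk the TCP options of a segment and return the MSS, or None if the
    segment carries no MSS option (as is the case for every non-SYN segment).
    Kind 0 ends the list, kind 1 is a 1-byte NOP, all others carry a length."""
    data_offset = (tcp_segment[12] >> 4) * 4
    opts = tcp_segment[TCP_HDR:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2:
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


if __name__ == "__main__":
    default_mss = compute_tcp_mss(1500)                    # plain Ethernet
    pppoe_mss = compute_tcp_mss(1500, (PPPOE_OVERHEAD,))   # behind PPPoE
    print("default MSS", default_mss,
          "-> packet behind PPPoE", packet_size(default_mss, (PPPOE_OVERHEAD,)))
    print("PPPoE MSS", pppoe_mss,
          "-> packet behind PPPoE", packet_size(pppoe_mss, (PPPOE_OVERHEAD,)))
    syn = build_syn(44123, 443, pppoe_mss)
    print("MSS advertised in constructed SYN:", advertised_mss(syn))
```

With the default MSS the full-size packet behind PPPoE is 1508 bytes, over the 1500-byte MTU; with 1452 it is exactly 1500. To confirm the fix on a real device, take a capture of the SYN towards the FortiGuard server and check that the MSS option in it now carries the configured value.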
Copyright 2024 Fortinet, Inc. All Rights Reserved.