Created on 09-26-2024 02:37 AM Edited on 12-24-2024 12:54 AM By Anthony_E
Description
This article describes how to see the correct size of the packets passing through the FortiGate when they are initiated by the requester.
Scope
FortiGate.
Solution
First, check whether the FortiGate is configured to fragment traffic when needed:
show | grep honor
show full | grep -f honor
The output is similar to the following:
set honor-df enable/disable   <----- If honor-df is enabled, the FortiGate does not fragment packets that carry the Don't Fragment (DF) bit. If the packets arrive with the DF bit clear (the initiator allows fragmentation), the FortiGate can still fragment the traffic when needed.
Whether the initiator allows fragmentation can be seen in Wireshark.
Example:
Under Internet Protocol Version 4, Src: 10.0.0.0, Dst: 10.0.0.0, expand the Flags section:
000. .... = Flags: 0x0
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set   <-----
..0. .... = More fragments: Not set
To see the correct MTU size:
From CMD run the ping:
ping -n 1 -l 4000 xx.xx.xx.xx
xx.xx.xx.xx is the destination IP.   <----- 4000 is the size of the packet; use a larger packet size if needed.
To clarify what this command is doing in detail:
ping: This is the command that sends ICMP Echo Request packets to a specified network host.
-n 1: This specifies that only 1 ping request should be sent. Normally, ping sends 4 requests by default.
-l 4000: This sets the packet size to 4000 bytes. The default packet size is 32 bytes, so this option is used to send a larger packet to test network performance under a bigger load. The maximum packet size that can be sent using the ping command is 65,500 bytes. However, when testing jumbo frames, the effective limit for the ping command is approximately 8,972 bytes. This size accounts for the overhead in a 9,000-byte Ethernet jumbo frame, which is typically used for such testing.
On the FortiGate:
diag sniffer packet any "host xx.xx.xx.xx and icmp" 4 10 1
xx.xx.xx.xx is the destination IP.
Start the sniffer first, then initiate the ping at the same time. The correct size that is passing through the FortiGate will be seen in the sniffer output.
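As an added illustration (not part of the original article and not FortiGate code), the following Python model computes the IP fragment sizes to expect in the sniffer output for a given ping -l payload and hop MTU, and reproduces the 8,972-byte jumbo-frame figure above. The honor_df parameter is an assumption that models the honor-df behaviour described earlier: with it enabled, a DF-marked datagram larger than the MTU is not fragmented and the hop answers with ICMP "Fragmentation needed" instead.

```python
"""Model IPv4 fragmentation of an ICMP echo request at a hop with a given MTU.

Added example, not from the original article. Sizes follow standard IPv4
fragmentation rules (fragment data in multiples of 8 bytes, 20-byte header
per fragment). honor_df is an assumption modelling the honor-df setting.
"""
from dataclasses import dataclass

IP_HDR = 20     # IPv4 header without options
ICMP_HDR = 8    # ICMP echo header (type, code, checksum, id, seq)


@dataclass
class Fragment:
    total_length: int    # IP total length field = IP_HDR + data carried
    offset: int          # fragment offset in 8-byte units
    more_fragments: bool


def max_ping_payload(mtu: int) -> int:
    """Largest 'ping -l' value that fits one frame of this MTU (headers subtracted)."""
    return mtu - IP_HDR - ICMP_HDR


def fragment_ping(payload: int, mtu: int, df: bool = False, honor_df: bool = True):
    """Return the IP fragments seen past a hop with MTU `mtu`, or None when
    the hop must drop the datagram and reply 'Fragmentation needed'
    (ICMP type 3 code 4 carrying the next-hop MTU)."""
    l4_len = ICMP_HDR + payload            # ICMP header + echo data
    total = IP_HDR + l4_len                # IP total length of the original datagram
    if total <= mtu:
        return [Fragment(total, 0, False)]  # fits: forwarded untouched
    if df and honor_df:
        return None                        # DF set and honoured: cannot fragment
    per_frag = (mtu - IP_HDR) // 8 * 8     # data per fragment, multiple of 8
    frags, sent = [], 0
    while sent < l4_len:
        chunk = min(per_frag, l4_len - sent)
        frags.append(Fragment(IP_HDR + chunk, sent // 8, sent + chunk < l4_len))
        sent += chunk
    return frags


if __name__ == "__main__":
    print("max -l for a 9000-byte jumbo frame:", max_ping_payload(9000))  # 8972
    for frag in fragment_ping(4000, 1500):      # ping -l 4000 crossing a 1500 MTU hop
        print(frag)
```

Compare the total_length values with the lengths printed by diag sniffer for the same ping; a mismatch points at a different MTU on the path than the one assumed here.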
Note: FortiGates do not record traffic logs for sessions offloaded to FortiGate NP processors.
To disable NPU offloading on the policy so the traffic is visible:
config firewall policy
    edit <ID>   <----- Policy ID here.
        set auto-asic-offload disable
    next
end
To check the MTU size configured on the firewall:
show sys int portXX
sh full sys int portXX | grep mtu
diag netlink interface list portXX
Replace XX with the port in use.
For additional guidance on isolating the issue and implementing the solutions discussed above, refer to the following articles.
Related documents:
Technical Tip: Destination unreachable (Fragmentation needed)
Technical Tip: Finding the MTU of a FortiGate interface
Technical Tip: MTU size on a Physical interface is displayed differently to the explicit MTU in PPPo...
Technical Tip: Explaining the 'honor-df' global setting
Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained
Copyright 2025 Fortinet, Inc. All Rights Reserved.