FortiGate
bstefanovski
Staff
Article Id 344561
Description

This article describes how to see the correct size of the packets that are passing through the Firewall when they are initialized from the requester.

Scope

FortiGate.
Solution

Check whether the FortiGate is configured to fragment traffic when needed:

show | grep honor

show full | grep -f honor

 

Results are similar to the following:

 

set honor-df enable/disable    <----- If this is enabled, the FortiGate honors the DF bit in the IP header. If packets arrive with the DF bit not set (i.e., the initiator allows fragmentation), the FortiGate fragments the traffic if necessary.

 

Note: honor-df is a global setting.

 

MTU Check & Fragmentation:

  • If the packet is larger than the interface MTU and the DF (Do Not Fragment) bit is NOT set, FortiGate fragments it.
  • If the DF bit is set, fragmentation is not allowed. Instead, FortiGate drops the packet and may send an ICMP 'Fragmentation Needed' message back to the sender.

 

Forced Fragmentation (Override DF Bit):

FortiGate has a mechanism to override the DF bit when forwarding packets over VPN tunnels (for example, IPsec). If a packet must be fragmented, FortiGate ignores the DF bit and fragments it.

 

Whether the initiator is configured to allow fragmentation or not can be seen through Wireshark.

 

Example:

 

From the CLI:

 

diagnose sniffer packet any "host x.x.x.x" 6 0 l

 

When the PCAP file is opened in Wireshark, under Internet Protocol Version 4, Src: 10.0.0.0, Dst: 10.0.0.0, the flags section shows the following:

000. .... = Flags: 0x0
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set <-----
..0. .... = More fragments: Not set

 

To see the correct MTU size:

From the Windows command prompt, run the ping:

ping -n 1 -l 4000 xx.xx.xx.xx

xx.xx.xx.xx is the destination IP. <----- 4000 is the size of the packet; use a larger packet size if needed.

 

To clarify what this command is doing in detail:

 

ping: This is the command that sends ICMP Echo Request packets to a specified network host.

 

-n 1: This specifies that only 1 ping request should be sent. Normally, ping sends 4 requests by default.

 

-l 4000: This sets the packet size to 4000 bytes. The default packet size is 32 bytes, so this option is used to send a larger packet to test network performance under a bigger load. The maximum packet size that can be sent using the ping command is 65,500 bytes.

However, when testing jumbo frames, the effective limit for the ping command is approximately 8,972 bytes. This size accounts for the overhead in a 9,000-byte Ethernet jumbo frame, which is typically used for such testing.

 

On the FortiGate:

 

diagnose sniffer packet any "host xx.xx.xx.xx and icmp" 4 10 1

destination IP is xx.xx.xx.xx

 

Start the sniffer first, then initiate the ping while it is running.

The correct size of the packets passing through the FortiGate is shown in the sniffer output.

To stop the sniffer, press Ctrl + C.
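To make the DF-bit check and the fragmentation rules above concrete, here is an added Python example (not from this article and not Fortinet code) that parses the IPv4 flags word Wireshark displays, applies the forward / fragment / drop decision for a given egress MTU and honor-df setting, fragments a packet that is allowed to be fragmented, and computes the largest `ping -l` payload that fits an MTU. The sample packet is constructed inline to mirror `ping -l 4000` (an ICMP echo request carrying 4000 data bytes, which gives a 4028-byte IP total length once the 20-byte IP and 8-byte ICMP headers are added). The function names, the 10.0.0.x addresses and the 1500-byte MTU are assumptions for this example, and the ICMP 'Fragmentation Needed' reply is represented only as a returned label.

```python
import struct
from dataclasses import dataclass

IPV4_HEADER_LEN = 20   # IPv4 header without options
ICMP_HEADER_LEN = 8    # ICMP echo request/reply header
DF_FLAG = 0x4000       # "Don't fragment" bit in the flags/fragment-offset word
MF_FLAG = 0x2000       # "More fragments" bit
OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units


@dataclass
class Ipv4Summary:
    total_length: int   # IP header + payload in bytes (the size the sniffer reports)
    ihl: int            # header length in bytes
    df: bool            # what Wireshark shows as "Don't fragment: Set/Not set"
    mf: bool            # "More fragments"
    frag_offset: int    # in 8-byte units, as Wireshark displays it
    src: str
    dst: str


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071), used for IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> Ipv4Summary:
    """Extract the fields relevant to MTU/fragmentation analysis from a raw IPv4 packet."""
    if len(pkt) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_frag, _ttl, _proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HEADER_LEN])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return Ipv4Summary(
        total_length=total_length,
        ihl=(ver_ihl & 0x0F) * 4,
        df=bool(flags_frag & DF_FLAG),
        mf=bool(flags_frag & MF_FLAG),
        frag_offset=flags_frag & OFFSET_MASK,
        src=".".join(map(str, src)),
        dst=".".join(map(str, dst)),
    )


def header_checksum_ok(pkt: bytes) -> bool:
    """A valid IPv4 header sums to zero when the checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    return inet_checksum(pkt[:ihl]) == 0


def forwarding_decision(hdr: Ipv4Summary, mtu: int, honor_df: bool = True) -> str:
    """The three outcomes the article describes for a packet reaching an egress MTU."""
    if hdr.total_length <= mtu:
        return "forward"
    if hdr.df and honor_df:
        return "drop+icmp-frag-needed"   # honor-df enabled: DF respected, ICMP 'Fragmentation Needed' to sender
    return "fragment"                     # DF clear, or DF ignored (honor-df disabled / forced over IPsec)


def fragment(pkt: bytes, mtu: int) -> list:
    """Split an IPv4 packet into fragments that each fit within mtu (DF cleared in the fragments)."""
    hdr = parse_ipv4_header(pkt)
    header = pkt[:hdr.ihl]
    payload = pkt[hdr.ihl:hdr.total_length]
    if hdr.total_length <= mtu:
        return [pkt]
    chunk = (mtu - hdr.ihl) // 8 * 8    # every non-final fragment carries a multiple of 8 data bytes
    frags = []
    for offset in range(0, len(payload), chunk):
        piece = payload[offset:offset + chunk]
        more = offset + chunk < len(payload)
        fh = bytearray(header)
        struct.pack_into("!H", fh, 2, hdr.ihl + len(piece))                       # new total length
        struct.pack_into("!H", fh, 6, (MF_FLAG if more else 0) | (offset // 8))  # MF bit + offset
        struct.pack_into("!H", fh, 10, 0)                                          # zero, then recompute
        struct.pack_into("!H", fh, 10, inet_checksum(bytes(fh)))
        frags.append(bytes(fh) + piece)
    return frags


def build_icmp_echo(src: str, dst: str, payload_len: int, df: bool) -> bytes:
    """Constructed packet mirroring `ping -l <payload_len>`: an ICMP echo request with that much data."""
    icmp = bytearray(struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(payload_len))
    struct.pack_into("!H", icmp, 2, inet_checksum(bytes(icmp)))
    total = IPV4_HEADER_LEN + len(icmp)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234,
                               DF_FLAG if df else 0, 64, 1, 0,
                               bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    return bytes(ip) + bytes(icmp)


def max_ping_payload(mtu: int) -> int:
    """Largest `ping -l` value that fits the MTU unfragmented (MTU minus IP and ICMP headers)."""
    return mtu - IPV4_HEADER_LEN - ICMP_HEADER_LEN


if __name__ == "__main__":
    pkt = build_icmp_echo("10.0.0.1", "10.0.0.2", 4000, df=False)   # constructed sample
    hdr = parse_ipv4_header(pkt)
    print(f"total length {hdr.total_length}, DF={hdr.df}, decision at MTU 1500: "
          f"{forwarding_decision(hdr, 1500)}")
    for f in fragment(pkt, 1500):
        s = parse_ipv4_header(f)
        print(f"  fragment len={s.total_length} offset={s.frag_offset} MF={s.mf}")
    print("max ping -l for MTU 9000:", max_ping_payload(9000))
```

Running the script fragments the 4028-byte echo at a 1500-byte MTU into three fragments of 1500, 1500 and 1068 bytes with offsets 0, 185 and 370, which is the pattern to expect in the sniffer output when the DF bit is clear or honor-df is disabled. With the same packet built with `df=True`, the decision becomes `drop+icmp-frag-needed` while honor-df is enabled and `fragment` when it is not. `max_ping_payload(9000)` returns 8972, matching the jumbo-frame limit quoted above.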

 

Note:

FortiGates do not record traffic logs for sessions offloaded to FortiGate NP processors.

 

How to disable NPU offloading:

 

config firewall policy

    edit ID <----- Policy ID here.

    set auto-asic-offload disable

end

 

To check the MTU size configured on the firewall:

 

show system int portX

show full system int portX | grep mt

diag netlink interface list portX

Replace X with the port in use.

 

For additional guidance on isolating the issue and implementing the solutions discussed above, refer to the following article: Technical Tip: Destination unreachable (Fragmentation needed).

 

Related documents:

Technical Tip: Destination unreachable (Fragmentation needed)

Technical Tip: Finding the MTU of a FortiGate interface
Technical Tip: MTU size on a Physical interface is displayed differently to the explicit MTU in PPPo...
Technical Tip: Explaining the 'honor-df' global setting
Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained

Disabling NP offloading for firewall policies