| Description | This article describes steps to take if the MTU of an IPsec aggregate interface is not the desired or expected value, resulting in MTU issues. |
| Scope | FortiOS v7.2.5 and above, v7.4.0 and above. |
| Solution |
FortiOS calculates the MTU of an IPsec aggregate interface automatically, using the MTU of the member IPsec tunnel(s) as a key input. If the aggregate has more than one member and the members' MTUs differ, the lowest member MTU is used to calculate the MTU of the aggregate interface. No admin intervention is required.
However, Fortinet has observed that under certain conditions (for example, particular customer settings, underlay link MTUs, or a differing number of members forming the IPsec aggregate), the calculation can produce an unexpected or unsuitable value.
This results in an MTU issue: the value may be too large, causing drops when packet fragmentation is not allowed, or too small, making network usage inefficient. To address such situations, as of FortiOS v7.2.5/v7.4.0 it is possible to set the MTU of an IPsec aggregate interface manually.
This will be demonstrated with the following setup:
    FGT1 ---------------------------FGT2          <-- Sites
    7.2.5---------------------------7.2.4         <-- FortiOS versions
    vpn1&vpn2-----------------------vpn1&vpn2     <-- Aggregate VPNs
    vpn1(port1)---------------------vpn1(port1)   <-- member1
    vpn2(port1)---------------------vpn2(port2)   <-- member2
The following screenshots show an IPsec aggregate interface with two members. One FortiGate runs FortiOS 7.2.5 and the other runs 7.2.4. In 7.2.5 it is possible to assign an MTU to the aggregate interface; in 7.2.4 it is not.
7.2.5: [screenshot]
7.2.4: [screenshot]
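As an added example (not taken from the original article), the CLI form of the setup above with the manual MTU applied on the 7.2.5 side. The aggregate name agg1, the MTU value 1400 and the override syntax on the aggregate interface are assumptions; check them against the CLI reference for your FortiOS build before use.

```text
# Assumed example configuration, not from the article.
# The phase1-interface tunnels vpn1 and vpn2 already exist; they become the members.
config system ipsec-aggregate
    edit "agg1"                      # assumed aggregate name
        set member "vpn1" "vpn2"
        set algorithm L3             # per-flow distribution across the members
    next
end

# FortiOS 7.2.5 / 7.4.0 and later: replace the automatically calculated MTU.
# Choose a value the lowest-MTU underlay link can still carry after tunnel overhead;
# 1400 here is a placeholder, not a recommendation.
config system interface
    edit "agg1"
        set mtu-override enable      # assumed: same override knobs as other interfaces
        set mtu 1400
    next
end

# Verify the resulting MTU on the aggregate and on each member:
#   diagnose netlink interface list agg1
#   diagnose netlink interface list vpn1
#   diagnose netlink interface list vpn2
```

Compare the aggregate MTU reported by the last three commands with the lowest member MTU: if it is larger, fragmentation-sensitive traffic can be dropped; if it is much smaller, link usage is inefficient, which is the condition the manual setting is meant to correct.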
Related article: Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.