Created on 09-30-2022 08:54 AM Edited on 09-30-2022 08:54 AM By Anonymous
Description
This article describes the ICMP error 'Fragmentation Needed' (ICMP Type 3, Code 4). Symptom: some websites (for example Microsoft Office, Dynamics, etc.) cannot be accessed, and this ICMP error is seen when taking a packet capture.
Path MTU Discovery (PMTUD) is an automatic mechanism to discover the lowest MTU on the path between two endpoints. PMTUD relies on ICMP Type 3 Code 4 messages sent back by upstream devices when a packet larger than their MTU arrives with the 'Don't Fragment' bit set and therefore must be forwarded without fragmentation, which is not possible.
Scope
When UTM is enabled on a site-to-site VPN and users browse external websites through the VPN tunnel, this error is very likely to be seen while troubleshooting access issues on end-users.
Solution
There are 3 possible changes a user can configure:
1) Change TCP MSS on the policy that processes VPN traffic
# config firewall policy
    edit <policy-id>
        set tcp-mss-sender <value>
        set tcp-mss-receiver <value>
    next
end
(<policy-id> is the ID of the policy that processes VPN traffic and <value> is the desired MSS; both are placeholders.)
where tcp-mss-sender is the sender's TCP MSS value and modifies the TCP MSS field in the TCP SYN packet, and tcp-mss-receiver is the receiver's TCP MSS value and likewise modifies the TCP MSS field in the TCP SYN packet.
2) In specific cases where a VPN session is offloaded to the NPU, honor-df cannot take effect, which means that PMTU discovery fails because the packet size (the DF bit) is not honored.
# config vpn ipsec phase1-interface
# config system interface
    edit ipsec-tunnel-1
        set mtu-override enable
        set mtu 1400
    next
end
(mtu-override accepts enable or disable; 1400 is an example, any other lower value can be used.)
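As an added example (not part of the original article), the following Python code parses the ICMP Type 3 Code 4 message described in the Description above, extracts the next-hop MTU that the upstream device advertised, and derives the TCP MSS value (MTU minus the IP and TCP headers) that solution 1 sets with tcp-mss-sender/tcp-mss-receiver. The sample message, the 1400-byte MTU and the addresses are constructed.

```python
import struct

# Layout of an ICMP Destination Unreachable / Fragmentation Needed message
# (Type 3, Code 4; next-hop MTU field per RFC 1191): 8-byte ICMP header
# followed by the IP header + first 8 bytes of the dropped datagram.
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
IP_HDR_LEN, TCP_HDR_LEN = 20, 20
IP_FLAG_DF = 0x4000

def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu, dropped_ip_hdr, dropped_first8):
    """Construct a Type 3 / Code 4 message as a router would send it (test data only)."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += dropped_ip_hdr + dropped_first8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_frag_needed(msg):
    """Return (next_hop_mtu, dropped_total_len, df_set), or None if not a valid Type 3 / Code 4."""
    if len(msg) < 8 + IP_HDR_LEN or icmp_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    inner = msg[8:8 + IP_HDR_LEN]                      # header of the dropped packet
    total_len = struct.unpack("!H", inner[2:4])[0]
    df_set = bool(struct.unpack("!H", inner[6:8])[0] & IP_FLAG_DF)
    return next_hop_mtu, total_len, df_set

def mss_for_mtu(mtu):
    """Largest TCP MSS that fits an IPv4 MTU: MTU minus 20-byte IP and 20-byte TCP headers."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN

# Constructed sample: a 1500-byte TCP packet with DF set (10.0.0.5 -> 203.0.113.10,
# RFC 1918 / RFC 5737 documentation addresses) was rejected by a hop whose MTU is 1400.
DROPPED_IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, IP_FLAG_DF,
                             64, 6, 0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
SAMPLE_MSG = build_frag_needed(1400, DROPPED_IP_HDR, b"\x00" * 8)

if __name__ == "__main__":
    mtu, dropped_len, df = parse_frag_needed(SAMPLE_MSG)
    print(f"Fragmentation Needed: {dropped_len}-byte packet, DF={df}, next-hop MTU {mtu}")
    print(f"Suggested tcp-mss-sender/receiver value: {mss_for_mtu(mtu)}")
```

In a real capture the next-hop MTU field tells you which hop (here, the IPsec tunnel) is the bottleneck, and the derived MSS is the value to clamp so that TCP never sends a DF-marked segment that exceeds it.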
Related KB Articles
Technical Tip: Disabling NP offloading in security... - Fortinet Community
Technical Tip: Setting TCP MSS value - Fortinet Community
RFC 4821 - Packetization Layer Path MTU Discovery (ietf.org)
Technical Tip: MTU override of IPsec VPN interface - Fortinet Community
Technical Tip: Global setting 'honor-df' explained - Fortinet Community