Description: This article describes the situation where there is a need to customize the DSCP configuration at FortiGate.
Scope:
Solution:
It is common to find that the IPsec tunnel is stable and routing and policies are correctly configured, yet traffic still does not reach the destination.
The encrypted packet counters are incrementing and, according to the sniffer, the packets are leaving the exit interface correctly, but the other side never receives them. The same issue is reported at the other end as well.
For TCP connections in particular, Wireshark shows many TCP SYN retransmissions, since the handshake is never completed because of this.
Custom DSCP/TOS marking applied by the source machine to the data packet may cause a marking mismatch on the receiver's end. To overcome this situation, it is worth applying the commands below in both the ingress and egress IPv4 policies at both ends of the tunnel.
In this case, it is also worth checking with the ISP what TOS configuration is in place on their end.
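To confirm the symptom described above from a sniffer capture, the following added example (not Fortinet's code, and not a substitute for the FortiGate policy commands, which are not reproduced here) decodes the TOS byte of raw IPv4 packets into DSCP/ECN and flags every packet whose marking differs from the value the far end is expected to accept. The sample packets and the `find_marking_mismatches` helper are constructed for this illustration.

```python
import struct

# Well-known DSCP code points: class selectors (RFC 2474), AF (RFC 2597), EF (RFC 3246)
DSCP_NAMES = {0: "CS0", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4", 40: "CS5",
              48: "CS6", 56: "CS7", 46: "EF",
              10: "AF11", 12: "AF12", 14: "AF13", 18: "AF21", 20: "AF22",
              22: "AF23", 26: "AF31", 28: "AF32", 30: "AF33", 34: "AF41",
              36: "AF42", 38: "AF43"}
ESP, TCP = 50, 6


def parse_ipv4_marking(pkt: bytes) -> dict:
    """Split the IPv4 TOS byte (offset 1) into DSCP (high 6 bits) and ECN (low 2 bits)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    tos = pkt[1]
    dscp = tos >> 2
    return {"tos": tos, "dscp": dscp, "dscp_name": DSCP_NAMES.get(dscp, "unassigned"),
            "ecn": tos & 0x3, "proto": pkt[9]}


def find_marking_mismatches(pkts, expected_dscp: int = 0):
    """Return (index, dscp_name, proto) for each packet whose DSCP is not the expected value.
    A hit on an ESP packet (protocol 50) means a custom marking survived encapsulation and is
    leaving the tunnel exit interface, which is the situation the article describes."""
    hits = []
    for i, pkt in enumerate(pkts):
        m = parse_ipv4_marking(pkt)
        if m["dscp"] != expected_dscp:
            hits.append((i, m["dscp_name"], "ESP" if m["proto"] == ESP else str(m["proto"])))
    return hits


def build_ipv4(tos: int, proto: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header (zero checksum, no payload) used as sample input."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


# Constructed sample: a default-marked ESP packet, an EF-marked (TOS 0xB8) ESP packet, and a
# CS3-marked (TOS 0x60) TCP segment as the source host would emit it before encapsulation.
SAMPLE = [build_ipv4(0x00, ESP), build_ipv4(0xB8, ESP), build_ipv4(0x60, TCP)]

if __name__ == "__main__":
    for idx, name, proto in find_marking_mismatches(SAMPLE, expected_dscp=0):
        print(f"packet {idx}: DSCP {name} on {proto} differs from expected CS0")
```

Feed it the raw IPv4 bytes exported from the sniffer on each end; if only one side reports a non-default DSCP on its ESP packets, the marking is being changed or rejected in transit.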
Copyright 2024 Fortinet, Inc. All Rights Reserved.