FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 211663
Description: This article describes a situation in which the DSCP configuration on the FortiGate needs to be customized.

It often happens that the IPsec tunnel is stable and routing and policies are configured correctly, yet traffic still cannot reach the destination.


The encrypted packet counters are incrementing and, according to the sniffer, the packet also leaves the egress interface correctly, but the remote side never receives it.

The same symptom is reported at the other end as well.


For TCP connections in particular, Wireshark shows many TCP SYN retransmissions, because the handshake never completes.


A custom DSCP/TOS marking set by the source machine in the data packet may result in a mismatched marking at the receiving end.

To overcome this, apply the following commands in both the ingress and egress IPv4 policies at both ends of the tunnel. The diffservcode values are six binary digits (the DSCP bits); 000000 is the default, best-effort code point. diffservcode-forward only takes effect when diffserv-forward is enabled, and diffservcode-rev only when diffserv-reverse is enabled, so both are enabled here:

# config firewall policy
    edit <id>
        set vlan-cos-fwd 0
        set diffserv-forward enable
        set diffservcode-forward 000000
        set diffserv-reverse enable
        set diffservcode-rev 000000
    next
end
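As an added illustration (not part of the original article and not FortiOS code), the following Python script decodes the TOS byte of a constructed IPv4 header the way a sniffer or Wireshark displays it, names the DSCP code point, and applies a FortiGate-style six-digit diffservcode such as 000000 to the packet while recomputing the IPv4 header checksum. The sample header, the helper names and the assumption that the policy rewrites only the six DSCP bits (leaving the ECN bits alone) are constructed for this example.

```python
import struct

# Well-known DSCP code points (RFC 2474, RFC 2597, RFC 3246), keyed by 6-bit value.
DSCP_NAMES = {0: "CS0 (best effort)", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4",
              40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}
for _cls in range(1, 5):                  # AF11 .. AF43 = class*8 + drop*2
    for _drop in range(1, 4):
        DSCP_NAMES[_cls * 8 + _drop * 2] = f"AF{_cls}{_drop}"

def split_tos(tos):
    """Split the IPv4 TOS byte into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    return tos >> 2, tos & 0x03

def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, f"unassigned DSCP {dscp}")

def fortigate_code_to_tos(code, ecn=0):
    """Turn a six-digit diffservcode string ('000000', '101110', ...) into the TOS
    byte a sniffer would display, leaving the packet's ECN bits untouched (assumption)."""
    if len(code) != 6 or set(code) - {"0", "1"}:
        raise ValueError("diffservcode must be exactly six binary digits")
    return (int(code, 2) << 2) | (ecn & 0x03)

def ipv4_checksum(header):
    """One's-complement checksum over the IPv4 header with the checksum field zeroed."""
    ihl = (header[0] & 0x0F) * 4
    h = bytearray(header[:ihl])
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack(f"!{ihl // 2}H", bytes(h)))
    while total >> 16:                    # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite_dscp(packet, code):
    """Copy of the packet with its DSCP replaced by the policy's diffservcode (what a
    policy with diffserv-forward/reverse enabled does), header checksum recomputed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    out = bytearray(packet)
    out[1] = fortigate_code_to_tos(code, split_tos(packet[1])[1])
    out[10:12] = struct.pack("!H", ipv4_checksum(out))
    return bytes(out)

def build_sample_header(tos):
    """Constructed 20-byte IPv4 header (TCP, 10.0.0.1 -> 10.0.1.1) for this example."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000, 64, 6, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr)
```

Calling `rewrite_dscp(build_sample_header(0xB8), "000000")` turns an EF-marked header (Wireshark shows tos 0xb8) into a best-effort one, which is what the policy above does to the traffic entering the tunnel.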

In the case of policy routing, this mismatch can also occur if the ISP assigns a different queue to each TOS value; depending on their configuration, the traffic is then allowed, denied, or placed in a low-priority queue.

In that case, check with the ISP what TOS configuration is in place on their end.