FortiGate
Stephen_G
Moderator
Article Id 245146
Description This article describes how to set up jumbo frames on an IPsec VPN interface in FortiGate, and how to verify that the jumbo path MTU is actually in effect.
Scope FortiGate.
Solution

Jumbo frames are used where certain applications (such as the Network File System (NFS)) benefit from a larger frame size for better throughput.

Note: ASIC-accelerated FortiGate interfaces (NP6, NP7 and SOC4/np6xlite) support MTU sizes up to 9216 bytes.

 

The MTU of an IPsec interface is bounded by its underlying physical interface (the parent interface). Trying to set a tunnel MTU larger than the parent's current MTU fails with the following error:

 

# config sys interface
(interface)# edit <vpn-intf>
(vpn)# set mtu-override enable
(vpn)# set mtu 9000
MTU size not valid. Should be in the range of 68 - 1500.
node_check_object fail! for mtu 9000
value parse error before '9000'
Command fail. Return code -2

 

However, once the MTU of the parent interface has been raised with mtu-override, the tunnel MTU can be raised as well:

 

# config sys interface
(interface)# edit <wan>
(wan)# set mtu-override enable
(wan)# set mtu 9000
(wan)# end

# config sys interface
(interface)# edit <vpn>
(vpn)# set mtu-override enable
(vpn)# set mtu 9000
(vpn)# end

Note: the tunnel MTU is the size of the inner (cleartext) packet. After encryption each packet gains an outer IP header and the ESP encapsulation (SPI and sequence number, IV, padding, ICV and, with NAT traversal, a UDP header), so a tunnel packet that fills all 9000 bytes is larger than the parent MTU and has to be fragmented before it can leave the parent interface. To keep every encrypted packet in a single frame, set the tunnel MTU below the parent MTU by at least that overhead; a tunnel MTU equal to the parent MTU, as above, only guarantees that packets somewhat smaller than 9000 bytes (such as the 8000-byte ping later in this article) go through intact.
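How much headroom the encapsulation needs depends on the proposal. The following Python module is an added example written for this article (it is not Fortinet code and not FortiOS's internal MTU calculation): it applies the ESP tunnel-mode packet layout from RFC 4303 to compute the largest inner packet that fits a given parent MTU, and how far a full-size tunnel packet overshoots the parent MTU when the tunnel MTU is simply set equal to it. The three proposals in PROFILES and their IV, alignment and ICV sizes are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict

# Fixed sizes from the ESP packet format (RFC 4303, tunnel mode over IPv4).
OUTER_IPV4_HDR = 20   # outer IP header added by tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
NAT_T_UDP_HDR = 8     # UDP/4500 header when NAT traversal is in use


@dataclass(frozen=True)
class EspProfile:
    """Per-algorithm sizes: IV carried in the packet, alignment required for
    payload + trailer, and length of the integrity check value (ICV)."""
    iv_len: int
    block_len: int
    icv_len: int


# Assumed, commonly deployed proposals (illustrative values, not a FortiOS table).
PROFILES: Dict[str, EspProfile] = {
    "aes-cbc/hmac-sha1-96":    EspProfile(iv_len=16, block_len=16, icv_len=12),
    "aes-cbc/hmac-sha256-128": EspProfile(iv_len=16, block_len=16, icv_len=16),
    "aes-gcm-128":             EspProfile(iv_len=8,  block_len=4,  icv_len=16),
}


def esp_packet_len(inner_len: int, profile: EspProfile, nat_t: bool = False) -> int:
    """Size on the wire of an ESP packet carrying an inner IP packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padding = (-body) % profile.block_len            # pad up to the cipher's alignment
    return (OUTER_IPV4_HDR + (NAT_T_UDP_HDR if nat_t else 0)
            + ESP_HDR + profile.iv_len + body + padding + profile.icv_len)


def max_inner_mtu(outer_mtu: int, profile: EspProfile, nat_t: bool = False) -> int:
    """Largest inner packet whose encrypted form still fits in outer_mtu bytes."""
    fixed = (OUTER_IPV4_HDR + ESP_HDR + profile.iv_len + ESP_TRAILER + profile.icv_len
             + (NAT_T_UDP_HDR if nat_t else 0))
    inner = outer_mtu - fixed
    while esp_packet_len(inner, profile, nat_t) > outer_mtu:
        inner -= 1                                   # give back bytes eaten by padding
    return inner


def tunnel_mtu_overshoot(parent_mtu: int, tunnel_mtu: int,
                         profile: EspProfile, nat_t: bool = False) -> int:
    """Bytes by which a full-size tunnel packet exceeds the parent MTU (0 = it fits)."""
    return max(0, esp_packet_len(tunnel_mtu, profile, nat_t) - parent_mtu)


if __name__ == "__main__":
    p = PROFILES["aes-cbc/hmac-sha1-96"]
    for parent in (1500, 9000):
        print(f"parent {parent}: max tunnel MTU {max_inner_mtu(parent, p)}, "
              f"overshoot if tunnel MTU = parent: {tunnel_mtu_overshoot(parent, parent, p)}")
```

With AES-CBC/HMAC-SHA1-96 a 1500-byte parent allows a 1438-byte inner packet (the value commonly seen on FortiGate tunnel interfaces), a 9000-byte parent allows 8942 bytes, and a 9000-byte tunnel packet lands on the wire at 9064 bytes, 64 bytes over the parent MTU.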

 

To view the interface MTU:

 

# fnsysctl ifconfig
<vpn-intf>
UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
RX packets:60 errors:0 dropped:0 overruns:0 frame:0
TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5462 (5.3 KB)  TX bytes:5354 (5.2 KB)

# diagnose netlink interface list | grep <vpn-intf>
if=<vpn-intf> family=00 type=768 index=22 mtu=9000 link=0 master=0

 

Jumbo frames have to be configured on the ingress and egress interfaces of every device along the end-to-end path, and all of those devices must agree on the maximum frame size. Where hops use different maximum sizes, oversized packets have to be fragmented (or, if the DF bit is set, are dropped), and a device that does not support jumbo frames at all drops any jumbo frame it receives.

 

FortiOS supports RFC 1191 (Path MTU Discovery for IPv4) and RFC 1981 (Path MTU Discovery for IPv6). PMTUD determines the smallest MTU on the path between two IP hosts so that the sender can size its packets to avoid IP fragmentation.

When a router has to forward an IPv4 datagram with the DF (Don't Fragment) bit set onto a link whose MTU is smaller than the packet, it drops the packet and returns an ICMP 'Destination Unreachable' message to the source with the code 'fragmentation needed and DF set' (type 3, code 4). The source lowers its path MTU estimate for that destination and retransmits with smaller packets.

A host that performs PMTUD sets the DF bit on its TCP packets (and, depending on the operating system, on UDP as well), so that such ICMP messages reach it instead of the packets being fragmented in transit. This only works if those ICMP type 3 code 4 messages are allowed through: a firewall policy that drops all ICMP creates a PMTUD black hole in which large DF packets vanish silently and connections hang once they start sending full-size segments.

PMTUD is performed continuously rather than once, because the path between sender and receiver can change.

 

# config sys global
(global)# set pmtu-discovery enable
(global)# set send-pmtu-icmp enable
(global)# end

- pmtu-discovery enable/disable: enable or disable path MTU discovery.
- send-pmtu-icmp enable/disable: enable or disable sending of the PMTU ICMP 'Destination Unreachable' (type 3, code 4) packet when the FortiGate has to drop an oversized packet with the DF bit set.

 

See the following article for more information: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-path-MTU-discovery/ta-p/202217.

 

To view the PMTU of the VPN tunnel, list the routing cache entries:

# diagnose ip rtcache list
......
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=04000200
192.168.10.2@8(lan3)->192.168.20.1@19(VPN) gwy=10.10.20.2 prefsrc=192.168.10.1
ci: ref=1 lastused=0 expire=0 err=00000000 used=0 br=0 pmtu=9000
...
family=02 tab=254 vrf=0 vf=0 type=01 tos=0 flag=00000200
192.168.20.1@19(VPN)->192.168.10.2@8(lan3) gwy=0.0.0.0 prefsrc=172.16.16.100
ci: ref=1 lastused=0 expire=0 err=00000000 used=0 br=0 pmtu=9000
......

 

After the MTU has been raised to support jumbo frames on every interface along the path, packets larger than 1500 bytes go through. In the following test from a Windows host, -f sets the DF bit and -l sets the ICMP payload size in bytes:

 

# ping 192.168.20.1 -f -l 8000
Pinging 192.168.20.1 with 8000 bytes of data:
Reply from 192.168.20.1: bytes=8000 time=1ms TTL=254
Reply from 192.168.20.1: bytes=8000 time=1ms TTL=254
Reply from 192.168.20.1: bytes=8000 time=1ms TTL=254
Reply from 192.168.20.1: bytes=8000 time=1ms TTL=254

# diagnose sniffer packet any 'src 192.168.10.2 and dst 192.168.20.1 and icmp' 4
interfaces=[any]
filters=[src 192.168.10.2 and dst 192.168.20.1 and icmp]
0.319335 lan3 in 192.168.10.2 -> 192.168.20.1: icmp: echo request
0.319367 VPN out 192.168.10.2 -> 192.168.20.1: icmp: echo request
1.342267 lan3 in 192.168.10.2 -> 192.168.20.1: icmp: echo request
1.342292 VPN out 192.168.10.2 -> 192.168.20.1: icmp: echo request
2.366502 lan3 in 192.168.10.2 -> 192.168.20.1: icmp: echo request
2.366534 VPN out 192.168.10.2 -> 192.168.20.1: icmp: echo request
3.387329 lan3 in 192.168.10.2 -> 192.168.20.1: icmp: echo request
3.387356 VPN out 192.168.10.2 -> 192.168.20.1: icmp: echo request

The sniffer confirms that each echo request enters on lan3 and is forwarded out through the VPN interface.

 

Since the PMTU shown is 9000, IP packets of up to 9000 bytes cross the tunnel without fragmentation. With 28 bytes of IPv4 and ICMP headers, that is an ICMP payload of at most 8972 bytes; a larger payload with the DF bit set is rejected:

# ping 192.168.20.1 -f -l 9050
Pinging 192.168.20.1 with 9050 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
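The manual probes above (-f for DF, -l for the payload size) can be automated. The following Python script is an added example (not from the article and not Fortinet's code): it binary-searches the largest DF-set echo that still gets a reply and reports the resulting path MTU, which is the ICMP payload plus 28 bytes of IPv4 and ICMP headers. The linux_ping_probe helper assumes a Linux iputils ping in PATH and that ICMP is permitted along the path; simulated_path is an offline stand-in so the search can be exercised without a network, and the 1200 to 9216 search range is an assumption.

```python
import subprocess
from typing import Callable

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def linux_ping_probe(host: str, payload: int, timeout: int = 1) -> bool:
    """Send one DF-set ICMP echo carrying `payload` data bytes.

    Uses Linux iputils ping: -M do sets DF, -s sets the payload size.
    Returns True only if a reply came back (exit status 0).
    """
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 1200, hi: int = 9216) -> int:
    """Binary-search the largest IP packet that crosses the path unfragmented.

    `probe(payload)` returns True when a DF-set echo of that payload size is
    answered. Payload sizes between lo-28 and hi-28 are searched; the result
    is the path MTU (payload + 28), or 0 if even `lo` does not get through.
    """
    lo_payload, hi_payload = lo - IP_ICMP_HEADERS, hi - IP_ICMP_HEADERS
    if not probe(lo_payload):
        return 0
    # Invariant: lo_payload is known to pass; the answer lies in [lo_payload, hi_payload].
    while lo_payload < hi_payload:
        mid = (lo_payload + hi_payload + 1) // 2
        if probe(mid):
            lo_payload = mid
        else:
            hi_payload = mid - 1
    return lo_payload + IP_ICMP_HEADERS


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for a network path: DF packets larger than path_mtu are 'dropped'."""
    return lambda payload: payload + IP_ICMP_HEADERS <= path_mtu


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(f"path MTU to {host}: {find_path_mtu(lambda n: linux_ping_probe(host, n))}")
    else:
        print("simulated 9000-byte path ->", find_path_mtu(simulated_path(9000)))
        print("simulated 1500-byte path ->", find_path_mtu(simulated_path(1500)))
```

Run it with a host argument (for example, saved as pmtu_probe.py, `python3 pmtu_probe.py 192.168.20.1`) to probe a real path, or with no arguments for the simulated runs. On Windows the equivalent manual probe is `ping -f -l <size>`; on the FortiGate itself, `execute ping-options df-bit yes` and `execute ping-options data-size <size>` before `execute ping <host>` send the same kind of DF-set probe.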

 

Note: jumbo frames must also be enabled on the network adapter of the end hosts; otherwise the host's own stack limits its packets to the adapter's default 1500-byte MTU regardless of what the path supports.

 


 

Similarly, virtual interfaces such as VLAN interfaces also inherit their MTU size from their parent interface.

 

Read more about MTU size in the following document:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/596096/interface-mtu-packet-...

 

Note: Do not confuse the frame MTU with the IP MTU. The former refers to the Ethernet frame size and the latter refers to the IP packet size.

- When adjusting the MTU setting on a switch, it usually affects the frame size.

- When adjusting the MTU setting on a router or on any other Layer 3 device, it usually affects the IP packet size.

 

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPN-tunnel-errors-wi...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-GRE-tunnel-with-PMTU-Path-MTU/ta...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Tunnel-interface-MTU-value/ta-p/198748

 

The content in this article was written by Bijay Prakash Ghising.