FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198748


This article adds details to tunnel Interface MTU value on IPSEC tunnels. 
Customers might notice tunnel interface MTU value being different on both ends or different tunnel interface. 


Lab_1_FW # diagnose vpn tunnel list name Tunnel_1
SA: ref=3 options=18227 type=00 soft=0 mtu=1280 expire=2129/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0                                         <----- No traffic flow.
Lab_1_FW # diagnose vpn tunnel list name Tunnel_2
SA: ref=6 options=18227 type=00 soft=0 mtu=1438 expire=4345/0B replaywin=2048
seqno=2402a esn=0 replaywin_lastseq=00029a80 itn=0 qat=0 hash_search_len=1
dec:pkts/bytes=170624/102382930, enc:pkts/bytes=147499/26378994                <----- Traffic flow.
It is expected to see the Tunnel SA MTU as 1280 when there is no traffic flow. 
Once traffic starts flowing through the tunnel, SA MTU will be calculated automatically using various methods.
The SA MTU will be updated after the first packet traverse the tunnel.
Also, the crypto algorithms will influence the ESP header/trailer size, thereby influencing the SA MTU.