Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
imathew
Staff
Staff

Created on ‎10-26-2021 05:07 AM Edited on ‎12-15-2021 06:52 AM By Anonymous

Article Id 198748

Technical Tip: Tunnel interface MTU value

Description

This article adds details to tunnel Interface MTU value on IPSEC tunnels. 
 
Customers might notice tunnel interface MTU value being different on both ends or different tunnel interface. 


Solution

Lab_1_FW # diagnose vpn tunnel list name Tunnel_1
 
SA: ref=3 options=18227 type=00 soft=0 mtu=1280 expire=2129/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
 
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0                                         <----- No traffic flow.
 
Lab_1_FW # diagnose vpn tunnel list name Tunnel_2
SA: ref=6 options=18227 type=00 soft=0 mtu=1438 expire=4345/0B replaywin=2048
seqno=2402a esn=0 replaywin_lastseq=00029a80 itn=0 qat=0 hash_search_len=1
 
dec:pkts/bytes=170624/102382930, enc:pkts/bytes=147499/26378994                <----- Traffic flow.
 
It is expected to see the Tunnel SA MTU as 1280 when there is no traffic flow. 
Once traffic starts flowing through the tunnel, SA MTU will be calculated automatically using various methods.
 
The SA MTU will be updated after the first packet traverse the tunnel.
 
Also, the crypto algorithms will influence the ESP header/trailer size, thereby influencing the SA MTU.
Labels:
12698
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.