Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Biraman
Staff
Staff

Created on ‎08-13-2023 12:20 AM Edited on ‎05-11-2025 03:00 PM By Moderator

Article Id 268521

Technical Tip: Websites may not load after FortiOS firmware upgrade to v7.0.0+, v7.2.0+ or v7.4.0+

Description

This article describes issues that may arise after a firmware upgrade from 6.4.x to 7.0.x,7.2.x, or 7.4.x if the users are accessing public websites over IPsec VPN and a firewall policy is set to flow-based inspection mode with a UTM profile applied to it.

 

Following is an example of a Topology that may encounter the issue:

User ----Local FortiGate =========Site-to-Site IPSec============Remote FortiGate (Inspecting Traffic) ---------Internet------Webserver


The packet captures on the WAN side show FortiGate dropping Server Hello packets received from a web server and responding with ICMP control packets with the error code ‘Fragmentation needed’.  If there is no UTM profiles set on the firewall policy, the same Server hello packets will pass through.

Biraman_0-1691782391767.png

 

MTU settings on all involved interfaces are kept default and in this case, the MTU of the IPSec tunnel interface is 1420 bytes.
Scope

FortiOS 7.0.x, 7.2.x ,7.4.x Flow-based inspection for traffic transiting from IPSec Tunnel to WAN interface.
Solution

Following are the workarounds that can be used:

 

  1. Change the Firewall inspection mode from Flow based to Proxy-based.  This will resolve the issue as FortiGate will Handle TLS negotiation in 2 separate sessions:


config firewall policy
    edit <Policy ID>
        set inspection-mode proxy
   next
end

 

  1. Manually increase the MTU of the IPSec tunnel to 1438 to avoid dropping packets due to Fragmentation:

 

config system interface
    edit <name of IPSec Tunnel>
        set mtu-override enable
        set mtu 1438
    end

 

 

 

  1. Reduce the TCP MSS size at the Policy level so that the web server sends the Server hello with a smaller size.

 

config firewall policy
    edit <Policy ID>
        set tcp-mss-sender 1380
        set tcp-mss-receiver 1380
    next
end

 
2753
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.