FortiGate
Stephen_G
Moderator
Article Id 417951
Description This article describes why the debug log shows a 'fragmentation required but not allowed (MTU 1422, packet size 1485)' error, resulting in the packet being dropped.
Scope FortiGate v7.4.6.
Solution

In this scenario, the traffic from the Access Point (AP) deployed at the branch must pass through the FortiGate device and be forwarded over the IPsec tunnel to the hub, where it is managed by the Wireless LAN Controller (WLC). The IPsec tunnel serves as the backbone link between the branch AP and the hub WLC.


In this setup, when a user attempts to connect to the wireless SSID configured with SAML authentication, the authentication process fails. Consequently, the user cannot complete the login, does not receive an IP address from the Access Point (AP), and fails to connect to the SSID.


Reviewing the debug flow output for the IPsec traffic shows that the packet destined for the Wireless LAN Controller (WLC) is dropped because it exceeds the tunnel MTU.


Filter on the WLC address (192.168.6.6), start the trace and enable debug output:

diagnose debug flow filter addr 192.168.6.6
diagnose debug flow trace start 1000
diagnose debug enable


id=65308 trace_id=3128 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=17, 192.168.7.7:5276->192.168.6.6:5246) tun_id=0.0.0.0 from x1. "
id=65308 trace_id=3128 func=resolve_ip_tuple_fast line=5974 msg="Find an existing session, id-01e9f8a2, original direction"
id=65308 trace_id=3128 func=npu_handle_session44 line=1224 msg="Trying to offloading session from x1 to HUB-VPN, skb.npu_flag=00000400 ses.state=04010204 ses.npu_state=0x09003c08"
id=65308 trace_id=3128 func=fw_forward_dirty_handler line=443 msg="state=04010204, state2=00014005, npu_state=09003c08"
id=65308 trace_id=3128 func=ip_session_core_in line=6591 msg="dir-0, tun_id=10.0.0.1"
id=65308 trace_id=3128 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface HUB-VPN, tun_id=10.0.0.1"
id=65308 trace_id=3128 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel HUB-VPN, tun_id=10.0.0.1, vrf 0"
id=65308 trace_id=3128 func=ipsec_common_output4 line=889 msg="fragmentation required but not allowed (mtu 1422, size 1485),drop"


The logs indicated that the packet with a size of 1485 bytes exceeded the tunnel MTU of 1422 bytes, resulting in the 'fragmentation required but not allowed (mtu 1422, size 1485), drop' message.


FortiGate, by default, uses the post-encapsulation fragmentation method for IPsec VPN traffic. In this mode, the firewall encrypts and encapsulates the original packet before any fragmentation decision is made. The packet is then sent to the data layer for transmission and fragmentation. 


In this process, FortiGate compares the size of the encrypted packet against the MTU of the parent interface (typically the WAN interface) and does not reference the tunnel MTU for this comparison. If fragmentation is required and allowed, FortiGate fragments the encrypted ESP packet into multiple packets.


config vpn ipsec phase1-interface
    edit <VHUB-VPN>
        set ip-fragmentation post-encapsulation
    next
end


See Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained.


In this mode, fragmentation of encrypted packets can have significant adverse effects on IPsec. The most critical impact is that all encrypted fragments must be collected before the entire packet can be reassembled. This process adds latency and requires buffer memory to store the fragments prior to processing. Once received, the fragments must be reassembled in the correct order for successful decryption.


Additionally, fragmented IPsec can easily break anti-replay mechanisms. Fragments received outside the anti-replay window are discarded, rendering the packet flow invalid and forcing the originator to retransmit. If fragments continue to arrive outside the anti-replay window, communication fails, and traffic is dropped. Therefore, if fragmentation is expected with IPsec tunnels, it is recommended to disable anti-replay.


To avoid these issues, it is preferable for fragmentation to occur before encryption. FortiGate supports this method, ensuring that the original packet is fragmented as needed while keeping the final encrypted packet (including all ESP header overhead) within acceptable size limits. This calculation is performed in real time during packet processing.


With pre-encapsulation fragmentation, FortiGate checks the original packet size against the tunnel MTU and fragments the packet before encryption, encapsulating each fragment separately. This makes the fragments indistinguishable from other encrypted traffic, preventing intermediate routers from dropping them. In contrast, post-encapsulation fragmentation occurs after encryption, where the encrypted packet is compared to the parent interface MTU and fragmented if necessary.


The benefits of pre-encapsulation:

  • The original packet is fragmented according to path MTU.
  • Encrypted packet size stays within MTU limits.
  • Avoids anti-replay and latency problems caused by post-encryption fragmentation.

config vpn ipsec phase1-interface
    edit <VHUB-VPN>
        set ip-fragmentation pre-encapsulation
    next
end
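To make the two decision paths concrete, the following added example (not Fortinet's code and not part of this article) parses the drop line out of a `diagnose debug flow` trace and then models both fragmentation modes for the values it reports. The tunnel MTU (1422) and packet size (1485) come from the trace above; the parent interface MTU of 1500, the ESP overhead derived as parent MTU minus tunnel MTU (78 bytes), the treatment of a set DF bit as "fragmentation not allowed", and all function names are assumptions made for illustration. Real overhead depends on the tunnel's proposal and the interface MTU.

```python
"""Added example (not Fortinet's code): parse the IPsec MTU drop from a FortiGate
debug flow trace and model the pre- vs post-encapsulation fragmentation decision.
Parent MTU, ESP overhead and DF handling are illustrative assumptions."""
import re

# Constructed sample trace in the shape of the article's output; only the last
# line carries the MTU and size values the model needs.
SAMPLE_TRACE = """\
id=65308 trace_id=3128 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface HUB-VPN, tun_id=10.0.0.1"
id=65308 trace_id=3128 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel HUB-VPN, tun_id=10.0.0.1, vrf 0"
id=65308 trace_id=3128 func=ipsec_common_output4 line=889 msg="fragmentation required but not allowed (mtu 1422, size 1485),drop"
"""

# Matches the drop message and captures the MTU and packet size it reports.
DROP_RE = re.compile(
    r'trace_id=(?P<trace>\d+) .*?'
    r'msg="fragmentation required but not allowed \(mtu (?P<mtu>\d+), size (?P<size>\d+)\),drop"'
)


def find_mtu_drops(trace: str) -> list[dict]:
    """Return one record per 'fragmentation required but not allowed' drop in the trace."""
    drops = []
    for line in trace.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append({"trace_id": int(m["trace"]), "mtu": int(m["mtu"]), "size": int(m["size"])})
    return drops


IP_HDR = 20  # IPv4 header without options


def fragment(total_len: int, mtu: int) -> list[int]:
    """Split an IPv4 datagram of total_len bytes into fragment sizes that fit mtu.
    Every fragment except the last carries a multiple of 8 data bytes (RFC 791)."""
    if total_len <= mtu:
        return [total_len]
    max_data = (mtu - IP_HDR) // 8 * 8
    remaining = total_len - IP_HDR
    sizes = []
    while remaining > 0:
        data = min(max_data, remaining)
        sizes.append(IP_HDR + data)
        remaining -= data
    return sizes


def post_encapsulation(packet_len: int, parent_mtu: int, esp_overhead: int, df: bool) -> tuple[str, list[int]]:
    """Post-encapsulation: encrypt first, then compare the ESP packet with the parent MTU.
    Assumption in this model: a set DF bit makes fragmentation 'not allowed'."""
    encrypted = packet_len + esp_overhead
    if encrypted <= parent_mtu:
        return "sent", [encrypted]
    if df:
        return "drop", []  # the case in the trace: fragmentation required but not allowed
    return "fragmented-after-encryption", fragment(encrypted, parent_mtu)


def pre_encapsulation(packet_len: int, tunnel_mtu: int, esp_overhead: int) -> tuple[str, list[int]]:
    """Pre-encapsulation: compare the clear-text packet with the tunnel MTU, fragment it
    first, then encapsulate each fragment separately. Returns the encrypted sizes."""
    pieces = fragment(packet_len, tunnel_mtu)
    state = "sent" if len(pieces) == 1 else "fragmented-before-encryption"
    return state, [p + esp_overhead for p in pieces]


def compare_modes(packet_len: int, tunnel_mtu: int, parent_mtu: int, df: bool = True) -> dict:
    """Run both modes for one packet. Assumes tunnel MTU = parent MTU - ESP overhead."""
    esp_overhead = parent_mtu - tunnel_mtu  # 1500 - 1422 = 78 for the article's values
    post = post_encapsulation(packet_len, parent_mtu, esp_overhead, df)
    pre = pre_encapsulation(packet_len, tunnel_mtu, esp_overhead)
    return {
        "post-encapsulation": post,
        "pre-encapsulation": pre,
        # every pre-encapsulation fragment, once encrypted, must still fit the parent interface
        "pre_fits_parent_mtu": all(s <= parent_mtu for s in pre[1]),
    }


if __name__ == "__main__":
    for drop in find_mtu_drops(SAMPLE_TRACE):
        print(drop)
        print(compare_modes(drop["size"], drop["mtu"], parent_mtu=1500))
```

For the trace values, post-encapsulation produces an encrypted packet of 1563 bytes, which exceeds the assumed 1500-byte parent MTU and is dropped when fragmentation is not allowed; pre-encapsulation fragments the 1485-byte clear-text packet against the 1422-byte tunnel MTU into 1420 and 85 bytes, and each encrypted fragment (1498 and 163 bytes) then fits the parent interface without any post-encryption fragmentation.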


Lastly, take into account the following hardware acceleration and fragmentation considerations:


  • NP6: NP6-powered systems do not support fragment reassembly on ingress. This is true for all traffic, including IPsec. Any fragmented packets received on an ingress interface are sent to the CPU for processing, which can have an adverse effect on performance. Fragmentation on egress is supported towards both the encrypted and the clear-text side.
  • NP7: NP7-powered systems support fragment reassembly on ingress, so reassembly is hardware accelerated.

See IPsec and packet fragmentation - FortiGate documentation.

Note: Even if the TCP MSS values are changed in the firewall policy, the actual MTU that the source uses still depends on whether the IPsec tunnel uses pre-encapsulation or post-encapsulation fragmentation.


Related article:

Technical Tip: Phase-1 ip-fragmentation post and pre-encapsulation settings and their relation to fi...