Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dongfang_Li_FTNT
Staff
Staff

Created on ‎12-29-2023 08:36 AM

Article Id 291563

Troubleshooting Tip: How to change the MTU to fix an ESP fragmentation Issue

Description This article describes how to fix an ESP fragmentation issue by changing the METU size.
Scope All supported versions of FortiOS.
Solution

When traffic is sent to the IPSec tunnel from the local FortiGate and it is not received by the remote FortiGate, it is possible to run sniffer in the remote FortiGate to check the ESP packet to see if there is an error or drop in the ESP packet.


diag sniffer packet any 'host 192.168.10.10 and proto 50' 4

 

Where 192.168.10.10 is the FortiGate initiates traffic.  

 

If there is ESP fragmentation, for example:


9074041-5.png
Original direction traffic has fragmentation, but reply traffic is fine.

 

The user can reduce the MTU in the IPsec VPN tunnel interface in the source FortiGate 192.168.10.10:


config system interface

edit <tunnel interface>

set mtu-override enable

set mtu <integer>

next

end
Labels:
537
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.