FortiGate
Dongfang_Li_FTNT
Article Id 291563
Description: This article describes how to fix an ESP fragmentation issue by changing the MTU size.
Scope: FortiGate.
Solution

When traffic sent into the IPsec tunnel from the local FortiGate is not received by the remote FortiGate, run a sniffer on the remote FortiGate to capture the ESP packets and check whether they arrive with errors or are dropped:


diagnose sniffer packet any 'host 192.168.10.10 and proto 50' 4


Where 192.168.10.10 is the FortiGate that initiates traffic.  


If there is ESP fragmentation, for example:


[Image: sniffer output showing fragmented ESP packets in the original direction]
Traffic in the original direction is fragmented, while the reply traffic is not.


The user can reduce the MTU in the IPsec VPN tunnel interface in the source FortiGate 192.168.10.10:


config system interface

    edit <tunnel interface>

        set mtu-override enable

        set mtu <integer>

    next

end


To fine-tune the MTU and use the largest value that still passes, a tool that measures the maximum path MTU can be used, for example the one described in this document: mturoute.exe - Debug the MTU values between you and a host.

The IPsec (ESP) encapsulation overhead must then be subtracted from the maximum path MTU measured to obtain the value to configure on the tunnel interface.
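As an added example, not taken from this article or from FortiOS, the script below estimates the ESP tunnel-mode overhead for a given cipher and authentication algorithm and derives the largest tunnel-interface MTU whose encrypted packet still fits the measured path MTU. The cipher and auth names, the header sizes (taken from the RFC 4303/4106 ESP layout) and the 1500-byte path MTU scenario are assumptions, not FortiOS identifiers.

```python
# Added example (not from the Fortinet article): estimate ESP tunnel-mode
# overhead and derive the largest tunnel-interface MTU that keeps the
# encrypted packet within the path MTU found with a tool such as mturoute.
# Cipher/auth names and sizes are assumptions based on RFC 4303/4106.

OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode
NAT_T_UDP = 8     # extra UDP header when NAT traversal (UDP 4500) is in use
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# iv: explicit IV bytes; block: alignment of the encrypted payload;
# icv: fixed ICV for AEAD ciphers, None means it comes from the auth algorithm
CIPHERS = {
    "aes128-cbc": {"iv": 16, "block": 16, "icv": None},
    "aes256-cbc": {"iv": 16, "block": 16, "icv": None},
    "3des-cbc":   {"iv": 8,  "block": 8,  "icv": None},
    "aes128-gcm": {"iv": 8,  "block": 4,  "icv": 16},
    "aes256-gcm": {"iv": 8,  "block": 4,  "icv": 16},
}
AUTH_ICV = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}


def esp_packet_size(inner_len, cipher, auth=None, nat_t=False):
    """Wire size of an ESP tunnel-mode packet carrying an inner IP packet
    of inner_len bytes (inner_len is what 'set mtu' on the tunnel limits)."""
    spec = CIPHERS[cipher]
    icv = spec["icv"] if spec["icv"] is not None else AUTH_ICV[auth]
    # inner packet + trailer must be a multiple of the cipher block/alignment
    pad = (-(inner_len + ESP_TRAILER)) % spec["block"]
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HDR + spec["iv"]
            + inner_len + pad + ESP_TRAILER + icv)


def max_inner_mtu(path_mtu, cipher, auth=None, nat_t=False):
    """Largest tunnel-interface MTU whose ESP packet never exceeds path_mtu.
    Padding grows step-wise, so a downward search gives the exact answer."""
    for inner_len in range(path_mtu, 0, -1):
        if esp_packet_size(inner_len, cipher, auth, nat_t) <= path_mtu:
            return inner_len
    raise ValueError("path MTU too small for any payload")


if __name__ == "__main__":
    # Constructed scenario: measured path MTU 1500, AES-256-CBC / SHA-256
    print(max_inner_mtu(1500, "aes256-cbc", "sha256"))     # 1438
    print(max_inner_mtu(1500, "aes128-gcm", nat_t=True))   # 1438
```

The returned value is the number to use with `set mtu` on the tunnel interface; rerun it whenever the proposal or the NAT-T state of the tunnel changes.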