pdhillon
Staff
Article Id 396854
Description: This article describes the issue that occurs when a tunnel is created on an NPU interface: it inherits the MTU setting from the parent interface, which can cause problems in certain environments.
Scope: FortiGate
Solution:

In the example below, the tunnel is created on the Vlan_10 interface, which has an MTU value of 16090. Because Vlan_10 sits on the NPU interface npu0_vlink1, an IPsec tunnel created on that VLAN interface inherits the 16090 MTU from the NPU interface.

Interface Vlan_10 is created on the NPU interface:

FortiGate # show system interface
config system interface
    edit "Vlan_10"
        set vdom "Test"
        set ip 1.1.1.1 255.255.255.252
        set allowaccess ping
        set device-identification enable
        set snmp-index 55
        set interface "npu0_vlink1"
        set vlanid 10
    next
end

MTU of Vlan_10 (shown as VLAN_10 by fnsysctl):

FortiGate# fnsysctl ifconfig VLAN_10
VLAN_10 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx
inet addr: 1.1.1.1 Bcast: 1.1.1.2 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:16090 Metric:1
RX packets:1964 errors:0 dropped:0 overruns:0 frame:0
TX packets:2555 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1201385 (1.1 MB) TX bytes:833542 (814.0 KB)

Tunnel config:

FortiGate # config vpn ipsec phase1-interface
    edit "Tunnel"
        set interface "VLAN_10"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha512
        set dhgrp 14
        set remote-gw 10.9.10.5
    next
end

FortiGate # diagnose vpn tunnel list name 'Tunnel'

list ipsec tunnel by names in vd 1
------------------------------------------------------
name=Tunnel ver=2 serial=1 1.1.1.1:4500->10.9.10.5:4500 nexthop=1.1.1.2 tun_id=10.9.10.5 tun_id6=::10.9.10.5 status=up dst_mtu=16090 weight=1
bound_if=63 real_if=63 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=6 ilast=6 olast=6 ad=/0
stat: rxp=943 txp=4987 rxb=1270484 txb=70860
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=0 interval=10 remote_port=4500
fec: egress=0 ingress=0
proxyid=Test proto=0 sa=1 ref=3 serial=1
src: 0:172.19.0.0-172.19.0.255:0
dst: 0:172.20.0.0-172.20.0.255:0
SA: ref=6 options=10226 type=00 soft=0 mtu=15998 expire=27274/0B replaywin=2048   >>>> MTU (derived from the parent interface's 16090)
seqno=e8e esn=0 replaywin_lastseq=00000299 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=28497/28800
dec: spi=aaaaaa esp=aes key=32 49127d12d410f80e15e72337946fc5f23099a8072f28044c3434ecda5c89860a
ah=sha512 key=64 17a4182eef2b825b7cfd935f33caa9af2b191c1ea06cb79fc2db0fed3108da9dc134742ef6f49667fb57e601903314388ae822c3b77293fe41dfa71dd2fcb65a
enc: spi=bbbbbb esp=aes key=32 fbe0224538b2b4d418da6b221f7cf8006e7c7b50274e22d5c51eadb226bf2d91
ah=sha512 key=64 2a6c8ea7fe807829cf0187fe40b9ca930cf68cd376fc12e0324d187d21c277fac156c88721e409310f49ac676344a6fba38c3772cb57c4efd9be1adb7f1c4fcb
dec:pkts/bytes=3/156, enc:pkts/bytes=394/101672
npu_flag=03 npu_rgwy=10.9.10.5 npu_lgwy=1.1.1.2 npu_selid=0 dec_npuid=1 enc_npuid=1 npu_isaidx=3 npu_osaidx=1

Note:

The 'fnsysctl ifconfig Tunnel' command below displays a different MTU value, one that is not inherited from the parent interface. That value only affects traffic originated by the FortiGate itself; the MTU shown by 'diagnose vpn tunnel list' is the one that applies to traffic flowing through the FortiGate over the tunnel.

FortiGate # fnsysctl ifconfig Tunnel
Tunnel Link encap:Unknown
inet addr:172.20.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1420 Metric:1
RX packets:79328431 errors:75 dropped:0 overruns:0 frame:0
TX packets:220884114 errors:596 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4717108291 (4.4 GB) TX bytes:141188768890 (131.5 GB)

To resolve the issue, the only option is to manually correct the MTU on the parent interface, VLAN_10 in this case. First determine the correct MTU for the underlying path (see the ping procedure referenced at the end of this article), then set that value on the parent interface:

FortiGate # config system interface
    edit "VLAN_10"
        set mtu 1500
    next
end

Tunnel MTU adjusted after making changes on the parent interface:

FortiGate # diagnose vpn tunnel list name 'Tunnel'
list ipsec tunnel by names in vd 1
------------------------------------------------------
name=Tunnel ver=2 serial=1 1.1.1.1:4500->10.9.10.5:4500 nexthop=10.42.200.1 tun_id=10.9.10.5 tun_id6=::10.9.10.5 status=up dst_mtu=1500 weight=1
bound_if=63 real_if=63 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=6 ilast=6 olast=6 ad=/0
stat: rxp=943 txp=4987 rxb=1270484 txb=70860
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=0 interval=10 remote_port=4500
fec: egress=0 ingress=0
proxyid=EXT-VPN-FRP-HAL-P2 proto=0 sa=1 ref=3 serial=1
src: 0:172.19.0.0-172.19.0.255:0
dst: 0:172.20.0.0-172.20.0.255:0
SA: ref=6 options=10226 type=00 soft=0 mtu=1406 expire=27274/0B replaywin=2048   >>>> MTU (now derived from the corrected 1500)

The following KB article describes how to determine the path MTU using ping with specific data sizes:
Technical Tip: How to use ping with data-size
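As an added check that is not part of this article or of FortiOS, the script below parses the 'dst_mtu' and SA 'mtu' fields out of 'diagnose vpn tunnel list' output, flags a tunnel whose dst_mtu exceeds the real path MTU (the inherited-jumbo case above), and models the SA MTU with the standard ESP overhead arithmetic. It assumes the tunnel parameters shown on this page (NAT-T on UDP 4500, aes256 with a 16-byte IV and block, sha512 with a 32-byte truncated ICV); with those assumptions it reproduces both values from the page, 15998 for a 16090 parent and 1406 for a 1500 parent. The sample lines are constructed from the page's two outputs.

```python
import re

# Constructed samples: the relevant lines from the two 'diagnose vpn tunnel list'
# outputs on this page, before and after the parent-interface MTU was corrected.
BEFORE = """name=Tunnel ver=2 serial=1 1.1.1.1:4500->10.9.10.5:4500 nexthop=1.1.1.2 status=up dst_mtu=16090 weight=1
SA: ref=6 options=10226 type=00 soft=0 mtu=15998 expire=27274/0B replaywin=2048"""
AFTER = """name=Tunnel ver=2 serial=1 1.1.1.1:4500->10.9.10.5:4500 nexthop=10.42.200.1 status=up dst_mtu=1500 weight=1
SA: ref=6 options=10226 type=00 soft=0 mtu=1406 expire=27274/0B replaywin=2048"""

IP_HDR, UDP_HDR, ESP_HDR, ESP_TRAILER = 20, 8, 8, 2   # outer IPv4, NAT-T UDP, SPI+seq, padlen+nexthdr

def esp_mtu(parent_mtu, natt=True, block=16, iv=16, icv=32):
    """Largest inner packet that still fits in parent_mtu after ESP encapsulation.
    Defaults model this page's proposal (aes256: 16-byte block and IV; sha512: 32-byte
    truncated ICV) over NAT-T on UDP 4500. Assumed model, not a FortiOS API."""
    fixed = IP_HDR + (UDP_HDR if natt else 0) + ESP_HDR + iv + icv
    padded = (parent_mtu - fixed) // block * block   # payload + trailer must be block-aligned
    return padded - ESP_TRAILER

def parse_tunnel(text):
    """Extract (dst_mtu, sa_mtu) from 'diagnose vpn tunnel list' output."""
    dst = re.search(r"\bdst_mtu=(\d+)", text)
    sa = re.search(r"^SA: .*\bmtu=(\d+)", text, re.M)
    if not (dst and sa):
        raise ValueError("no dst_mtu / SA mtu found in output")
    return int(dst.group(1)), int(sa.group(1))

def audit(text, path_mtu=1500):
    """Report whether the tunnel inherited a jumbo MTU from the NPU vlink and what the
    SA MTU should become once the parent interface is set to path_mtu."""
    dst_mtu, sa_mtu = parse_tunnel(text)
    return {
        "dst_mtu": dst_mtu,
        "sa_mtu": sa_mtu,
        "overhead": dst_mtu - sa_mtu,                 # bytes consumed by ESP/NAT-T encapsulation
        "inherited_jumbo": dst_mtu > path_mtu,        # tunnel packets larger than the path can carry
        "model_matches": esp_mtu(dst_mtu) == sa_mtu,  # sanity check of the overhead model
        "expected_sa_mtu_after_fix": esp_mtu(path_mtu),
    }

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```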