Description | This article describes how to solve a problem related to the SAP application where the 'TCP reset from client' message appears.
Scope | FortiGate. |
Solution |
This issue is caused by a mismatch between TCP MSS values. If packets are larger than the path can carry and fragmentation is not allowed because the DF (do not fragment) bit is set, the packets may be discarded.
Below is an example of a log that is displayed in the traffic logs:
This problem causes connections to the destination to drop intermittently, and at those times the traffic logs show the message 'TCP reset from client'.
To fix this, the TCP MSS setting can be adjusted via a firewall policy, or via the tunnel interface or physical interface associated with the internet link.
Below is an example of how to perform this via the policy, by decreasing the MSS value in the sender and receiver directions of the policy, in this case to 1300.
config firewall policy
    edit <policy id>
        set tcp-mss-sender <mss value>
        set tcp-mss-receiver <mss value>
    next
end

tcp-mss-sender: value of the sender's TCP MSS; modifies the TCP MSS field in the TCP SYN packet.
tcp-mss-receiver: value of the receiver's TCP MSS; modifies the TCP MSS field in the TCP SYN packet.
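To show what the tcp-mss-sender and tcp-mss-receiver settings do to a TCP SYN, here is an added example (not FortiGate code) that parses the TCP options of a constructed SYN header, reads the advertised MSS, and rewrites it to a lower limit such as 1300 when the advertised value exceeds it; the header bytes, the port numbers and the option layout are constructed sample input, and the TCP checksum is not recalculated.

```python
import struct

# Constructed TCP SYN header: 20-byte fixed header + 12 bytes of options.
# Ports 40000 -> 443, seq 1, ack 0, data offset 8 (32 bytes), flags SYN,
# window 65535, checksum 0 (not computed), urgent pointer 0, then options:
#   MSS (kind 2, len 4) = 1460, NOP, window scale (kind 3, len 3) = 7,
#   SACK permitted (kind 4, len 2), end of option list + padding.
SYN_HEADER = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 8 << 4, 0x02, 65535, 0, 0)
SYN_HEADER += bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 4, 2, 0, 0])


def iter_options(tcp_header):
    """Yield (kind, index, length) for each TCP option, validating bounds."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:            # end of option list
            return
        if kind == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        yield kind, i, length
        i += length


def advertised_mss(tcp_header):
    """Return the MSS value carried in the SYN options, or None if absent."""
    for kind, i, length in iter_options(tcp_header):
        if kind == 2 and length == 4:
            return struct.unpack("!H", tcp_header[i + 2:i + 4])[0]
    return None


def clamp_mss(tcp_header, max_mss):
    """Lower the advertised MSS to max_mss if it is larger (what MSS clamping does)."""
    hdr = bytearray(tcp_header)
    if not hdr[13] & 0x02:       # MSS is only negotiated in SYN segments
        return bytes(hdr)
    for kind, i, length in iter_options(hdr):
        if kind == 2 and length == 4:
            if struct.unpack("!H", hdr[i + 2:i + 4])[0] > max_mss:
                hdr[i + 2:i + 4] = struct.pack("!H", max_mss)
            break
    return bytes(hdr)
```

A real device also recomputes the TCP checksum after rewriting the option; the example leaves the checksum field at zero to keep the focus on the option walk.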
Note:
This problem is usually related to an MTU mismatch on the ISP link. Consider the procedure above a workaround. To reach a more detailed conclusion and confirm whether the packets are being fragmented and causing the problem, run a packet sniffer filtered on the source/destination IP, or on the port/protocol, as below:
diag sniffer packet any 'host 192.168.10.10 and proto 50' 4
Related article:
Copyright 2025 Fortinet, Inc. All Rights Reserved.