Description | This article describes a case where the webpage is accessible, but some elements such as background images and icons fail to load completely when the web filter is enabled. |
Scope | FortiGate. |
Solution |
The issue with the webpage not loading completely might be caused by a mismatch in MSS (Maximum Segment Size) settings.
When a TCP connection is initiated, the end hosts negotiate the initial MSS by considering and comparing their respective MTUs. A network device along the route may have a smaller MSS value. In that case, if the packets are too large and fragmentation is not allowed because the DF (do not fragment) bit is set, the packets can be dropped. This causes delays or issues where some parts of the webpage load, but other parts do not.
To fix this, adjust the TCP MSS setting by decreasing the MSS value in the policy for both sender and receiver, setting the MSS value to 1300.
This can be done from the CLI as shown:
config firewall policy
Note: If the firewall receives a packet with a segment size smaller than the MSS configured in the policy, it will not adjust the TCP MSS field. For instance, if the policy sets the MSS to 1300 but the packet arrives with an MSS of 1250, the packet will be forwarded with the original MSS of 1250 without modification.
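The clamping rule in the note above can be modelled on the TCP options of a SYN segment. The following Python sketch is an added example, not Fortinet code: it lowers the advertised MSS to the policy value only when the advertised value is larger. The function names and the sample option bytes are constructed for illustration, and the TCP checksum update a real device performs after rewriting the option is omitted.

```python
from __future__ import annotations
import struct

# TCP option kinds (RFC 9293)
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def clamp_mss(options: bytes, policy_mss: int) -> tuple[bytes, int | None, int | None]:
    """Return (new_options, mss_seen, mss_forwarded) for a SYN's TCP options.

    The MSS is lowered to policy_mss only when the advertised value is larger;
    a smaller advertised MSS is forwarded unchanged, as the note describes.
    """
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == OPT_EOL:          # end of option list
            break
        if kind == OPT_NOP:          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated option header")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed option length")
        if kind == OPT_MSS:
            if length != 4:
                raise ValueError("MSS option must be 4 bytes long")
            (seen,) = struct.unpack_from("!H", out, i + 2)
            forwarded = min(seen, policy_mss)
            struct.pack_into("!H", out, i + 2, forwarded)
            return bytes(out), seen, forwarded
        i += length                  # skip any other option
    return bytes(out), None, None    # no MSS option present


def syn_options(mss: int) -> bytes:
    """Constructed sample: MSS, NOP, window scale 7, NOP, NOP, SACK-permitted."""
    return struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([1, 3, 3, 7, 1, 1, 4, 2])


if __name__ == "__main__":
    for advertised in (1460, 1250):  # policy MSS of 1300, as in the article
        _, seen, fwd = clamp_mss(syn_options(advertised), 1300)
        print(f"advertised MSS {seen} -> forwarded MSS {fwd}")
```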
Copyright 2024 Fortinet, Inc. All Rights Reserved.