Description
This article explains how to identify MTU issues in upstream and downstream devices causing traffic problems using the Firewall CLI.
Scope
FortiGate.
Solution
In the CLI, use the 'execute ping-options data-size' command to set the ICMP payload size, then initiate a ping to the destination.
Here's an example where the ISP router had an MTU issue, which caused overall slowness for the LAN users.
FGT_FW # execute ping-options data-size 500
FGT_FW # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 500 data bytes
76 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=19.3 ms
76 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=19.2 ms
76 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=19.3 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 19.2/19.2/19.3 ms
FGT_FW # execute ping-options data-size 600
FGT_FW # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 600 data bytes
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
From the above ping test, it was determined that the upstream device had a misconfigured MTU, which caused the issue.
Once the path MTU is identified, the MTU can be changed at the interface level with the commands below.
FGT-GRG # config sys interface
FGT-GRG (interface) # edit port1
FGT-GRG (port1) # set mtu-override enable
FGT-GRG (port1) # set mtu
<integer> Maximum transmission unit (68-65535). Default 1500.
In the above case, MTU would be 500 + 8 (ICMP header) + 20 (IP header) = 528 bytes.
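The two probes above (500 bytes answered, 600 bytes lost) bracket the path MTU; the following script, added here as an example and not part of the original article or any Fortinet tool, generalises that to a binary search over the data size and then applies the same 8 + 20 byte arithmetic. The probe function is injected so the search runs offline against a constructed path; on a FortiGate the probe would be the 'execute ping-options data-size N' and 'execute ping' pair shown above. The names payload_to_mtu, largest_passing_payload, simulated_path and find_path_mtu are assumptions made for this example.

```python
"""Find the largest ICMP payload a path carries, then derive the path MTU.

Added example: the probe is injected so the search can be exercised offline
against a simulated path. On a FortiGate the probe would be
'execute ping-options data-size N' followed by 'execute ping <destination>'.
"""
from typing import Callable

ICMP_HEADER = 8   # ICMP echo header, bytes
IPV4_HEADER = 20  # IPv4 header without options, bytes


def payload_to_mtu(data_size: int) -> int:
    """On-wire IPv4 packet size for an ICMP echo with data_size payload bytes."""
    return data_size + ICMP_HEADER + IPV4_HEADER


def largest_passing_payload(probe: Callable[[int], bool], lo: int, hi: int) -> int:
    """Binary-search the largest data size in [lo, hi] for which probe() reports replies.

    Assumes a monotonic path: if size N gets a reply, every size below N does too.
    Raises ValueError when even `lo` gets no reply, because that points at
    reachability or ICMP filtering rather than an MTU limit.
    """
    if not probe(lo):
        raise ValueError(f"no reply even at data-size {lo}; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits, so the answer is mid or larger
        else:
            hi = mid - 1      # mid was dropped, so the answer is smaller
    return lo


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the real ping: replies only if the packet fits path_mtu."""
    def probe(data_size: int) -> bool:
        return payload_to_mtu(data_size) <= path_mtu
    return probe


def find_path_mtu(probe: Callable[[int], bool], lo: int = 64, hi: int = 1472) -> tuple[int, int]:
    """Return (largest passing data-size, corresponding path MTU).

    hi defaults to 1472 = 1500 - 28, the largest payload a standard Ethernet MTU carries.
    """
    data = largest_passing_payload(probe, lo, hi)
    return data, payload_to_mtu(data)


if __name__ == "__main__":
    # Constructed scenario mirroring the article: 500-byte payloads pass, 600-byte ones vanish.
    data, mtu = find_path_mtu(simulated_path(528))
    print(f"largest passing data-size={data}, path MTU={mtu}")  # 500 and 528
```

When driving this against a real device, treat a lost reply with care: the article's result is convincing because the same host answered every 500-byte probe and none of the 600-byte ones, so ICMP filtering or rate limiting can be ruled out before the interface MTU is lowered to the computed value.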
The command 'diagnose netlink interface list <interface_name>' can be used to verify that the MTU override has taken effect.