FortiGate
caunon (Staff)
Article Id 378830
Description

This article describes how to handle a situation where, after tcp-mss is set on an IPsec VPN interface, the setting does not take effect for IPv6 traffic.

Scope

FortiGate v7.2.x.

Solution
  1. On the FortiGate unit, configure the IPsec VPN and set tcp-mss on the IPsec VPN interface with the following CLI commands:

     config system interface
         edit <IPsec VPN interface's name>
             set tcp-mss 1250
         next
     end

  2. Test that IPv4 traffic passes. The MSS (Maximum Segment Size) is limited to 1250 as configured.
  3. Test that IPv6 traffic passes. The MSS is not limited to 1250: the interface tcp-mss setting does not apply to IPv6 traffic.

To fix this:

  1. As a temporary workaround, configure the tcp-mss sender/receiver settings under the firewall policy instead, via the CLI:

     config firewall policy
         edit <IPsec VPN firewall policy id>
             set tcp-mss-sender 1250
             set tcp-mss-receiver 1250
         next
     end

  2. For a permanent fix, upgrade the FortiGate firmware to v7.2.11 or later.
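As an added check, not part of this article or of any Fortinet tool, the Python script below parses FortiGate CLI `show` output and lists firewall policies that pass traffic through an interface with tcp-mss set but lack the tcp-mss-sender/receiver override from step 1, which is exactly where IPv6 flows stay unclamped on affected v7.2.x builds. The sample configuration is constructed for the example; feed it real output of `show system interface` and `show firewall policy` instead.

```python
import shlex

def parse_fortigate_config(text):
    """Parse FortiGate CLI 'show' output into {section: {entry: {key: [values]}}}."""
    tree = {}
    stack = []  # (kind, name) frames for the open 'config' / 'edit' blocks
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append((cmd, " ".join(args)))
        elif cmd == "set" and any(k == "edit" for k, _ in stack):
            # nested sub-blocks (e.g. 'config ipv6') are flattened into the outer entry
            section = next(n for k, n in stack if k == "config")
            entry = next(n for k, n in stack if k == "edit")
            tree.setdefault(section, {}).setdefault(entry, {})[args[0]] = args[1:]
        elif cmd in ("next", "end") and stack:
            stack.pop()
    return tree

def policies_missing_mss(cfg):
    """Policy ids that use an interface with tcp-mss set but lack the
    tcp-mss-sender/receiver override, so their IPv6 flows are not clamped."""
    clamped = {n for n, kv in cfg.get("system interface", {}).items() if "tcp-mss" in kv}
    hits = []
    for pid, kv in cfg.get("firewall policy", {}).items():
        if (set(kv.get("srcintf", [])) | set(kv.get("dstintf", []))) & clamped:
            if not {"tcp-mss-sender", "tcp-mss-receiver"} <= set(kv):
                hits.append(pid)
    return sorted(hits)

# Constructed sample config (not from a real unit): policy 5 has the workaround, 6 does not.
SAMPLE = """\
config system interface
    edit "vpn-to-branch"
        set tcp-mss 1250
    next
end
config firewall policy
    edit 5
        set srcintf "port1"
        set dstintf "vpn-to-branch"
        set tcp-mss-sender 1250
        set tcp-mss-receiver 1250
    next
    edit 6
        set srcintf "vpn-to-branch"
        set dstintf "port1"
    next
end
"""
```

Running `policies_missing_mss(parse_fortigate_config(SAMPLE))` returns `['6']`, the policy that still needs the per-policy MSS override until the firmware is upgraded.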