Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RichyRoss
New Contributor III

CAPWAP over IPSec VPN Issues

Hi All, 


Customer is running non-Forti APs with a Wireless Controller located over an IPSec VPN from my Fortigate to their ASA.

APs are losing their connection to the controller, and the customer is confident the Fortigate isn't sending on CAPWAP traffic.

I thought this might be an MTU issue: with the ASA side set to 1500, the Fortigate was set to 1420, so I've increased it to 1500, but the issue is still ongoing.


Any ideas, or debugs I can run to help determine the cause?

Thanks,

ebilcari
Staff

For VPN setups over the internet, most ISPs will not allow higher MTU values (more than 1500). What you can do is lower the MTU for the traffic that is going to be encapsulated in the VPN to avoid fragmentation or possible drops. Making this change directly on the AP/WLC could be a safer approach, but you can also tune the MTU values for the VPN traffic on the FGT.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
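As an added example (not from this thread and not a Fortinet tool), the Python below works out the ESP overhead for a few common IPsec proposals and reports the largest inner packet that still fits a 1500-byte link without fragmentation. The 1500/1420 figures are the ones quoted in the thread; the cipher, integrity algorithm and NAT-T flag are assumptions about the tunnel.

```python
# Constructed example: ESP overhead and the largest inner MTU that avoids
# post-encapsulation fragmentation. Sizes are the standard ESP/IPv4 values.

IPV4_HDR = 20        # outer IPv4 header
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # UDP header added when NAT traversal is active

# encryption algorithm -> (IV length, payload alignment / block size)
ENC = {
    "aes128-cbc": (16, 16), "aes256-cbc": (16, 16),
    "aes128-gcm": (8, 4), "aes256-gcm": (8, 4),
}
# integrity algorithm -> truncated ICV length (GCM carries its own 16-byte tag)
ICV = {"sha1": 12, "sha256": 16}


def outer_len(inner_len: int, enc: str, auth: str, nat_t: bool) -> int:
    """Size on the wire of an ESP packet carrying an inner_len-byte packet."""
    iv, block = ENC[enc]
    icv = 16 if enc.endswith("gcm") else ICV[auth]
    # ESP pads so that (payload + trailer) is a multiple of the block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv
            + inner_len + pad + ESP_TRAILER + icv)


def fits(inner_len: int, link_mtu: int, enc: str, auth: str, nat_t: bool) -> bool:
    """True if the encapsulated packet leaves the box without fragmentation."""
    return outer_len(inner_len, enc, auth, nat_t) <= link_mtu


def max_inner_mtu(link_mtu: int, enc: str, auth: str, nat_t: bool) -> int:
    """Largest inner packet whose ESP encapsulation still fits link_mtu."""
    size = link_mtu
    while size > 0 and not fits(size, link_mtu, enc, auth, nat_t):
        size -= 1
    return size


if __name__ == "__main__":
    # A 1500-byte CAPWAP/DTLS frame from the AP cannot fit a 1500-byte link
    # once ESP is added, which is why tunnel MTUs are set lower (e.g. 1420).
    for nat_t in (False, True):
        print(f"nat_t={nat_t}: 1500 fits? {fits(1500, 1500, 'aes256-cbc', 'sha256', nat_t)}, "
              f"1420 -> {outer_len(1420, 'aes256-cbc', 'sha256', nat_t)} bytes, "
              f"max inner = {max_inner_mtu(1500, 'aes256-cbc', 'sha256', nat_t)}")
```

Set the AP/WLC (or FGT tunnel) MTU at or below the reported "max inner" value for the proposal actually negotiated; the 1420 default leaves headroom for NAT-T and larger ICVs.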
RichyRoss
New Contributor III

Customer has already lowered the MTU, so this shouldn't be an issue. They believe the Fortigate is dropping DTLS packets.

Any reason for this?

RichyRoss
New Contributor III

Thanks for the reply, Emirjon.

So change the MTU value on the APs and WLC to, say, 1400, and leave the IPSec VPN interface at 1500?

hbac
Staff

Hi @RichyRoss,

You can run packet captures and debug flows to make sure the traffic is not being blocked. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Regards,

RichyRoss
New Contributor III

Thanks hbac, found some stale sessions and changed the config to stop this, which has worked.

Thanks
