I have a FortiGate 201E. I set up port 15 to have an IPsec tunnel to another Huawei FW, with a fiber link. The IPsec tunnel is set up correctly and both phase 1 and phase 2 are up.
I want to connect Wireshark and monitor the link for any dropped packets or errors. How do I do that?
Thanks for any help.
The reason I want to monitor the link is that someone told me the current MTU size of 1500 might be reduced by the IPsec tunnel overhead. I'm not sure if this is true.
By default, the MTU of an IPsec VPN interface is dynamically calculated; this is to accommodate the additional overhead added by IPsec encryption. The articles below explain the details.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-MTU-override-of-IPsec-VPN-interface/ta-p/1...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Tunnel-interface-MTU-value/ta-p/198748
https://www.fortinetguru.com/2019/06/ipsec-vpn-concepts-3/5/
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
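The overhead mentioned in the reply above can be worked out from the standard ESP tunnel-mode framing (RFC 4303). This is an added example, not code from the thread or from Fortinet: it assumes an IPv4 outer header without options, the transform names are labels chosen here, and the page does not state that the FortiGate computes its tunnel MTU in exactly this way.

```python
# Added example: ESP tunnel-mode overhead arithmetic (RFC 4303 framing).
# Sizes are the standard values for each algorithm; the transform names
# are labels chosen for this example, not FortiOS configuration keywords.
OUTER_IPV4 = 20    # outer IPv4 header without options (assumption)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NATT_UDP = 8       # UDP encapsulation header when NAT-T is in use

# name: (IV bytes, alignment of the encrypted part, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":    (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16":              (8, 4, 16),
}

def max_inner_packet(link_mtu, transform, nat_t=False):
    """Largest inner IP packet that fits in one unfragmented ESP packet."""
    iv, align, icv = TRANSFORMS[transform]
    fixed = OUTER_IPV4 + ESP_HEADER + iv + icv + (NATT_UDP if nat_t else 0)
    room = link_mtu - fixed      # bytes left for the encrypted part
    room -= room % align         # encrypted part must end on the alignment
    return room - ESP_TRAILER

def esp_packet_size(inner_len, transform, nat_t=False):
    """On-wire size of the ESP packet carrying an inner packet of inner_len."""
    iv, align, icv = TRANSFORMS[transform]
    body = inner_len + ESP_TRAILER
    body += -body % align        # padding up to the alignment
    return OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + iv + body + icv

if __name__ == "__main__":
    for name in TRANSFORMS:
        for nat_t in (False, True):
            inner = max_inner_packet(1500, name, nat_t)
            print(f"{name:26} nat_t={nat_t!s:5} max inner={inner} "
                  f"wire={esp_packet_size(inner, name, nat_t)} "
                  f"1500-byte inner -> {esp_packet_size(1500, name, nat_t)} on wire")
```

An inner packet larger than the computed maximum has to be fragmented or dropped on a 1500-byte link; in a Wireshark capture, IPv4 fragments match the display filter `ip.flags.mf == 1 || ip.frag_offset > 0`.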
Hi Suraj
So does it mean I do not have to manually set the MTU on that IPsec tunnel interface?
Thanks for advice.
That is correct. Unless you are facing some issues with traffic and the corresponding troubleshooting points to fragmentation issues, you may leave the settings/values as they are.
Suraj
Created on 08-27-2023 10:07 PM, edited on 08-27-2023 10:09 PM by Anthony_E
I have not confirmed if there's any fragmentation in Wireshark. Still in the process of confirming. Will reply once I get any update. Thanks for your advice.
Regards,
Kwang Heng