khang8
New Contributor

Is it necessary to fine tune MTU setting for my Fortigate201E (version 6)

I have a Fortigate201E. I set up port 15 to have an IPsec tunnel to another Huawei FW, with a fiber link. The IPsec tunnel is set up correctly and both phase 1 and 2 are up.

I want to connect Wireshark and monitor the link for any dropped packets or errors. How do I do that?

Thanks for any help.

 

khang8
New Contributor

The reason I want to monitor the link is that someone told me the current MTU size of 1500 might be reduced by the IPsec tunnel overhead. Not sure if this is true.

srajeswaran

By default, the MTU of an IPsec VPN interface is dynamically calculated; this is to accommodate the additional overhead added by IPsec encryption. The articles below explain the details.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MTU-override-of-IPsec-VPN-interface/ta-p/1...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Tunnel-interface-MTU-value/ta-p/198748
https://www.fortinetguru.com/2019/06/ipsec-vpn-concepts-3/5/


Regards,

Suraj
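
The overhead arithmetic behind this answer, as an added example that is not part of the original thread and is not FortiGate's own calculation: it applies generic ESP tunnel-mode sizes (RFC 4303) over an IPv4 outer header. The cipher suites in the table are assumptions, since the thread does not state the tunnel's phase 2 proposal.

```python
# Added example: generic ESP tunnel-mode overhead, not FortiGate's algorithm.
from dataclasses import dataclass

@dataclass(frozen=True)
class EspSuite:
    iv_len: int   # IV bytes carried in every ESP packet
    block: int    # alignment of the encrypted payload (cipher block or 4)
    icv_len: int  # integrity check value (truncated HMAC or AEAD tag)

# Constructed table of common suites (assumed; the thread names none).
SUITES = {
    "aes-cbc/hmac-sha1-96": EspSuite(iv_len=16, block=16, icv_len=12),
    "aes-cbc/hmac-sha256-128": EspSuite(iv_len=16, block=16, icv_len=16),
    "aes-gcm-16": EspSuite(iv_len=8, block=4, icv_len=16),
}

OUTER_IPV4 = 20   # outer IPv4 header without options
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes
NAT_T_UDP = 8     # UDP/4500 encapsulation when NAT traversal is active

def fixed_overhead(suite: EspSuite, nat_t: bool = False) -> int:
    """Bytes added to every packet regardless of padding."""
    extra = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + extra + ESP_HEADER + suite.iv_len + suite.icv_len

def esp_packet_size(inner_len: int, suite: EspSuite, nat_t: bool = False) -> int:
    """On-wire size of the ESP packet carrying an inner packet of inner_len."""
    padded = -(-(inner_len + ESP_TRAILER) // suite.block) * suite.block
    return fixed_overhead(suite, nat_t) + padded

def max_inner_packet(link_mtu: int, suite: EspSuite, nat_t: bool = False) -> int:
    """Largest inner packet that fits in link_mtu without outer fragmentation."""
    room = link_mtu - fixed_overhead(suite, nat_t)
    room -= room % suite.block          # payload must end on a block boundary
    return room - ESP_TRAILER

def tcp_mss(inner_mtu: int) -> int:
    """MSS for IPv4/TCP without options inside the tunnel."""
    return inner_mtu - 40

if __name__ == "__main__":
    for name, suite in SUITES.items():
        for nat_t in (False, True):
            mtu = max_inner_packet(1500, suite, nat_t)
            full = esp_packet_size(1500, suite, nat_t)
            print(f"{name:24} nat_t={nat_t!s:5} tunnel MTU={mtu} "
                  f"MSS={tcp_mss(mtu)} 1500-byte inner -> {full} on wire")
```

A 1500-byte inner packet always exceeds a 1500-byte link once encapsulated, which is why the tunnel interface MTU has to be lower than the physical one.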


khang8

Hi Suraj

So does it mean I do not have to manually set the MTU on that IPsec tunnel interface?

Thanks for advice.

srajeswaran

That is correct. Unless you are facing some issues with traffic and the corresponding troubleshooting points to fragmentation issues, you may leave the settings/values as they are.

Regards,

Suraj


khang8

I have not confirmed if there's any fragmentation in Wireshark. Still in the process of confirming. Will reply once I get any update. Thanks for your advice.

Regards,

Kwang Heng
