Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiTester
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiVoice
- FortiWAN
- FortiToken
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Issues with Fortigate 60D IPSec VPN and packet si...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issues with Fortigate 60D IPSec VPN and packet size
We have an issue with IPSec VPN tunnels to new Fortigate 60D units that we do not with the 60C model, same firmware on both and we have tested 5.0.7-9 and 5.2 issue persists in all cases on the 60D.
We have a HQ running an 80C HA cluster which accepts Dialup client connections from a number of remotes site Fortigate 60C and now 60Ds.
The 60D tunnels are established as normal and look OK, however we experience issues with VNC access to these sites, very slow and timing out access to the Fortigate web interface, and timing out to SSH when running commands with large output.
Through flow filters and packet sniffing we have determined that the 60D appears to be dropping packets over a certain size. We can successfully send ICMP packets up to 20996 bytes to the Fortigate itself anything over is received by the 60D but no response is sent. As another test there is a printer onsite, in it' s case any ICMP request over 8192 bytes is received but nothing is sent back.
I have attached the flow filter and sniffer logs.
Any suggestions on settings that may have changed or are new on the 60D that may cause this?
Thanks,
Nathan Emerson
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will these are fragments and fragments are very bad. What I would do is to rule out any ASIC offloading, but 1st do you see problems only with VPN traffic or what about traffic locally that' s none VPN bound?
To disable vpn offload execute the following under your vpn-cfg.
set npu-offload dis
Or for a firewall policy;
set auto-asic-offload dis
Now back to your problem, do you really have packets that big in VNC?
FWIW I could not imagine any icmp pings that needs 8K byte big and a lot of unixes will deny you crafting a packet that big. Nor should you be testing with fragments.
e.g
Request timeout for icmp_seq 0
ping: sendto: Message too long
Request timeout for icmp_seq 1
ping: sendto: Message too long
Request timeout for icmp_seq 2
ping: sendto: Message too long
Request timeout for icmp_seq 3
ping: sendto: Message too long
Request timeout for icmp_seq 4
ping: sendto: Message too long
Request timeout for icmp_seq 5
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response.
The remote sites ONLY send traffic via the tunnel under normal circumstances. We will arrange a local traffic test.
The dropping of large ICMP packets is the only thing we could find through monitoring flow filter and sniffer traffic to indicate any kind of issue or difference to working sites. As you rightly suspect our normal traffic is usually made up of much smaller packets.
When monitoring the problem traffic otherwise it simply arrives at the remote site and no response is generated from the client device.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What i would do;
1: determine the VPN effective MTU
A mtu ping or unix has this function
2: I would ensure the DF is being cleared
3: You might want to intercept the tcp-msss and adjust the mss size to be less than effect MTU size ( btw mtu and mss are the not the same, but former effects the latter )
than try and monitor the RDP/VNC or whatever traffic your experiencing problems with.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I see this right you' re using policy mode VPN. Might be worth to quickly set up a route-based VPN instead. I' d have the suspicion that there is an inherent limit in p-m VPN and/or the new hardware in the 60D was not reflected correctly in this part of the FortiOS code.
If the latter is probable it may be worth to open a support case to notify the developer team and eventually get a fix.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah...if you are running a policy based VPN go ahead and can it for the routing based. It will make things a lot easier for ya.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Labels
-
FortiGate
9,212 -
FortiClient
1,876 -
5.2
801 -
FortiManager
788 -
5.4
639 -
FortiAnalyzer
593 -
FortiSwitch
504 -
FortiAP
493 -
FortiClient EMS
464 -
6.0
416 -
5.6
362 -
FortiMail
336 -
SSL-VPN
284 -
IPsec
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
220 -
FortiNAC
217 -
5.0
196 -
FortiGuard
148 -
SD-WAN
133 -
6.4
128 -
FortiAuthenticator
126 -
FortiGateCloud
103 -
FortiCloud Products
102 -
FortiSIEM
100 -
Firewall policy
99 -
FortiToken
96 -
Wireless Controller
85 -
Customer Service
81 -
FortiProxy
71 -
High Availability
67 -
4.0MR3
64 -
Fortivoice
60 -
FortiEDR
60 -
FortiADC
56 -
ZTNA
55 -
vlan
54 -
Routing
53 -
DNS
52 -
LDAP
47 -
FortiSandbox
46 -
FortiExtender
46 -
BGP
46 -
RADIUS
45 -
SAML
45 -
Authentication
45 -
NAT
43 -
FortiDNS
42 -
SSO
42 -
Certificate
42 -
FortiGate-VM
41 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
VDOM
34 -
fortilink
33 -
FortiConnect
32 -
Interface
32 -
Application control
32 -
Virtual IP
28 -
FortiWAN
27 -
Logging
27 -
Web profile
27 -
FortiConverter
26 -
FortiGate v5.2
25 -
FortiPAM
24 -
SSL SSH inspection
23 -
FortiPortal
22 -
Fortigate Cloud
21 -
Traffic shaping
20 -
FortiSwitch v6.2
19 -
Automation
19 -
Static route
19 -
FortiMonitor
18 -
SSID
18 -
snmp
17 -
OSPF
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
Admin
14 -
Security profile
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiRecorder
11 -
IPS signature
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
Explicit proxy
10 -
Traffic shaping policy
10 -
FortiAP profile
10 -
Intrusion prevention
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Port policy
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Antivirus profile
8 -
Traffic shaping profile
8 -
Web rating
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
API
7 -
trunk
7 -
Users
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Packet capture
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
Authentication rule and scheme
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
SDN connector
3 -
Multicast policy
3 -
FortiInsight
2 -
Kerberos
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
File filter
1 -
ICAP profile
1 -
Virtual wire pair
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1923 | |
| 1144 | |
| 769 | |
| 447 | |
| 279 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.