Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problems with Windows Active Directory services th...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems with Windows Active Directory services through VXLAN over IPsec VPN
Hello Community.
I would like to ask for your help with a Fortigate 200F (HA- A/A), with FortiOS 7.0.9.
I have an IPsec VPN with a customer, who has a Fortigate 400E on the same Firmware version. Through this IPsec VPN I am extending a vlan via VXLAN (10.100.0.0/23) (Vlan ID 1). The communication between the sites is correct for the computers that are not inside the Domain. This is evidenced, when entering the Domain (It is in Site B- Fortigate 400E), a computer that is in site A (Fortigate 200F). Windows authentication takes at least 30-45 minutes, they never update the GPOs and the client machine performance is super slow. When I remove the client machine from the domain, the machine starts to perform optimally. My suspicion is, that the fortigate has problems handling traffic from Kerberos, LDAP, NetBios, Etc. over VXLAN.
These are my VPN over VXLAN configurations:
config vpn ipsec phase1-interface
edit "VPN_SiteB"
set interface "port14"
set peertype any
set net-device disable
set proposal aes256-sha256
set remote-gw 185.20.X.X
set psksecret ENC PASSWRD
next
end
config vpn ipsec phase2-interface
edit "VPN_SiteB"
set phase1name "VPN_SiteB"
set proposal aes256-sha256
set auto-negotiate enable
next
end
config system switch-interface
edit "SW_VXLAN_1"
set vdom "root"
set member "port17" "VXLAN.1"
next
config system vxlan
edit "VXLAN.1"
set interface "VPN_SiteB"
set vni 1
set remote-ip "10.72.19.2"
next
end
config system interface
edit "VPN_SiteB"
set vdom "root"
set ip 10.72.19.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.72.19.2 255.255.255.252
set interface "port14"
next
edit "SW_VXLAN_1"
set vdom "root"
set ip 10.100.0.253 255.255.254.0
set allowaccess ping
set type switch
next
end
I appreciate your help.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solution that worked for me.
After reviewing the case with Fortinet's TAC, we found that the problem was indeed caused by the size of the MTUs. The Windows client machines were trying to send packets with an MTU greater than 1500 and in addition to the payload that is added in the VPN communication (Approx. 28 Bytes), the packet is too big. It was not possible to make the connection work, forcing the MTU Override on the IPsec VPN interfaces, neither on the WAN Interfaces where the VPN was travelling, nor on the LAN interfaces. It was only possible to make the communication work, disabling in both Fortigates "set honor-df disable" with which FortiGate is able to ignore the 'do not defragment' bit of a packet.
Regards.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried configuring MTU for the IPsec interface to a lower value like 1372 if not already ?
---------------------------
geek
---------------------------
geek
---------------------------
---------------------------geek---------------------------
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi funkylicious.
I have changed the MTU size on the IPsec VPN interface of site A and site B to (set mtu-override enable, set mtu 1372), but the behaviour is the same. Even when client machines at Site A go to log in while inside the domain (Domain Controller at Site B) it takes 30 to 45 minutes. I have also disabled hardware acceleration within Phase 1 of the VPN at both sites and the behaviour is the same.
I look forward to any other ideas that can help me resolve this.
Thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know it's a long shot, but have you tried switching to a-p and see if the problem persists ?
---------------------------
geek
---------------------------
geek
---------------------------
---------------------------geek---------------------------
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestion, I applied it last night on both Firewalls, setting the cluster to Active-Passive mode but the behavior is the same. I have also tried enabling the following with no result:
config vpn ipsec phase1-interface
edit VPN_SiteB
set ip-fragmentation pre-encapsulation
set npu-offload disable
next
end
I am still reviewing the issue
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solution that worked for me.
After reviewing the case with Fortinet's TAC, we found that the problem was indeed caused by the size of the MTUs. The Windows client machines were trying to send packets with an MTU greater than 1500 and in addition to the payload that is added in the VPN communication (Approx. 28 Bytes), the packet is too big. It was not possible to make the connection work, forcing the MTU Override on the IPsec VPN interfaces, neither on the WAN Interfaces where the VPN was travelling, nor on the LAN interfaces. It was only possible to make the communication work, disabling in both Fortigates "set honor-df disable" with which FortiGate is able to ignore the 'do not defragment' bit of a packet.
Regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518
TCP MSS may be helpful.
Thanks
Kangming
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiProxy - how to configure no... 102 Views
- What FortiOS Event Logs should i... 1345 Views
- Fortinet external AD Connector and retrieving... 885 Views
- Woke up today and saw High... 909 Views
- TCP handshake between servers 406 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.