Hi,
I have an IPsec tunnel between two FortiGates (FG1 and FG2). FG1 also has a link to an ISP, hence uses an official IP on this interface. If a client connected to FG1 connects to a server behind FG2 (via another firewall doing anti-spoofing), the server for some reason replies with packets exceeding the MTU between FG2 and FG1 and with the don't-fragment bit set; these get dropped. In fact it seems like FG1 is dropping them, as it is replying with ICMP "need to fragment but don't fragment bit set". (Question is: why is FG1 replying with this message but not FG2?) However, the more important question is: as the source IP of the ICMP message is the one of FG1's external interface, how do I change it? Due to the third firewall doing anti-spoofing, the ICMP packet isn't reaching the server. Any ideas? Thanks in advance!
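To make the drop described above concrete, here is an added example (not from the original post or from Fortinet) that builds an ICMP "fragmentation needed" message the way FG1 would emit it, parses the next-hop MTU and the quoted original packet out of it, and applies the kind of ingress anti-spoofing check the third firewall performs. All addresses, the inside prefix list and the MTU values are constructed placeholders; the comparison shows why a message sourced from FG1's external address is dropped while one sourced from an address inside the expected prefixes would be forwarded.

```python
import ipaddress
import struct

# All addresses below are constructed placeholders, not values from the post.
FG1_EXTERNAL_IP = "203.0.113.10"   # assumed: FG1's public ISP-facing interface
FG1_TUNNEL_IP = "10.255.0.1"       # assumed: FG1's address on the inner/tunnel side
SERVER_IP = "10.20.0.5"            # assumed: server behind FG2
CLIENT_IP = "10.10.0.7"            # assumed: client behind FG1
INSIDE_PREFIXES = ["10.0.0.0/8"]   # assumed: sources the anti-spoofing firewall expects from the tunnel side

def ipv4_header(src, dst, proto, payload_len, df=False):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed sample, never sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000 if df else 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def icmp_frag_needed(src, dst, original_pkt, next_hop_mtu):
    """IPv4 + ICMP type 3 code 4 carrying the next-hop MTU and the first 28 bytes of the
    dropped packet (its IP header plus 8 bytes), as RFC 792 / RFC 1191 specify."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original_pkt[:28]
    return ipv4_header(src, dst, 1, len(icmp)) + icmp

def parse_frag_needed(pkt):
    """Return {src, mtu, quoted_src, quoted_dst} for a type 3 / code 4 message, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # not ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 3 or icmp[1] != 4:     # not "fragmentation needed and DF set"
        return None
    quoted = icmp[8:]                    # the original (dropped) packet's header
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"src": addr(pkt[12:16]), "mtu": struct.unpack("!H", icmp[6:8])[0],
            "quoted_src": addr(quoted[12:16]), "quoted_dst": addr(quoted[16:20])}

def antispoof_accepts(pkt, expected_prefixes):
    """Ingress anti-spoofing check as the firewall in front of the server applies it:
    the ICMP error is forwarded only if its source lies in a prefix expected on that interface."""
    info = parse_frag_needed(pkt)
    if info is None:
        return False
    src = ipaddress.IPv4Address(info["src"])
    return any(src in ipaddress.IPv4Network(p) for p in expected_prefixes)

# The oversized reply: server -> client, total length 1500, DF set (payload length is illustrative).
big_reply = ipv4_header(SERVER_IP, CLIENT_IP, 6, 1480, df=True) + bytes(8)
from_external = icmp_frag_needed(FG1_EXTERNAL_IP, SERVER_IP, big_reply, 1400)  # what the post describes
from_tunnel = icmp_frag_needed(FG1_TUNNEL_IP, SERVER_IP, big_reply, 1400)      # a source the check would pass
```

Running `antispoof_accepts` on both messages shows `from_external` rejected and `from_tunnel` forwarded, which is exactly the difference the server needs in order to learn the 1400-byte path MTU.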