Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RudiScott
New Contributor

Created on ‎10-11-2022 02:49 AM

VPN tunnel connected but not working

Good day,

 

I have an IPSEC tunnel created between my head office running a FortiGate FW and my branch running a Sophos FW. 

The tunnel is connected and I am able to ping devices between the 2 offices over the tunnel. I am however having issues accessing anything over the tunnel, I can browse any device web interfaces over the tunnel as well as access any shares. 

Any suggestions as to where the issue could be? 

 

Thanks in advance 

Labels:
1420
0 Kudos
1 Solution
anikolov
Staff
Staff

Created on ‎10-18-2022 01:32 AM

Hello Rudi,

 

You can check the MTU using the commands from:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Network-Interface-Card-NIC-commands/...

 

To change the MTU, please use the following KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MTU-override-of-IPsec-VPN-interface/ta-p/1...

 

Or to change it in a policy:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

 

Please note for the last link, that this is TCP-MSS, which you would have to calculate based on the network characteristics (in the simplest scenario it would be "desired MTU" - (minus) 40 (because of the TCP size) = tcp-mss value

 

Regards,

Aleksandar Nikolov

View solution in original post

1356
0 Kudos
3 REPLIES 3
sagha
Staff
Staff

Created on ‎10-11-2022 04:38 AM

Hi RudiScott

 

This could be related to either MTU or related to the ISP dropping ESP packet. 

 

1. For MTU, you can lower is either on the policy or on the tunnel interface directly. 

2. For ISP dropping packets, you can try and enable NAT-t forced and restart the tunnel. 

 

Hope this helps. 


Thank you. 

Shahan

1407
0 Kudos
RudiScott
New Contributor
In response to sagha

Created on ‎10-17-2022 10:38 PM

Hi Shahan, 

 

Thank you for the reply. I have confirmed with the ISP that they are not dropping packets. 
Can you please share some more insight on how to check the MTU size and how to change it? 
I am quite new to Fortigate

 

Thanks 

1365
0 Kudos
anikolov
Staff
Staff

Created on ‎10-18-2022 01:32 AM

Hello Rudi,

 

You can check the MTU using the commands from:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Network-Interface-Card-NIC-commands/...

 

To change the MTU, please use the following KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MTU-override-of-IPsec-VPN-interface/ta-p/1...

 

Or to change it in a policy:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

 

Please note for the last link, that this is TCP-MSS, which you would have to calculate based on the network characteristics (in the simplest scenario it would be "desired MTU" - (minus) 40 (because of the TCP size) = tcp-mss value

 

Regards,

Aleksandar Nikolov
1357
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.