RudiScott
New Contributor

VPN tunnel connected but not working

Good day,

 

I have an IPSEC tunnel created between my head office running a FortiGate FW and my branch running a Sophos FW. 

The tunnel is connected and I am able to ping devices between the 2 offices over the tunnel. I am, however, having issues accessing anything over the tunnel; I can browse any device web interfaces over the tunnel as well as access any shares.

Any suggestions as to where the issue could be? 

 

Thanks in advance 

1 Solution
anikolov
Staff
Staff

Hello Rudi,

 

You can check the MTU using the commands from:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Network-Interface-Card-NIC-commands/...

 

To change the MTU, please use the following KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-MTU-override-of-IPsec-VPN-interface/ta-p/1...

 

Or to change it in a policy:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

 

Please note, for the last link, that this is TCP-MSS, which you would have to calculate based on the network characteristics (in the simplest scenario it would be "desired MTU" - (minus) 40 (because of the TCP size) = tcp-mss value).

 

Regards,

Aleksandar Nikolov
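
A worked version of the MTU and TCP-MSS calculation discussed in the answer above, as an added example that is not part of the original thread or of Fortinet's documentation. It estimates IPv4 ESP tunnel-mode overhead to find the largest inner packet that fits the path MTU, then applies the "desired MTU minus 40" rule; the transform table, the function names and the 1500-byte path MTU are assumptions for illustration.

```python
"""Added example: estimate inner MTU and TCP MSS for an IPv4 ESP tunnel."""

IP_HDR = 20      # IPv4 header without options (outer and inner)
TCP_HDR = 20     # TCP header without options
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)
NATT_UDP = 8     # UDP encapsulation header added when NAT-T is in use

# Assumed transforms: (IV bytes, padding alignment, ICV bytes)
TRANSFORMS = {
    "aes-cbc/sha1-96":    (16, 16, 12),
    "aes-cbc/sha256-128": (16, 16, 16),
    "aes-gcm-16":         (8, 4, 16),
}

def esp_packet_size(inner_len, transform, nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    # Inner packet plus the 2-byte trailer is padded up to the alignment.
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    return IP_HDR + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_inner_mtu(path_mtu, transform, nat_t=False):
    """Largest inner IPv4 packet that is encapsulated without exceeding path_mtu."""
    inner = path_mtu
    while esp_packet_size(inner, transform, nat_t) > path_mtu:
        inner -= 1
    return inner

def tcp_mss(inner_mtu):
    """Simplest-case rule from the thread: desired MTU minus 40."""
    return inner_mtu - IP_HDR - TCP_HDR

if __name__ == "__main__":
    path_mtu = 1500  # assumed WAN path MTU; use 1492 for a PPPoE link
    for name in TRANSFORMS:
        for nat_t in (False, True):
            mtu = max_inner_mtu(path_mtu, name, nat_t)
            print(f"{name:20} nat_t={nat_t!s:5} inner MTU={mtu} MSS={tcp_mss(mtu)}")
    # A default 84-byte ping fits easily; a full 1500-byte TCP packet does not.
    for size in (84, 1500):
        wire = esp_packet_size(size, "aes-cbc/sha1-96")
        print(f"inner {size} bytes -> {wire} on the wire, fits={wire <= path_mtu}")
```

The last two lines of output show why small pings can succeed over a tunnel while full-size TCP segments need fragmentation or a lower MSS.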


3 REPLIES 3
sagha
Staff
Staff

Hi RudiScott

 

This could be related to either MTU or related to the ISP dropping ESP packets.

 

1. For MTU, you can lower it either on the policy or on the tunnel interface directly.

2. For ISP dropping packets, you can try and enable NAT-T forced and restart the tunnel.

 

Hope this helps. 


Thank you. 

Shahan

RudiScott

Hi Shahan, 

 

Thank you for the reply. I have confirmed with the ISP that they are not dropping packets. 
Can you please share some more insight on how to check the MTU size and how to change it? 
I am quite new to FortiGate.

 

Thanks 
