Good day,
I have an IPSEC tunnel created between my head office running a FortiGate FW and my branch running a Sophos FW.
The tunnel is connected and I am able to ping devices between the 2 offices over the tunnel. I am, however, having issues accessing anything over the tunnel; I can browse any device web interfaces over the tunnel as well as access any shares.
Any suggestions as to where the issue could be?
Thanks in advance
Hi RudiScott,
This could be related to either MTU or to the ISP dropping ESP packets.
1. For MTU, you can lower it either on the policy or on the tunnel interface directly.
2. For ISP dropping packets, you can try and enable NAT-t forced and restart the tunnel.
Hope this helps.
Thank you.
Shahan
Hi Shahan,
Thank you for the reply. I have confirmed with the ISP that they are not dropping packets.
Can you please share some more insight on how to check the MTU size and how to change it?
I am quite new to FortiGate.
Thanks
Hello Rudi,
You can check the MTU using the commands from:
To change the MTU, please use the following KB:
Or to change it in a policy:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518
Please note, for the last link, that this is TCP-MSS, which you would have to calculate based on the network characteristics (in the simplest scenario it would be "desired MTU" - (minus) 40 (because of the TCP size) = tcp-mss value).
Regards,
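
One way to measure the usable MTU across the tunnel from a Linux host behind either firewall, then derive the MSS with the "desired MTU - 40" rule from the reply above. This is an added example, not part of the thread or of Fortinet's documentation; it assumes iputils `ping` (where `-M do` sets Don't Fragment), and the function names and the 192.0.2.10 address are placeholders.

```shell
#!/bin/sh
# Added example: find the largest packet that crosses the tunnel unfragmented,
# then derive the TCP MSS with the thread's "desired MTU - 40" rule.

# probe SIZE HOST: succeed if an ICMP echo with SIZE payload bytes and the
# Don't Fragment bit set gets a reply. Assumes Linux iputils ping.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: binary search on the ICMP payload size.
# Prints the path MTU (payload + 20 bytes IPv4 + 8 bytes ICMP header), or
# returns 1 if even the smallest probe gets no reply.
find_path_mtu() {
    host=$1
    lo=${2:-500}     # payload size assumed small enough to pass
    hi=${3:-1472}    # 1500-byte Ethernet MTU minus 28 bytes of headers
    probe "$lo" "$host" || return 1
    if probe "$hi" "$host"; then
        echo $((hi + 28))
        return 0
    fi
    # Invariant from here on: lo passes, hi fails.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if probe "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo $((lo + 28))
}

# mss_for_mtu MTU: the simplest-scenario rule quoted in the reply.
mss_for_mtu() {
    echo $(($1 - 40))
}

# Runs only when a target is given, e.g.: sh pmtu.sh 192.0.2.10 (placeholder)
if [ -n "${1:-}" ]; then
    mtu=$(find_path_mtu "$1") || { echo "no reply from $1" >&2; exit 1; }
    echo "path MTU: $mtu, suggested tcp-mss: $(mss_for_mtu "$mtu")"
fi
```

If small pings succeed but the search stops well below 1500, large TCP segments are being dropped on the path, which matches the symptom of ping working while web pages and shares do not.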