Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

VXLAN communication not bidirectional between sites


Hello to all,


I have the following problem after implementing VXLAN between two FG-1000D running 7.2.4 OS through an IPsec tunnel (HQ and DR)..(I am in the implementing state so all policies allover are permit all to all):


1. when I login with ssl-vpn through the HQ FortiGate, using the configured policy, I CAN ping ESXi IPs from the remote site (DR) but I cannot access them through https although ALL services are permited on the VPN-> policy and the VWP policy.

On this side, I use and IP-pool to NAT the local VLAN...otherwise ping does not work.


2. When I login with ssl-vpn through DR FortiGate, using the configured policy, I CANNOT ping ESXi IPs from the HQ an also cannot https them.

On this side, if I use or do not use and IP-pool to NAT the local VLAN, the result is always the ping or https.

3. Another mention which I don't know if it's relevant, those two FortiGate clusters are configured in VRRP. Could this be a problem? Could be an interference with the multicast policy for VRRP?


I used this resource for configuring VXLAN through IPsec: 


SO BASICALLY THE CONCLUSION IS I CANNOT FIGURE OUT WHY THE TRAFFIC IS NOT BIDIRECTIONAL (yes, the policy is configured for both ways communication). When using sniffer the echo request goes through the tunnel but no echo reply 


If anyone encountered a similar scenario please help!!!I just don't know what to try anymore...


Thank you,



From my experience on VXLAN deployment the MTU size can cause many unexpected behaviors. 
How did you deal with the MTU size in this setup?
This equates to 50 B of overhead over the original frame: 14 B (Ethernet) + 20 B (IPv4) + 8 B (UDP) + 8 B (VXLAN headers). Since fragmenting a VXLAN packet is not recommended, it is advisable to increase the MTU size to 1550 B or above if possible, or to decrease the TCP MSS size inside a firewall policy.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Thank you, for help.

I changed in my interfaces between 2 sites mtu size from 1500 to 1550, and the problem with https was solved.

Top Kudoed Authors