Greetings
Im having some problems with my VXLAN over IPSec implementation. Im able to establish connection to the remote site. Telnet, SSH, RDP, VOIP is working fine but Outlook and some HTTP or HTTPS application don't work. I have read many article about this issue and all says that is a MTU or fragmentation issue. But I follow all the recommendation and nothing seems to work.
First thing I notice is that VPN interface, Software-switch and vxlan mtu were set to 1370. I manage to bring the VPN and vxlan mtu to 9000 and Software-switch to 1500. My physical interface are all set to max mtu (9216). I also disable the honor-df bit but the maximum mtu that i can pass without fragmentation is 1472. And I think that is fine because 1472 + 28(header overhead) = 1500. But still cant get Outlook to work. I also adjust the mss in the policy to 1432 (1472-40). Also I lower my encryption to 3DES SHA1.
My main FW is a 100F and the remote is a 60F. Im runnig 7.2.4.
I will appreciate any information that you can provide
Solved! Go to Solution.
Basically the most important MTU value is the one of the physical link between the two nodes that are doing IPSEC. In the best scenario if that link support more than 1600 bytes you can use the standard 1500 for the encapsulated data. That is not easily achievable in the standard internet. https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/38079/vxlan
If you want to make it work quickly you may decrease the MTU directly on the server or lower the MTU on the interface that is the GW for the server: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/596096/interface-mtu-packet-...
and make sure that Path MTU Discovery (PMTUD) can work
Hello JBC,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Basically the most important MTU value is the one of the physical link between the two nodes that are doing IPSEC. In the best scenario if that link support more than 1600 bytes you can use the standard 1500 for the encapsulated data. That is not easily achievable in the standard internet. https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/38079/vxlan
If you want to make it work quickly you may decrease the MTU directly on the server or lower the MTU on the interface that is the GW for the server: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/596096/interface-mtu-packet-...
and make sure that Path MTU Discovery (PMTUD) can work
Thanks for the help @Anthony_E @ebilcari
I was able to fix this adjusting the mss on the firewall policy.
Hello @jm-barreto;
I have the same problem. What mss value did you configure in the firewall policies ?
JCPV
Hi
For my scenario the mss value was 1303 and i apply it on receive ant transmit in the firewall policy
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.