
Broken websites over tunnel

FortiGate on firmware 7.2.3


I have a MikroTik router connecting to a FortiGate 200 HA cluster via IPsec.

The external site has multiple subnets, so a GRE tunnel (over the IPsec) connects from the MikroTik router to handle the routing rules on the MikroTik side.


I have firewall rules allowing access to different subnets on the external site.


One subnet on the external side should now use the WAN from the main site.

I am routing it via the GRE-over-IPsec tunnel to the Forti and then perform NAT.


This works fine, MOSTLY. Latency, performance, etc. are all fine, and nearly every other website I tested works fine.

BUT: a group of specific websites doesn't open at all; I get a timeout.


So opening up e.g. or is not possible.

Maybe it's a coincidence, but all these sites are either speed test providers or ISPs.


Any idea how I can debug this?

I already thought it's an MTU issue and adjusted the MTU on the external site to the MTU of the FortiGate.


If I call an external MTU check, I get an MTU of 1500 as a result.


The FortiGate tells me the MTU of the GRE tunnel is 1396.


Could this be a pointer, or is it a red herring?




Hi Kellermeister111,

Please share the packet capture for one non-working website from the FortiGate.

# diag sniffer packet any "host <server IP address>" 6 0 a


No packets are arriving, the trace is empty.


I tried to debug this further:

I have one machine, PC1, which is connected via the GRE tunnel, and a second machine, PC2, that connects directly.


On both machines I can ping e.g. properly (this also shows in the sniffer trace).

If I make a ping with a size of 1472, it fails on PC1 but succeeds on PC2.


A ping test with no-defrag delivers different results:

PC1 has a maximum data size of 1396.

PC2 has an (expected) maximum data size of 1472.


I now assume that the HTTP request from PC1 gets a response with an MTU of 1500, which gets dropped on the GRE tunnel with the MTU of 1414.


If I send data over the GRE directly from the Forti, the GRE tunnel works fine (probably the direct interface honors the MTU of the GRE properly).


Please advise: do I understand the issue properly? How can I prove that this is really the issue? And how could I fix it (if it is the issue)?
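For the "how can I prove it" question, here is an added Python example (not from the poster or from Fortinet) that turns the don't-fragment ping measurements above into path MTUs and the TCP MSS an administrator would clamp to, and simulates the binary search a DF probe performs against a path that silently drops oversized packets. Header sizes are the standard IPv4/ICMP/TCP/GRE values, the 1396 and 1472 payloads are the thread's own numbers, and the black-hole path is a constructed stand-in so the script runs offline.

```python
# Added example for this thread, not from the poster or Fortinet. Header sizes are
# standard IPv4/ICMP/TCP/GRE values; 1472, 1396 and the GRE MTU come from the thread.
IPV4_HDR = 20
ICMP_HDR = 8
TCP_HDR = 20
GRE_HDR = 4  # GRE without key/sequence options

def path_mtu_from_df_ping(max_payload: int) -> int:
    """Largest DF-bit ping payload that still gets answered -> path MTU."""
    return max_payload + IPV4_HDR + ICMP_HDR

def gre_inner_mtu(carrier_mtu: int) -> int:
    """MTU usable inside a plain GRE tunnel whose carrier path has carrier_mtu."""
    return carrier_mtu - IPV4_HDR - GRE_HDR

def tcp_mss_for_mtu(mtu: int) -> int:
    """TCP MSS to clamp so a full segment fits a single packet of size mtu."""
    return mtu - IPV4_HDR - TCP_HDR

def discover_pmtu(probe, lo: int = 576, hi: int = 9000) -> int:
    """Binary-search the largest size probe() accepts; probe stands in for a DF ping."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def black_hole_path(real_mtu: int):
    """Constructed stand-in for the poster's path: DF packets above real_mtu vanish
    with no ICMP 'Fragmentation Needed' reply, so the sender never learns the MTU."""
    return lambda size: size <= real_mtu

def diagnose(pc1_max_payload: int, pc2_max_payload: int) -> dict:
    """Turn the two DF-ping results from the thread into an actionable summary."""
    pc1_mtu = path_mtu_from_df_ping(pc1_max_payload)
    pc2_mtu = path_mtu_from_df_ping(pc2_max_payload)
    return {
        "pc1_path_mtu": pc1_mtu,             # 1424 for the thread's 1396 payload
        "pc2_path_mtu": pc2_mtu,             # 1500 for 1472
        "black_hole_suspected": pc1_mtu < pc2_mtu,
        "mss_clamp": tcp_mss_for_mtu(pc1_mtu),  # 1384
    }

if __name__ == "__main__":
    print(diagnose(1396, 1472))
    # A simulated probe over a 1424-byte black-hole path converges on 1424.
    print(discover_pmtu(black_hole_path(1424)))
```

On a real network the probe is the OS ping tool with the DF flag set (Linux `ping -M do -s <size>`, Windows `ping -f -l <size>`), and a PMTUD black hole shows exactly the symptom described: small packets pass while full-size TCP responses time out.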






