Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kellermeister111
New Contributor

broken websites over Tunnel

Fortigate on FIrmware 7.2.3

 

I have a mikrotik router connecting to a Fortigate 200HA-Cluster via IPSEC.

The externalSite has multiple Subnets, so a GRE Tunnel (over the IPSEC) connects from the Mikrotikrouter to handle the routingrules on the mikrotikside. 

 

I have firewallrules, allowing access to different subnet on the externalSite.

 

One Subnet on the external side should now use the WAN from the mainsite.

I am routing the 0.0.0.0 via the GREoverIPSEC-Tunnel to the Forti and then make a NAT.

 

This works fine MOSTLY. Latency, performance, etc. everything is fine.

Youtube.com (and nearly every other website i tested) works fine.

BUT: a group of specific websites doesnt open at all, i get a timeout.

 

So opening up eg speedtest.net, www.telekom.de oder www.a1.net is not possible.

Maybe its a conincidence, but alle these sites are either speedtestproviders  or ISPs

 

Any idea how I can debug this?

I already thought its an MTU issue and adjusted the MTU on the external site to the MTU of the Fortigate.

 

If I call an external MTU check (LetMeCheck.it) i get a MTU of 1500 as a result.

 

The Fortigate tells me the MTU of the GRE Tunnel ist 1396. 

 

Could this be a pointer or is it a red hering?

 

 

2 REPLIES 2
pbangari
Staff
Staff

Hi Kellermeister111,

Please share the packet capture for one non-working website from Fortigate.

# diag sniffer packet any "host <server IP address>" 6 0 a

Kellermeister111
New Contributor

No packets are arriving, the trace is empty.

 

I tried to debug this further:

I have one machine PC1 which is connected via the gre tunnel, and a second machine PC2 that connects directly.

 

on both machines I can ping eg. speedtest.net properly (this will show in the sniffer trace also)

if I make a ping with the size of 1472 it will fail on PC1 but will be rewarded on PC2

 

A ping test with no-defrag delivers different results:

PC1 has an maximum datasize of 1396 

PC2 has an (expected) maximum datasize of 1472

 

I assume now that the HTTP-request from PC1 will get a response with an MTU of 1500 and gets dropped on the GRE Tunnel with the MTU of 1414.

 

If a send data over the gre directly from the forti the gre tunnel works fine (probably the direct interface honors the mtu of the gre properly)

 

Please advise: do I understand the issue properly? how can I prove that this is really the issue? and how could I fix it (if its the issue).

 

thx

Gerhard

 

 

Top Kudoed Authors