FortiGate on firmware 7.2.3
I have a MikroTik router connecting to a FortiGate 200 HA cluster via IPsec.
The external site has multiple subnets, so a GRE tunnel (over the IPsec) connects from the MikroTik router to handle the routing rules on the MikroTik side.
I have firewall rules allowing access to different subnets on the external site.
One subnet on the external side should now use the WAN from the main site.
I am routing 0.0.0.0 via the GRE-over-IPsec tunnel to the Forti and then apply NAT.
This works fine MOSTLY. Latency, performance, etc. are all fine.
Youtube.com (and nearly every other website I tested) works fine.
BUT: a group of specific websites doesn't open at all; I get a timeout.
So opening e.g. speedtest.net, www.telekom.de or www.a1.net is not possible.
Maybe it's a coincidence, but all these sites are either speedtest providers or ISPs.
Any idea how I can debug this?
I already thought it was an MTU issue and adjusted the MTU on the external site to the MTU of the FortiGate.
If I run an external MTU check (LetMeCheck.it) I get an MTU of 1500 as a result.
The FortiGate tells me the MTU of the GRE tunnel is 1396.
Could this be a pointer or is it a red herring?
Please share the packet capture for one non-working website from the FortiGate.
# diag sniffer packet any "host <server IP address>" 6 0 a
No packets are arriving; the trace is empty.
I tried to debug this further:
I have one machine, PC1, which is connected via the GRE tunnel, and a second machine, PC2, that connects directly.
On both machines I can ping e.g. speedtest.net properly (this also shows in the sniffer trace).
If I ping with a size of 1472 it fails on PC1 but succeeds on PC2.
A ping test with don't-fragment set delivers different results:
PC1 has a maximum data size of 1396
PC2 has an (expected) maximum data size of 1472
I assume now that the HTTP request from PC1 will get a response with an MTU of 1500 and gets dropped on the GRE tunnel with the MTU of 1414.
If I send data over the GRE directly from the Forti, the GRE tunnel works fine (probably the direct interface honors the MTU of the GRE properly).
Please advise: do I understand the issue properly? How can I prove that this is really the issue? And how could I fix it (if it is the issue)?
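The DF-ping test described in the two posts above (PC1 behind the tunnel versus PC2 on the direct path), written out as a small probe script. This is an added example, not code from the thread or from Fortinet or MikroTik; it assumes Linux iputils ping (`ping -M do -s <bytes>`; on Windows the equivalent is `ping -f -l <bytes>`), IPv4 and ICMP headers without options (20 + 8 bytes), and it includes a constructed offline stand-in (`simulated_probe`) so the search logic can be exercised without a network. The arithmetic it encodes: a DF payload ceiling of 1472 corresponds to a 1500-byte path MTU, a ceiling of 1396 corresponds to 1424 (1396 + 20 + 8), and the TCP MSS to clamp to is the path MTU minus 40. The search returns -1 when even a tiny probe gets no reply, so a host that filters ICMP is not mistaken for a tiny MTU.

```python
"""DF-bit path-MTU probe with the derived TCP MSS.

Added example, not part of the original thread. Assumes Linux iputils ping
flags (`-M do` sets DF, `-s` is the payload size); Windows: `ping -f -l`.
"""
import subprocess

IPV4_HEADER = 20   # bytes, no IP options
ICMP_HEADER = 8    # ICMP echo header
TCP_HEADER = 20    # no TCP options


def max_icmp_payload(path_mtu: int) -> int:
    """Largest ICMP echo payload that fits one DF packet of this MTU.

    1500 -> 1472 (PC2 in the thread), 1424 -> 1396.
    """
    return path_mtu - IPV4_HEADER - ICMP_HEADER


def path_mtu_from_payload(max_payload: int) -> int:
    """Inverse of max_icmp_payload: turn a probe result back into an MTU."""
    return max_payload + IPV4_HEADER + ICMP_HEADER


def tcp_mss_for(path_mtu: int) -> int:
    """TCP MSS that keeps a full segment inside path_mtu (the clamp value)."""
    return path_mtu - IPV4_HEADER - TCP_HEADER


def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One DF ping. True if an echo reply came back; False on timeout or on
    'message too long' / 'frag needed'. Linux iputils flags assumed."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s),
           "-M", "do", "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                         stderr=subprocess.DEVNULL)
    return res.returncode == 0


def simulated_probe(path_mtu: int):
    """Offline stand-in for ping_df_probe (constructed for testing, not a
    real host): a path that drops any DF packet larger than path_mtu."""
    def probe(host: str, payload: int) -> bool:
        return payload + IPV4_HEADER + ICMP_HEADER <= path_mtu
    return probe


def find_max_payload(probe, host: str, lo: int = 0, hi: int = 1472) -> int:
    """Binary search for the largest DF payload that still gets a reply.

    Assumes monotonic behaviour: if N bytes fail, every larger size fails.
    Returns -1 if even `lo` bytes get no reply (host down, ICMP filtered).
    """
    if not probe(host, lo):
        return -1
    if probe(host, hi):
        return hi
    # invariant: probe(lo) is True, probe(hi) is False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid
    return lo


def report(probe, host: str) -> dict:
    """Run the probe and derive the path MTU and the MSS to clamp to."""
    payload = find_max_payload(probe, host)
    if payload < 0:
        return {"host": host, "reachable": False}
    mtu = path_mtu_from_payload(payload)
    return {"host": host, "reachable": True, "max_df_payload": payload,
            "path_mtu": mtu, "tcp_mss": tcp_mss_for(mtu)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "speedtest.net"
    # Real probe from whichever machine this runs on (the PC1 vs PC2 test).
    print(report(ping_df_probe, target))
    # Offline demonstration of a 1424-byte tunnel path.
    print(report(simulated_probe(1424), "simulated-tunnel-path"))
```

Run it once on PC1 and once on PC2 against the same host; the difference in `path_mtu` is the tunnel overhead the DF-marked replies are hitting. The `tcp_mss` value is what you would put into an MSS-clamping rule on the tunnel path (a firewall-policy tcp-mss option on the FortiGate, or a mangle change-mss rule on the MikroTik) so that servers never send a full-size segment that the tunnel has to drop.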