FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fwilliams
Staff
Article Id 307268
Description This article describes how a software switch, as the parent of its member interfaces, dynamically changes its MTU when interfaces are added to it.
Scope FortiGate.
Solution

When a software switch has just been created and no member ports have been added to it yet, its MTU is the default size assigned by FortiOS. The MTU can be verified with the following command:

diagnose netlink interface list <software_switch_name>

diagnose netlink interface list sw1   <-- Example for a software switch named sw1.

if=sw1 family=00 type=1 index=26 mtu=1500 link=0 master=0    <-- Default MTU of the software switch.

Now assume a VXLAN interface with an MTU of 1370 is added to the software switch. The switch automatically adjusts its own MTU to match the VXLAN interface's MTU.

In general, the software switch adopts the lowest MTU of any of its member ports.

The following shows the software switch MTU before and after the VXLAN interface is added, as an example.

  1. MTU of the VXLAN interface (1370):

    diagnose netlink interface list vxlan

    if=vxlan family=00 type=1 index=24 mtu=1370 link=0 master=0

    ref=10 state=start present fw_flags=0 flags=up broadcast run multicast

  2. MTU of the software switch before and after adding the VXLAN interface to it (changed from 1500 --> 1370):

    diagnose netlink interface list sw1

    if=sw1 family=00 type=1 index=26 mtu=1500 link=0 master=0   <-- Before.

    ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast

    diagnose netlink interface list sw1

    if=sw1 family=00 type=1 index=26 mtu=1370 link=0 master=0  <-- After.

    ref=12 state=start present fw_flags=0 flags=up broadcast run multicast

This behavior can cause problems. For instance, if a software switch with VLAN or physical ports assigned to it has been working for some time and starts having issues right after a new member interface is added to it, check the MTU of the software switch.

If the software switch MTU has changed to a lower value, this is likely the cause of the issue.
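To run that check over saved `diagnose netlink interface list` output rather than by eye, here is an added Python example (not from this article or from FortiOS): it parses the `if=... mtu=...` lines, computes the MTU the switch is expected to adopt as the minimum of its members, and lists which members pulled it below the value it ran with before. The sample output text, the member port name `port3` and the member list are constructed for this example.

```python
import re

# Constructed sample in the format of `diagnose netlink interface list`.
# The sw1/vxlan names and MTU values mirror the ones shown in this article;
# port3 is an assumed second member. This text was not captured from a device.
SAMPLE_OUTPUT = """\
if=vxlan family=00 type=1 index=24 mtu=1370 link=0 master=0
ref=10 state=start present fw_flags=0 flags=up broadcast run multicast
if=port3 family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=8 state=start present fw_flags=0 flags=up broadcast run multicast
if=sw1 family=00 type=1 index=26 mtu=1370 link=0 master=0
ref=12 state=start present fw_flags=0 flags=up broadcast run multicast
"""

# Only the "if=" lines carry the name and MTU; the "ref=" lines are skipped.
IF_LINE = re.compile(r"^if=(?P<name>\S+)\s.*?\bmtu=(?P<mtu>\d+)\b")


def parse_mtus(output):
    """Map interface name -> MTU from the diagnose output text."""
    mtus = {}
    for line in output.splitlines():
        m = IF_LINE.match(line.strip())
        if m:
            mtus[m.group("name")] = int(m.group("mtu"))
    return mtus


def expected_switch_mtu(mtus, members, default=1500):
    """The software switch adopts the lowest MTU among its members; with no
    members it keeps the FortiOS default (1500 in this article)."""
    member_mtus = [mtus[m] for m in members if m in mtus]
    return min(member_mtus) if member_mtus else default


def check_switch(output, switch, members, baseline_mtu):
    """Return (current_mtu, expected_mtu, limiting_members), where
    limiting_members are the members whose MTU is below the baseline the
    switch ran with before the new member was added."""
    mtus = parse_mtus(output)
    current = mtus.get(switch)
    expected = expected_switch_mtu(mtus, members)
    limiting = sorted(m for m in members if m in mtus and mtus[m] < baseline_mtu)
    return current, expected, limiting


if __name__ == "__main__":
    cur, exp, lim = check_switch(SAMPLE_OUTPUT, "sw1", ["port3", "vxlan"], 1500)
    print(f"sw1 mtu={cur} expected={exp} limiting_members={lim}")
```

Paste the real output in place of the sample and pass the actual member list from `config system switch-interface`; any name in `limiting_members` is the interface that dragged the switch MTU down.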

If removing the newly added member is not an option, i.e. the new member (VXLAN or another type of interface) has to remain in the software switch, then:

  1. Adjust the MTU of traffic coming from the users (clients) to match the software switch MTU.
  2. If possible, ensure the DF bit on packets coming from the users (clients) is set to 0 (off).
  3. Disable 'honor-df' on the FortiGate. It is enabled by default.

After these changes, the application(s) should work again.