Biraman
Staff
Article Id 268521
Description

This article describes issues that may arise after a firmware upgrade from 6.4.x to 7.0.x, 7.2.x, or 7.4.x when users access public websites over an IPsec VPN and the firewall policy is set to flow-based inspection mode with a UTM profile applied.

 

The following is an example of a topology that may encounter the issue:

User ----Local FortiGate =========Site-to-Site IPSec============Remote FortiGate (Inspecting Traffic) ---------Internet------Webserver


Packet captures on the WAN side show the FortiGate dropping Server Hello packets received from the web server and responding with ICMP control packets carrying the error code 'Fragmentation needed'. If no UTM profile is set on the firewall policy, the same Server Hello packets pass through.


 

MTU settings on all involved interfaces are left at their defaults; in this case, the MTU of the IPsec tunnel interface is 1420 bytes.

Scope

FortiOS 7.0.x, 7.2.x, and 7.4.x, flow-based inspection for traffic transiting from an IPsec tunnel to the WAN interface.

This issue is expected to be fixed in 7.2.6 and 7.4.1.
Solution

Following are the workarounds that can be used:

 

  1. Change the firewall policy inspection mode from flow-based to proxy-based. This resolves the issue because the FortiGate then handles the TLS negotiation in two separate sessions (client to FortiGate and FortiGate to server):


config firewall policy
    edit <Policy ID>
        set inspection-mode proxy
    next
end


  2. Manually increase the MTU of the IPsec tunnel interface to 1438 so that the packets are no longer dropped because they would need fragmentation:


config system interface
    edit <name of IPSec Tunnel>
        set mtu-override enable
        set mtu 1438
    next
end


  3. Reduce the TCP MSS at the policy level so that the web server sends the Server Hello in smaller segments:


config firewall policy
    edit <Policy ID>
        set tcp-mss-sender 1380
        set tcp-mss-receiver 1380
    next
end
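The following is an added example (not from this article or from Fortinet) that shows the size arithmetic behind workarounds 2 and 3: a full-size segment from a server on a 1500-byte path is 1500 bytes, which does not fit a 1420-byte tunnel MTU, while clamping the MSS to 1380 (1420 minus 20 bytes IPv4 header minus 20 bytes TCP header) makes every segment fit. It assumes IPv4 without IP or TCP options, the DF bit set on server traffic, and a constructed 4000-byte TLS server flight; it models only the MTU/MSS relationship, not the flow-inspection defect the article describes.

```python
"""Model TCP segment sizes against an IPsec tunnel MTU and derive a tcp-mss clamp.

Constructed example. The 1420-byte tunnel MTU and 1380-byte MSS come from the
article; header sizes and the 4000-byte TLS flight are assumptions.
"""
from dataclasses import dataclass

IPV4_HDR = 20  # bytes, IPv4 header without options (assumption)
TCP_HDR = 20   # bytes, TCP header without options (assumption)


@dataclass
class Segment:
    payload: int      # TCP payload bytes carried by this segment
    df: bool = True   # Don't Fragment bit; set by default for PMTUD (assumption)

    @property
    def size(self) -> int:
        """On-the-wire IPv4 packet size before IPsec encapsulation."""
        return IPV4_HDR + TCP_HDR + self.payload


def mss_clamp_for(tunnel_mtu: int) -> int:
    """Largest IPv4 TCP MSS whose full-size segment still fits the tunnel MTU."""
    return tunnel_mtu - IPV4_HDR - TCP_HDR


def forward(seg: Segment, tunnel_mtu: int) -> str:
    """Classify what an MTU-enforcing hop does with one segment."""
    if seg.size <= tunnel_mtu:
        return "forwarded"
    # Too big: a DF-marked packet is answered with ICMP 'Fragmentation needed',
    # otherwise it would be fragmented and forwarded.
    return "icmp-frag-needed" if seg.df else "fragmented"


def segment_flight(total: int, mss: int) -> list[Segment]:
    """Split a TLS server flight (ServerHello..ServerHelloDone) into MSS-sized segments."""
    return [Segment(min(mss, total - off)) for off in range(0, total, mss)]


def outcomes(total: int, mss: int, tunnel_mtu: int) -> dict[str, int]:
    """Count the fate of each segment of a flight when it meets the tunnel MTU."""
    counts: dict[str, int] = {}
    for seg in segment_flight(total, mss):
        fate = forward(seg, tunnel_mtu)
        counts[fate] = counts.get(fate, 0) + 1
    return counts


if __name__ == "__main__":
    print("server MSS 1460 over 1420 tunnel:", outcomes(4000, 1460, 1420))
    print("clamped MSS", mss_clamp_for(1420), ":", outcomes(4000, 1380, 1420))
```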
