Dear ALL,
My company moved to a new place recently. Assume the new office is site A and the web server is at site B; everything is the same except two new 200Ds (settings copied from the 140D), but now we can't access our web server anymore.
I checked: the IPsec tunnel MTU is 1438, our desktops are 1500, and Wireshark shows TCP fragments.
I tried setting the desktop MTU to 1420 and it works.
Questions:
1. Is there any difference between the 140D and the 200D? (same settings, but a new MTU problem in the new office)
2. My boss doesn't want to change the desktop MTU or specify the tunnel MTU; is there any other option?
Many thanks.
What version of FortiOS were/are they running? Earlier versions of 5.4 had some fragmentation issues.
Don't change the desktop(s) MTU, just use set tcp-mss in the firewall policies for the traffic from the desktops to the webserver(s).
http://socpuppet.blogspot.com/2013/05/tcp-mss-adjusment-fortigate-style.html
NOTE: that only helps with TCP-based traffic.
Ken
PCNSE
NSE
StrongSwan
To Toshi Esumi: v5.2.13, build762 (GA)
Thank you for answering my question. I found out what is going on.....
I turned off "Avast Free Antivirus Web Shield", with MTU 1500 on the desktop and without changing anything on the 200D,
no more fragments in Wireshark, and I can access the web server successfully.
It's really weird that Avast worked just fine at the old office, but now it looks like Avast checks the MTU size???
Or is it just that the 200D's VPN IPsec tunnel settings are very different from the 140D's?
This is the tunnel setting on the 200D:
--------------------------
config vpn ipsec phase1-interface
    edit "SITE B"
        set interface "vlan103"
        set ike-version 2
        set keylife 172800
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw XXXXX
        set psksecret XXXXX
    next
end
--------------------------
Thanks for reading this; please help if you have some kind of experience with this. Thank you once again.
Have you tried the 140D at the new place with the new circuit? The tunnel MTU size of 1438 is simply decided by the MTU size on the outgoing interface (default 1500). So nothing would change even if you swapped the current 200D for a 140D. Nothing in the IPsec (IKEv1) config can influence the tunnel MTU size either. And I'm not the person who can tell why antivirus has anything to do with the symptom.
But if it's HTTP/HTTPS, the TCP-MSS adjustment emnoc suggested is the most reliable way to set the download packet size lower before it leaves the web server. I didn't know it could be done at the policy level until he mentioned it; I always did it at the interfaces. In the discussion below, ashukla_FTNT explained how the tcp-mss-sender and tcp-mss-receiver parameters work in the TCP handshake.
https://forum.fortinet.com/tm.aspx?m=120033
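To put numbers on the two points made in this thread (emnoc's advice to clamp TCP MSS in the firewall policy instead of touching desktop MTUs, and Toshi Esumi's point that the 1438-byte tunnel MTU falls out of the 1500-byte outgoing interface MTU), here is an added Python worked example. It is not part of this thread and not Fortinet code: it reproduces the ESP tunnel-mode overhead for the aes256-sha256 proposal in the posted phase1 config from the RFC 4303 / RFC 3602 / RFC 4868 constants, derives the tunnel MTU and the matching MSS, and emits the FortiOS policy lines. The overhead arithmetic is the RFC layout, not FortiOS's own implementation, and the policy id 1 is a placeholder.

```python
"""Tunnel MTU and TCP-MSS arithmetic for an IPsec ESP tunnel (added example).

ESP tunnel-mode layout per RFC 4303 with AES-CBC (RFC 3602) and
HMAC-SHA-256-128 (RFC 4868):
  outer IPv4 header (20) | ESP header: SPI + seq (8) | IV (16)
  | inner IP packet + padding + pad-length (1) + next-header (1), padded to
    the 16-byte AES block | ICV (16)
"""
from typing import List

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# (IV length, cipher block size) and truncated HMAC ICV length per algorithm.
CIPHER_IV_AND_BLOCK = {"aes256": (16, 16), "aes128": (16, 16)}
ICV_LEN = {"sha256": 16, "sha1": 12}


def esp_packet_size(inner_len: int, cipher: str, auth: str) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len bytes."""
    iv_len, block = CIPHER_IV_AND_BLOCK[cipher]
    encrypted = inner_len + ESP_TRAILER
    padded = -(-encrypted // block) * block     # round up to the cipher block size
    return IPV4_HDR + ESP_HDR + iv_len + padded + ICV_LEN[auth]


def tunnel_mtu(interface_mtu: int, cipher: str, auth: str) -> int:
    """Largest inner IP packet that still fits in one outer packet of interface_mtu."""
    # The answer is within one cipher block of the interface MTU, so a short
    # downward scan is enough.
    for inner in range(interface_mtu, 0, -1):
        if esp_packet_size(inner, cipher, auth) <= interface_mtu:
            return inner
    raise ValueError("interface MTU too small for the ESP overhead")


def max_tcp_mss(path_mtu: int) -> int:
    """Largest TCP payload per segment that fits in path_mtu (IPv4, no options)."""
    return path_mtu - IPV4_HDR - TCP_HDR


def would_fragment(host_mtu: int, path_mtu: int) -> bool:
    """True if a full-size segment from a host with host_mtu exceeds the path."""
    return host_mtu > path_mtu


def fortios_policy_mss_lines(policy_id: int, mss: int) -> List[str]:
    """FortiOS CLI lines that clamp the MSS in both directions of one policy.
    tcp-mss-sender / tcp-mss-receiver are real policy options; the id is a
    placeholder (assumption: adjust to the policy carrying desktop -> web traffic).
    """
    return [
        "config firewall policy",
        f"    edit {policy_id}",
        f"        set tcp-mss-sender {mss}",
        f"        set tcp-mss-receiver {mss}",
        "    next",
        "end",
    ]


if __name__ == "__main__":
    mtu = tunnel_mtu(1500, "aes256", "sha256")
    print("tunnel MTU behind a 1500-byte interface:", mtu)
    for host in (1500, 1420):
        print(f"desktop MTU {host}: fragments={would_fragment(host, mtu)}")
    print("\n".join(fortios_policy_mss_lines(1, max_tcp_mss(mtu))))
```

The scan confirms the thread's observation: a 1438-byte inner packet plus the 2 trailer bytes is exactly 90 AES blocks, so the outer packet lands on 1500 bytes, while 1439 bytes pads to 1516 and no longer fits. Clamping both MSS values to 1398 makes every full TCP segment fit the tunnel without touching any desktop; as emnoc notes, non-TCP traffic gets no benefit from this and still relies on fragmentation or path MTU discovery.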