Greetings Forti Community,
I use a web application that I reach on an IP address in my company network over IPsec VPN.
It appears that the application sends an HTTP POST request to the server that can't get through the VPN tunnel, because the package is too big.
After I changed my client VPN network interface to MTU 1350, it could send the package and the access worked. I changed it with the following command:
netsh interface ipv4 set subinterface "Ethernet 3" mtu=1350 store=persistent
After that I tried to set the MTU of the VPN IPsec tunnel to 1350 and restarted my client, but I still couldn't access the web application. I've also tried different MTU values on the firewall, but it didn't really change anything. It only works if I do it on the client via the command line.
If I restart my client and start the FortiClient VPN, it seems that this resets the MTU on my client VPN network interface. So I'd have to execute the command to change my client MTU every time after I start the FortiClient.
Does anyone know how to set the MTU for the FortiClient, so my network interface always gets the correct value, or how to get this to work on the firewall?
Thank you very much for your help in advance!
Best,
Gary
I'm not seeing any way to adjust this automatically in the FortiClient unfortunately.
You may be able to adjust the TCP-MSS value in the SSLVPN's Firewall Policy instead.
See: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518
Thanks for this! But my VPN Tunnel is IPSec. It seems that I don't have the option to edit the MSS value there, am I correct?
Read the KB @johnathan posted. The MSS adjustment is done at the policies handling IPSec traffic. Not at the interface.
Toshi
Thanks for the heads up! I got it wrong first.
Thank you very much, this solved the problem! :)
Hi, it can also be done on the interface level, as shown in the article below
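Added example, not part of the thread or the linked article: a PowerShell function that measures the largest packet that crosses the tunnel unfragmented and derives the matching TCP MSS, so the value entered on the FortiGate is measured rather than guessed. The function name `Get-TunnelPathMtu` and the target address `192.0.2.10` are placeholders; the header sizes assume IPv4 without options.

```powershell
# Added example. Run on the client while the VPN is connected.
# Target must be a host behind the tunnel that answers ICMP echo.
function Get-TunnelPathMtu {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$MinPayload = 500,    # assumed lower bound that should always pass
        [int]$MaxPayload = 1472,   # 1500-byte Ethernet MTU minus 28 bytes IPv4 + ICMP headers
        [int]$TimeoutMs  = 2000
    )
    $ping = [System.Net.NetworkInformation.Ping]::new()
    # TTL 64, DontFragment = $true: oversized probes are dropped instead of fragmented
    $opts = [System.Net.NetworkInformation.PingOptions]::new(64, $true)

    # Returns $true when an echo of $size payload bytes comes back.
    # A lost packet looks the same as "too big", so repeat the run on a lossy link.
    $probe = {
        param($size)
        try {
            $r = $ping.Send($Target, $TimeoutMs, [byte[]]::new($size), $opts)
            return $r.Status -eq [System.Net.NetworkInformation.IPStatus]::Success
        } catch { return $false }
    }

    if (-not (& $probe $MinPayload)) {
        $ping.Dispose()
        throw "No reply at $MinPayload bytes; check that $Target answers ICMP over the tunnel."
    }

    # Binary search for the largest payload that still gets a reply.
    $lo = $MinPayload; $hi = $MaxPayload
    while ($lo -lt $hi) {
        $mid = [int][math]::Ceiling(($lo + $hi) / 2.0)
        if (& $probe $mid) { $lo = $mid } else { $hi = $mid - 1 }
    }
    $ping.Dispose()

    $pathMtu = $lo + 28            # add back 20 bytes IPv4 + 8 bytes ICMP
    [pscustomobject]@{
        MaxIcmpPayload = $lo
        PathMtu        = $pathMtu
        TcpMss         = $pathMtu - 40   # minus 20 bytes IPv4 + 20 bytes TCP
    }
}

Get-TunnelPathMtu -Target '192.0.2.10'   # placeholder address
```

The `TcpMss` result is the upper bound for the TCP-MSS value set on the policy handling the IPsec traffic, as described in the KB linked above.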
Copyright 2024 Fortinet, Inc. All Rights Reserved.