gbollinger
New Contributor

TCP MSS - Apply to Interface or Policy

Should I apply the tcp mss / tcp sender or receiver commands to the interface or policy or both?


What is best practice?

gfleming
Staff

What are you trying to accomplish?

Cheers,
Graham
gbollinger
New Contributor

I'm trying to limit packet fragmentation (TCP and UDP) for traffic originating from behind the FW and for the VPNs (SSL and IPSEC) logically connecting to it. I'm not sure whether it's best to apply the TCP MSS size adjustment on the FW interfaces or policies or both, and whether to lower the WAN/VPN tunnel interfaces to a lower MTU with PMTU discovery enabled on the FW.

gfleming

So you need to determine why you are getting fragmentation in the first place and address it in the correct spot. If all traffic is fragmented you likely need a more global setting like on your WAN interface. If it's just VPN traffic then setting mtu and mss on the VPN interfaces would be ideal and all you need to do. Setting it at the policy level works but doesn't work when people forget to set it when creating new policies, for example. It also only works for mss and not mtu (so non-TCP traffic may still get fragmented).


Some more reading here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/596096/interface-mtu-packet-...

Cheers,
Graham
gbollinger

The true area of concern is the IPSEC VPN. Do you recommend setting both TCP MSS to 1360 and MTU to 1400 at the virtual interface and the appropriate policies? This way the tunnel and all UDP or TCP traffic within it are not fragmented? Leave the WAN interface at MTU 1500 and all other MSS as normal for all other traffic?

gfleming

Indeed. If you are having issues with fragmentation over the IPSec VPN only then manually set the IPSec interface MTU to 1400 and TCP MSS to 1360 and that should be all you need to do. You do not need to edit the policies as the interface settings will take precedence.

Cheers,
Graham
gbollinger

Additional question: SSL VPN. Does the MTU or MSS need to be adjusted for it?

gfleming

That's a good question. Intuitively I will say no, unless you are having issues with TCP/IP fragmentation out of your WAN interface. I.e., if regular HTTPS traffic is being fragmented, then you probably need to set your MTU/MSS on your WAN interface as well.

Cheers,
Graham
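For reference, the two places discussed in this thread (interface level, as Graham recommends for the IPsec tunnel and, if needed, the WAN interface; policy level, which clamps TCP MSS only) look like this in the FortiOS CLI. This is an added example written for this page, not configuration taken from the thread or from Fortinet's documentation; the tunnel interface name `ipsec-to-hq`, the WAN interface name `wan1` and the policy ID `10` are assumed placeholders, and the diagnose command is included as a way to verify the result on the assumption that it is available on your firmware.

```text
# Interface level: applies to every packet leaving the tunnel interface,
# so both TCP (via MSS) and non-TCP traffic (via MTU) are covered.
# 1360 = 1400 - 20 (IPv4 header) - 20 (TCP header).
config system interface
    edit "ipsec-to-hq"
        set mtu-override enable
        set mtu 1400
        set tcp-mss 1360
    next
end

# Only if regular (non-VPN) traffic out of the WAN interface is also being
# fragmented, as in the SSL VPN / HTTPS case above; otherwise leave wan1
# at its default MTU of 1500 and no MSS clamp.
# config system interface
#     edit "wan1"
#         set mtu-override enable
#         set mtu 1400
#         set tcp-mss 1360
#     next
# end

# Policy level alternative: TCP only, and must be repeated on every policy
# that carries tunnel traffic (easy to forget on new policies).
config firewall policy
    edit 10
        set tcp-mss-sender 1360
        set tcp-mss-receiver 1360
    next
end

# Verify the effective MTU on the tunnel interface after the change.
diagnose netlink interface list ipsec-to-hq
```

The interface settings are the simpler and more complete option: the MTU clamp covers UDP and other non-TCP traffic that an MSS clamp cannot touch, and there is nothing to remember when new policies are added later.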