?
Solved

troubleshooting incoming fragment being dropped for a vpn tunnel

Posted on 2014-11-09
2
Medium Priority
?
225 Views
Last Modified: 2014-11-13
hello we have a third party vpn w/2048bit cert (fortinet 60C) It is directly connected to our cable modem w/static ip.  
the vpn is able to send out packets to the other endpoint, broken into 1500bit and 254bit.  On the return trip, the third party tech advises us that the larger packet, 1500bit makes it back, however for unknown reasons the 254bit smaller packet gets dropped.

we can't admin the 60C. it's one of these bank/fed reserve connections. however we know that the 60C is setup at 1500MTU and the modem is also 1500MTU.  there is not device between the 60C and the modem, it goes direct to the modem as above. any thoughts as to what would not allow the 254bit packet back?  I've been troubleshooting with the ISP and getting nowhere. thinking we'll have to change the circuit?
0
Comment
Question by:cfgtechs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 30

Accepted Solution

by:
Predrag earned 2000 total points
ID: 40432385
Theoretically (since I don't know fortinet routers):
If your MTU is set to 1500bit and than send it to VPN - your packets become bigger than 1500bits.
Of course you are adding some encapsulation (create bigger packets than 1500bits), so packets are fragmented, and usually for security fragmentation is forbidden on routers.
On Cisco router MTU usually is set to 1492bits. Probably 60C or your router forbid fragmentation. Sometimes you should also adjust Maximum Segment Size to size (Cisco usual is 1452bits).

So after this adjustments MTU to be smaller size than 1500 to packets have size 1500bits when leaving your WAN interface.
Other way to repair this problem is to allow packet fragmentation on both routers.
0
 
LVL 2

Author Comment

by:cfgtechs
ID: 40433495
Predrag,

According to the vpn provider, the same setup has worked for thousands of installs. they advised that they are not allowed to change the MTU size on the fortinet. Can the ISPs' incoming router, i imagine it is the device that not allowing the security fragment because i dont have any other devices in front of the fortinet, can't they make an exception entry for our ip?
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A look at what happened in the Verizon cloud breach.
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question