Solved

troubleshooting incoming fragment being dropped for a vpn tunnel

Posted on 2014-11-09
2
209 Views
Last Modified: 2014-11-13
hello we have a third party vpn w/2048bit cert (fortinet 60C) It is directly connected to our cable modem w/static ip.  
the vpn is able to send out packets to the other endpoint, broken into 1500bit and 254bit.  On the return trip, the third party tech advises us that the larger packet, 1500bit makes it back, however for unknown reasons the 254bit smaller packet gets dropped.

we can't admin the 60C. it's one of these bank/fed reserve connections. however we know that the 60C is setup at 1500MTU and the modem is also 1500MTU.  there is not device between the 60C and the modem, it goes direct to the modem as above. any thoughts as to what would not allow the 254bit packet back?  I've been troubleshooting with the ISP and getting nowhere. thinking we'll have to change the circuit?
0
Comment
Question by:cfgtechs
2 Comments
 
LVL 26

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40432385
Theoretically (since I don't know fortinet routers):
If your MTU is set to 1500bit and than send it to VPN - your packets become bigger than 1500bits.
Of course you are adding some encapsulation (create bigger packets than 1500bits), so packets are fragmented, and usually for security fragmentation is forbidden on routers.
On Cisco router MTU usually is set to 1492bits. Probably 60C or your router forbid fragmentation. Sometimes you should also adjust Maximum Segment Size to size (Cisco usual is 1452bits).

So after this adjustments MTU to be smaller size than 1500 to packets have size 1500bits when leaving your WAN interface.
Other way to repair this problem is to allow packet fragmentation on both routers.
0
 
LVL 2

Author Comment

by:cfgtechs
ID: 40433495
Predrag,

According to the vpn provider, the same setup has worked for thousands of installs. they advised that they are not allowed to change the MTU size on the fortinet. Can the ISPs' incoming router, i imagine it is the device that not allowing the security fragment because i dont have any other devices in front of the fortinet, can't they make an exception entry for our ip?
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now