Solved

troubleshooting incoming fragment being dropped for a vpn tunnel

Posted on 2014-11-09
2
220 Views
Last Modified: 2014-11-13
hello we have a third party vpn w/2048bit cert (fortinet 60C) It is directly connected to our cable modem w/static ip.  
the vpn is able to send out packets to the other endpoint, broken into 1500bit and 254bit.  On the return trip, the third party tech advises us that the larger packet, 1500bit makes it back, however for unknown reasons the 254bit smaller packet gets dropped.

we can't admin the 60C. it's one of these bank/fed reserve connections. however we know that the 60C is setup at 1500MTU and the modem is also 1500MTU.  there is not device between the 60C and the modem, it goes direct to the modem as above. any thoughts as to what would not allow the 254bit packet back?  I've been troubleshooting with the ISP and getting nowhere. thinking we'll have to change the circuit?
0
Comment
Question by:cfgtechs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 29

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40432385
Theoretically (since I don't know fortinet routers):
If your MTU is set to 1500bit and than send it to VPN - your packets become bigger than 1500bits.
Of course you are adding some encapsulation (create bigger packets than 1500bits), so packets are fragmented, and usually for security fragmentation is forbidden on routers.
On Cisco router MTU usually is set to 1492bits. Probably 60C or your router forbid fragmentation. Sometimes you should also adjust Maximum Segment Size to size (Cisco usual is 1452bits).

So after this adjustments MTU to be smaller size than 1500 to packets have size 1500bits when leaving your WAN interface.
Other way to repair this problem is to allow packet fragmentation on both routers.
0
 
LVL 2

Author Comment

by:cfgtechs
ID: 40433495
Predrag,

According to the vpn provider, the same setup has worked for thousands of installs. they advised that they are not allowed to change the MTU size on the fortinet. Can the ISPs' incoming router, i imagine it is the device that not allowing the security fragment because i dont have any other devices in front of the fortinet, can't they make an exception entry for our ip?
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question