?
Solved

troubleshooting incoming fragment being dropped for a vpn tunnel

Posted on 2014-11-09
2
Medium Priority
?
230 Views
Last Modified: 2014-11-13
hello we have a third party vpn w/2048bit cert (fortinet 60C) It is directly connected to our cable modem w/static ip.  
the vpn is able to send out packets to the other endpoint, broken into 1500bit and 254bit.  On the return trip, the third party tech advises us that the larger packet, 1500bit makes it back, however for unknown reasons the 254bit smaller packet gets dropped.

we can't admin the 60C. it's one of these bank/fed reserve connections. however we know that the 60C is setup at 1500MTU and the modem is also 1500MTU.  there is not device between the 60C and the modem, it goes direct to the modem as above. any thoughts as to what would not allow the 254bit packet back?  I've been troubleshooting with the ISP and getting nowhere. thinking we'll have to change the circuit?
0
Comment
Question by:cfgtechs
2 Comments
 
LVL 32

Accepted Solution

by:
Predrag earned 2000 total points
ID: 40432385
Theoretically (since I don't know fortinet routers):
If your MTU is set to 1500bit and than send it to VPN - your packets become bigger than 1500bits.
Of course you are adding some encapsulation (create bigger packets than 1500bits), so packets are fragmented, and usually for security fragmentation is forbidden on routers.
On Cisco router MTU usually is set to 1492bits. Probably 60C or your router forbid fragmentation. Sometimes you should also adjust Maximum Segment Size to size (Cisco usual is 1452bits).

So after this adjustments MTU to be smaller size than 1500 to packets have size 1500bits when leaving your WAN interface.
Other way to repair this problem is to allow packet fragmentation on both routers.
0
 
LVL 2

Author Comment

by:cfgtechs
ID: 40433495
Predrag,

According to the vpn provider, the same setup has worked for thousands of installs. they advised that they are not allowed to change the MTU size on the fortinet. Can the ISPs' incoming router, i imagine it is the device that not allowing the security fragment because i dont have any other devices in front of the fortinet, can't they make an exception entry for our ip?
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question