Created on 05-04-2006 12:00 AM
Description: When browsing the Internet, some sites are not viewable.

Components: (not specified)

Steps or Commands:

Problem: Certain web sites are not viewable. The FortiGate is configured to use PPPoE to connect to the ISP.

Solution: Use the "tcp-mss-sender" option in the firewall policy configuration.

Topology:

    HTTP Client----(internal)FGT(pppoe)----dsl----ISP----Internet----Web Server

The reason for this is that PPPoE encapsulation (a 6-byte PPPoE header plus a 2-byte PPP protocol ID) takes eight bytes out of the standard Ethernet MTU of 1500, leaving a usable MTU of 1492 on the DSL link. When the web server sends a full-size packet with the DF (Don't Fragment) bit set, the ADSL provider's router either does not send an ICMP "fragmentation needed" message, or that message is dropped somewhere on the path back to the web server. In either case the web server never learns that a smaller packet size is required to reach the client, so it keeps sending packets that cannot be delivered and the page never loads.

Setting "tcp-mss-sender" on the firewall policy makes the FortiGate rewrite the TCP MSS (maximum segment size) option in the TCP SYN packets that match the policy, so they leave the external (PPPoE) interface advertising the new, smaller value. By default a host's MSS is its MTU minus 40 bytes (20 bytes of IPv4 header plus 20 bytes of TCP header), so a client on a 1500-byte Ethernet LAN advertises 1460, while the correct value for a 1492-byte PPPoE link is 1452. When the HTTP client initiates a TCP connection, the following example changes the MSS value from 1460 to 1452 as the SYN leaves the PPPoE interface and travels on to the web server. The web server then uses the smaller MSS for the segments it sends back, so no packet larger than the link can carry is ever generated and no fragmentation is needed. The client can now view web pages properly.

    config firewall policy
        edit <policy_id>
            set tcp-mss-sender 1452
        next
    end

Here <policy_id> is the ID of the policy that matches the client's outbound traffic.

Alternatively, you can set the option on the internal interface(s) of the FortiGate unit rather than on individual firewall policies. For example:

    config system interface
        edit <port_name>
            set tcp-mss 1452
        next
    end

The <port_name> can be replaced by any internal-facing port.
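The following Python script is an added example, not Fortinet code or part of the original article. It shows what the MSS clamping described above actually does to a packet: it derives the default MSS from the link MTU (1500 - 40 = 1460 for the LAN, 1492 - 40 = 1452 for the PPPoE link), walks the TCP option list of a SYN, lowers an MSS option that exceeds the link value, and recomputes the TCP checksum so the rewritten SYN is still valid. The SYN it operates on is constructed inline (addresses, ports and sequence number are arbitrary sample values), and non-SYN or non-TCP packets are passed through untouched, since only SYN segments carry the MSS option.

```python
import struct

# Link arithmetic from the article: PPPoE encapsulation (6-byte PPPoE header +
# 2-byte PPP protocol ID) costs 8 bytes of the 1500-byte Ethernet MTU.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def mss_for_mtu(mtu):
    """Default TCP MSS a host derives from its link MTU (MTU minus IP and TCP headers)."""
    return mtu - IPV4_TCP_HEADERS


def checksum(data):
    """RFC 1071 Internet checksum over an arbitrary byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(src, dst, tcp_len):
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)  # zero, protocol TCP, length


def tcp_checksum(src, dst, tcp):
    """TCP checksum over the IPv4 pseudo-header and the segment (checksum field treated as zero)."""
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return checksum(_tcp_pseudo_header(src, dst, len(tcp)) + zeroed) or 0xFFFF


def tcp_checksum_ok(packet):
    """True if the TCP segment inside an IPv4 packet carries a valid checksum."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return checksum(_tcp_pseudo_header(packet[12:16], packet[16:20], len(tcp)) + tcp) == 0


def _tcp_options(tcp):
    """Yield (offset, kind, length) for each multi-byte TCP option in a TCP header."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                       # End of Option List
            return
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= data_off:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            return                          # malformed option: stop parsing
        yield i, kind, length
        i += length


def read_mss(packet):
    """Return the MSS option value advertised by the TCP segment in an IPv4 packet, or None."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    for off, kind, length in _tcp_options(tcp):
        if kind == 2 and length == 4:       # kind 2 = Maximum Segment Size
            return struct.unpack("!H", tcp[off + 2:off + 4])[0]
    return None


def clamp_mss(packet, max_mss):
    """Lower the MSS option of a TCP SYN to max_mss and fix the TCP checksum; other packets pass unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                      # IPv4 protocol field: not TCP
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                  # MSS is only carried on SYN segments
        return packet
    changed = False
    for off, kind, length in _tcp_options(tcp):
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", tcp[off + 2:off + 4])[0]
            if mss > max_mss:
                tcp[off + 2:off + 4] = struct.pack("!H", max_mss)
                changed = True
    if not changed:
        return packet
    tcp[16:18] = struct.pack("!H", tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed sample input: an IPv4 TCP SYN with DF set advertising the given MSS (not a captured packet)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    options = struct.pack("!BBH", 2, 4, mss)                 # MSS option: kind 2, length 4
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_off << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)  # 0x4000 = DF
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    lan_mss = mss_for_mtu(ETHERNET_MTU)                     # 1460: what the LAN client advertises
    link_mss = mss_for_mtu(ETHERNET_MTU - PPPOE_OVERHEAD)   # 1452: what the PPPoE link can carry
    syn = build_syn("192.168.1.10", "203.0.113.80", 40000, 80, lan_mss)
    out = clamp_mss(syn, link_mss)
    print("MSS", read_mss(syn), "->", read_mss(out), "checksum ok:", tcp_checksum_ok(out))
```

Run it and the client's SYN goes from advertising 1460 to 1452 with a valid checksum, which is the transformation the firewall policy applies on the way out of the PPPoE interface; a SYN already advertising 1452 or less, and any non-SYN segment, come back unchanged.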
Copyright 2024 Fortinet, Inc. All Rights Reserved.