This article describes how to fix traffic drops through an IPsec tunnel from a FortiClient machine connected to a WiFi SSID on a FortiAP managed by a FortiGate equipped with an NP X series processing unit.
FortiGate.
66.27.202.25 76.81.80.242 174 ESP ESP (SPI=0xa93d90a3)[Malformed Packet]
There are two solutions to this problem: either disable CAPWAP offload, or alter the MTU size of the CAPWAP tunnel between the FortiAP and the FortiGate.
For the first solution, use the commands below to disable the CAPWAP offloading function:
config system npu
set capwap-offload disable
end
For the second solution, use the commands below to change the CAPWAP tunnel MTU in the FortiAP profile:
config wireless-controller wtp-profile
edit The-FAP-Profile
set ip-fragment-preventing tcp-mss-adjust
set tun-mtu-uplink 1200
set tun-mtu-downlink 1200
end