JaskiratM
Staff
Article Id 259575
Description

This article describes how to fix traffic drops through an IPsec tunnel from a FortiClient machine connected to a Wi-Fi SSID on a FortiAP that is managed by a FortiGate equipped with an NP X series processing unit.

 

Scope

FortiGate.


  • PC-1 is connected via an IPsec tunnel to FortiGate-2 to access SERVER (file, print, etc.).
  • PC-1 builds the IPsec tunnel through a Wi-Fi SSID (tunnel or bridge mode) on a FortiAP managed by FortiGate-1, which is equipped with an NP X series processor.
  • When PC-1 tries to reach the server to transfer files or load data, packet drops are observed and data fails to load.
  • When a packet capture of the ESP traffic is taken at the FortiGate SSID interface, malformed or fragmented ESP packets are seen:


66.27.202.25 76.81.80.242 174 ESP ESP (SPI=0xa93d90a3)[Malformed Packet]

  • Since the CAPWAP offloading function on an NP X series FortiGate cannot process fragmented packets, the fragmented or malformed ESP packets are discarded, which causes the data transfer and application loading issues.
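The capture symptom above can be triaged quickly from a text export of the capture. The following script is an added example for this article, not Fortinet code; it assumes the whitespace-separated per-frame summary that Wireshark or tshark prints (source, destination, length, protocol, info), keys the frames by ESP SPI, and counts frames that carry Wireshark's "[Malformed Packet]" marker or are reported as IP fragments. Only the first sample line is taken from the article; the rest are constructed.

```python
"""Triage a text export of an ESP packet capture for fragmentation and
malformed-packet markers, per SPI.

Added example for this article, not Fortinet code. It assumes the
whitespace-separated per-frame summary that Wireshark/tshark prints:
source, destination, length, protocol, info. The sample lines below are
constructed; only the first one is taken from the article."""
import re
from collections import defaultdict

# Constructed sample: one malformed ESP frame, one IP fragment that carries
# no ESP header (so no SPI is visible), and two healthy ESP frames.
SAMPLE_CAPTURE = """\
66.27.202.25 76.81.80.242 174 ESP ESP (SPI=0xa93d90a3)[Malformed Packet]
66.27.202.25 76.81.80.242 1514 IPv4 Fragmented IP protocol (proto=ESP 50, off=1480, ID=2b1c)
66.27.202.25 76.81.80.242 94 ESP ESP (SPI=0xa93d90a3)
76.81.80.242 66.27.202.25 150 ESP ESP (SPI=0x1f3e4a5b)
"""

SPI_RE = re.compile(r"SPI=(0x[0-9a-fA-F]+)")
MALFORMED_MARK = "[Malformed Packet]"      # Wireshark expert-info marker
FRAGMENT_MARK = "Fragmented IP protocol"   # Wireshark info text for a non-first fragment


def parse_frame(line):
    """Split one summary line into its fields; return None for lines that
    do not look like a frame summary (headers, blanks)."""
    parts = line.split(None, 4)
    if len(parts) < 5 or not parts[2].isdigit():
        return None
    src, dst, length, proto, info = parts
    spi = SPI_RE.search(info)
    return {
        "src": src,
        "dst": dst,
        "length": int(length),
        "proto": proto,
        "spi": spi.group(1).lower() if spi else None,
        "malformed": MALFORMED_MARK in info,
        "fragment": FRAGMENT_MARK in info,
    }


def summarize(capture_text):
    """Count frames, malformed frames and fragments per SPI. Fragments
    without an ESP header are grouped under their src->dst pair instead."""
    stats = defaultdict(lambda: {"frames": 0, "malformed": 0, "fragments": 0, "max_len": 0})
    for raw in capture_text.splitlines():
        frame = parse_frame(raw.strip())
        if frame is None:
            continue
        key = frame["spi"] or f"{frame['src']}->{frame['dst']} (no SPI)"
        entry = stats[key]
        entry["frames"] += 1
        entry["malformed"] += int(frame["malformed"])
        entry["fragments"] += int(frame["fragment"])
        entry["max_len"] = max(entry["max_len"], frame["length"])
    return dict(stats)


def suspicious_keys(stats):
    """Keys whose traffic shows the symptom described in the article:
    any malformed ESP frame or any IP fragment."""
    return sorted(k for k, v in stats.items() if v["malformed"] or v["fragments"])


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE)
    for key in suspicious_keys(report):
        v = report[key]
        print(f"{key}: {v['frames']} frames, {v['malformed']} malformed, "
              f"{v['fragments']} fragments, largest {v['max_len']} bytes")
```

Feed it the summary export of a capture taken on the SSID interface; an SPI that shows malformed frames, or a src->dst pair that shows fragments, is the traffic being discarded by the offload path described above.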

Solution

There are two solutions to this problem. It is possible to either disable CAPWAP offload or alter the MTU size of the CAPWAP tunnel between the FortiAP and the FortiGate.

  1. Disable the CAPWAP offload feature on FortiGate-1 so that the traffic from the FortiAP is processed by the CPU, which can handle the fragmented packets. By default, managed FortiAP and FortiLink CAPWAP sessions are offloaded to the NP6 or NP6XLite ASICs.

Follow the commands below to disable the CAPWAP-offloading function.


config system npu
    set capwap-offload disable
end

  2. The MTU size for the CAPWAP tunnel between the FortiAP and the FortiGate can also be altered to stop the fragmentation from happening, so that no fragmented packets reach the NP X processor and no drops are experienced.

Follow the commands below to make the changes on the FortiAP profile to implement this solution:


config wireless-controller wtp-profile
    edit The-FAP-Profile
        set ip-fragment-preventing tcp-mss-adjust
        set tun-mtu-uplink 1200
        set tun-mtu-downlink 1200
    next
end
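To verify that one of the two solutions above is in place across every FortiAP profile, the configuration dump can be checked programmatically. The following script is an added example for this article, not Fortinet code: it parses the config/edit/set/next/end syntax shown above into nested dictionaries and reports, per wtp-profile, whether CAPWAP offload is disabled or the tunnel MTU is capped. The sample dump is constructed. Two assumptions are made: an absent capwap-offload setting is treated as enabled (following the article's note that offload is on by default), and a tunnel MTU at or below the article's 1200 counts as capped.

```python
"""Check a FortiOS configuration dump for the two mitigations this article
describes: CAPWAP offload disabled on the NPU, or a capped CAPWAP tunnel
MTU on each FortiAP profile.

Added example for this article, not Fortinet code. The parser handles the
config/edit/set/next/end structure shown in the article; the sample dump
below is constructed. Treating an absent 'capwap-offload' as enabled is an
assumption based on the article's note that offload is on by default."""
import shlex

# Constructed sample: offload still enabled, one profile fixed as the
# article shows, one profile left at its defaults.
SAMPLE_CONFIG = """\
config system npu
    set capwap-offload enable
end
config wireless-controller wtp-profile
    edit "The-FAP-Profile"
        set ip-fragment-preventing tcp-mss-adjust
        set tun-mtu-uplink 1200
        set tun-mtu-downlink 1200
    next
    edit "Default-Profile"
        set ap-country US
    next
end
"""

ARTICLE_TUN_MTU = 1200  # the value the article sets; used as the ceiling (assumption)


def parse_fortios(text):
    """Parse FortiOS CLI syntax into nested dicts.
    'config a b' and 'edit name' open scopes; 'next' and 'end' close them;
    'set key v...' stores a string (one value) or a list (several)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            scope = stack[-1].setdefault(" ".join(args), {})
            stack.append(scope)
        elif keyword == "edit":
            scope = stack[-1].setdefault(args[0], {})
            stack.append(scope)
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
    return root


def capwap_offload_enabled(cfg):
    """True when 'config system npu' leaves CAPWAP offload on (or unset)."""
    npu = cfg.get("system npu", {})
    return npu.get("capwap-offload", "enable") == "enable"


def profile_findings(cfg, max_tun_mtu=ARTICLE_TUN_MTU):
    """Return {profile_name: status} stating whether the profile's CAPWAP
    traffic is protected from the fragmentation drop the article describes."""
    offload_on = capwap_offload_enabled(cfg)
    findings = {}
    for name, prof in cfg.get("wireless-controller wtp-profile", {}).items():
        up = int(prof.get("tun-mtu-uplink", 0))
        down = int(prof.get("tun-mtu-downlink", 0))
        mtu_capped = 0 < up <= max_tun_mtu and 0 < down <= max_tun_mtu
        if not offload_on:
            status = "ok: capwap-offload disabled, CPU handles fragments"
        elif mtu_capped:
            status = f"ok: tunnel MTU capped at {up}/{down}"
        else:
            status = "at risk: capwap-offload enabled and tunnel MTU not capped"
        findings[name] = status
    return findings


if __name__ == "__main__":
    for profile, status in profile_findings(parse_fortios(SAMPLE_CONFIG)).items():
        print(f"{profile}: {status}")
```

Run it against the output of a full configuration backup; a profile reported "at risk" is one whose SSID clients can still hit the fragmented-ESP drop described in this article.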