Description | This article explains why TCP Retransmission packets appear in Wireshark when a packet enters the FortiGate on the LAN interface and exits through the GRE tunnel, and why this is expected behavior. |
Scope | FortiGate. |
Solution |
Topology: Client -- SW -- Local FortiGate --GRE Tunnel-- Remote FGT/L3 device -- Internet/Remote subnet
In the above topology, clients access the Internet and remote subnet via the GRE Tunnel built between the Local FortiGate and the Remote FGT/L3 device.
When the packet sniffer is configured on the Local FortiGate, TCP Retransmission is observed in Wireshark, and it happens for all of the packets:
This is expected because the packet from the client reaches the FortiGate on the LAN interface and is then forwarded to the GRE tunnel, so the same packet appears in the capture twice. Inspecting the link-layer information makes this clear. In frame 1, the source of the frame is the switch:
In the next frame, it is observed that the link-layer address type changes from Ethernet to GRE over IP:
The packet was not retransmitted. It was received on the LAN interface and then forwarded to the GRE tunnel interface. This is an expected result in Wireshark. |
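The check described above, as an added Python example that is not part of the Fortinet article: it labels a repeated TCP data segment as a forwarded copy when the link-layer address type differs from the earlier sighting, and as a retransmission when it matches. It assumes the capture uses the Linux cooked (SLL) header, where that field is 1 for Ethernet and 778 for IP GRE; the addresses, ports and frames are constructed.

```python
import struct
from collections import defaultdict

ARPHRD = {1: "Ethernet", 778: "IPGRE"}  # Linux ARPHRD_* link-layer address types

def sll_frame(arphrd, ttl, seq, payload=b"GET / HTTP/1.1\r\n"):
    """Build a constructed SLL + IPv4 + TCP frame (checksums left at zero)."""
    sll = struct.pack("!HHH8sH", 0, arphrd, 6, bytes(8), 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 1, 5 << 4, 0x18, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return sll + ip + tcp + payload

def parse(frame):
    """Return (segment key, link-layer address type) for an SLL IPv4/TCP data segment."""
    _, arphrd, _, _, proto = struct.unpack("!HHH8sH", frame[:16])
    ip = frame[16:]
    if proto != 0x0800 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    seg_len = total - ihl - (ip[ihl + 12] >> 4) * 4
    if seg_len == 0:
        return None  # pure ACKs carry no data, so they are not compared
    # TTL is left out of the key: it drops by one when the FortiGate forwards.
    return (ip[12:16], ip[16:20], sport, dport, seq, seg_len), arphrd

def classify(frames):
    """Label each repeated TCP segment as a forwarded copy or a retransmission."""
    seen, out = defaultdict(set), []
    for n, frame in enumerate(frames, 1):
        parsed = parse(frame)
        if parsed is None:
            continue
        key, arphrd = parsed
        if not seen[key]:
            out.append((n, "first sighting"))
        elif arphrd in seen[key]:
            out.append((n, "retransmission"))   # same segment, same interface type
        else:
            out.append((n, "forwarded copy"))   # same segment, LAN vs. GRE side
        seen[key].add(arphrd)
    return out

# Constructed capture: frames 1-2 are one segment seen on the LAN and then on GRE;
# frame 3 repeats it on the LAN side, which is a genuine retransmission.
CAPTURE = [sll_frame(1, 64, 1000), sll_frame(778, 63, 1000), sll_frame(1, 64, 1000)]
```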
Copyright 2024 Fortinet, Inc. All Rights Reserved.