kcheng
Staff
Article Id 304807
Description This article explains why Wireshark shows TCP Retransmission, as expected behavior, when a packet enters FortiGate via the LAN interface and exits through the GRE tunnel.
Scope FortiGate.
Solution

Topology:

Client -- SW -- Local FortiGate --GRE Tunnel-- Remote FGT/L3 device -- Internet/Remote subnet

 

In the above topology, clients access the Internet and remote subnet via the GRE Tunnel built between the Local FortiGate and the Remote FGT/L3 device.

 

When the packet sniffer is run on the Local FortiGate, Wireshark marks the traffic as TCP Retransmission, and this happens for all of the packets:

 

[Screenshot: Retransmit.png]

 

This is expected, as the packet from the client reaches the FortiGate via the LAN interface and is then forwarded to the GRE tunnel. Inspecting the link-layer information of each frame clarifies this. In frame 1, the link-layer source is the switch:

 

[Screenshot: Screenshot_1.png]

 

In the next frame, it is observed that the link-layer address type changes from Ethernet to GRE over IP:

 

[Screenshot: Screenshot_2.png]

 

The packet was not retransmitted; it was received on the LAN interface and forwarded to the GRE tunnel interface. Wireshark sees the same TCP segment twice and flags the second copy, so this is an expected result in Wireshark.
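The check described above can be scripted. The following is an added example, not part of the original article or any Fortinet tooling: it labels a repeated TCP segment as a forwarded copy when the link-layer address type differs from the earlier sighting, and as a retransmission only when it repeats on the same type. It assumes the capture uses the Linux cooked (SLL) header with ARPHRD values 1 (Ethernet) and 778 (GRE over IP); the frames, addresses and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

ARPHRD_ETHER, ARPHRD_IPGRE = 1, 778  # assumed link-layer address types in the SLL header

def sll_frame(arphrd, seq, payload=b"GET / HTTP/1.1\r\n"):
    """Build a constructed SLL + IPv4 + TCP frame (checksums left at zero)."""
    sll = struct.pack("!HHH8sH", 0, arphrd, 6, b"\x00" * 8, 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 10]), bytes([192, 0, 2, 80]))
    return sll + ip + tcp + payload

def segment_key(frame):
    """Return (link-layer address type, tuple identifying the TCP segment)."""
    arphrd, = struct.unpack_from("!H", frame, 2)
    ip = frame[16:]                       # SLL header is 16 bytes
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
    data_off = (ip[ihl + 12] >> 4) * 4
    paylen = total_len - ihl - data_off
    return arphrd, (ip[12:16], ip[16:20], sport, dport, seq, paylen)

def classify(frames):
    """Label each frame: first, forwarded-copy, retransmission or no-data."""
    seen = defaultdict(list)              # segment -> address types already seen
    verdicts = []
    for frame in frames:
        arphrd, key = segment_key(frame)
        if key[-1] == 0:                  # pure ACKs carry no data to retransmit
            verdicts.append("no-data")
            continue
        if not seen[key]:
            verdicts.append("first")
        elif arphrd in seen[key]:         # same segment again on the same interface type
            verdicts.append("retransmission")
        else:                             # same segment, Ethernet then GRE over IP
            verdicts.append("forwarded-copy")
        seen[key].append(arphrd)
    return verdicts

# Constructed capture: two segments seen on LAN then GRE, then one real resend on LAN.
CAPTURE = [sll_frame(ARPHRD_ETHER, 1000), sll_frame(ARPHRD_IPGRE, 1000),
           sll_frame(ARPHRD_ETHER, 1016), sll_frame(ARPHRD_IPGRE, 1016),
           sll_frame(ARPHRD_ETHER, 1016)]

if __name__ == "__main__":
    print(classify(CAPTURE))
```
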
