Troubleshoot IPsec VPN Tunnels, Packet size related

(2024-11-13)

To confirm errors are increasing on IPsec VPN interface(s), periodically issue one of the below commands:

A)

      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:337 errors:1 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0

B)

#diagnose netlink interface list <Phase 1 name>
stat: rxp=15172 txp=26662 rxb=2994702 txb=3515847 rxe=0 txe=0 rxd=0 txd=0 mc=6529 collision=0

FortiOS constructs the MTU to the remote peer based on PMTU calculations. MTU of an IPsec interface is not configurable. The final and most accurate calculation is only done when traffic is starting to traverse the tunnel interface. The MTU value can be seen via the command:

#diagnose vpn tunnel list name <Phase 1 name>