Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mtalaq
New Contributor

Fragmentation needed

 

I have setup a new phone system in my work place and configure it to work over the VPN tunnel. everything working fine except video call.I have checked the port matrix for the phone system and all are allowed. when I tried to sniff the packets using the wire shark I received a message from the fortigate 1240B "destination unreachable (fragmentation needed)".   Phone system MTU 

## VIDEO_PAYLOAD_LENGTH specifies the video packets payload length (bytes)

##  Valid values are 0, 1200 through 1460; where 0 means that the video packets payload length is calculated

##  according to MTU_SIZE parameter. If MTU_SIZE is 1500 bytes then video payload length will be:

##  1460 == 1500 Bytes (Ethernet) - 20 (IP) - 8 (UDP) - 12 (RTP). In similar way if MTU_SIZE is 1496 bytes

##  then video payload length will be: 1456.

##  The default value is 0.

##  This parameter is supported by:

##       H1xx SIP R1.0 and later

## SET VIDEO_PAYLOAD_LENGTH 1460

 

 

even when i tried "set honor-df disable" the system does not recognize it as built-in command.     Please advise me to resolve this issue.
6 REPLIES 6
Toshi_Esumi
Esteemed Contributor III

Looks like your phone system has capability to adjust payload length manually. Have you tried the payload length like 1360, which should be well shorter than the MTU over the tunnel?

mtalaq

toshiesumi wrote:

Looks like your phone system has capability to adjust payload length manually. Have you tried the payload length like 1360, which should be well shorter than the MTU over the tunnel?

 thanks for your replay.

 

there is no option to change the MTU size in the phone system

Toshi_Esumi
Esteemed Contributor III

Just try uncommenting the last commented-out lines and set like below:

 

SET VIDEO_PAYLOAD_LENGTH 1360  

mtalaq

toshiesumi wrote:

Just try uncommenting the last commented-out lines and set like below:

 

SET VIDEO_PAYLOAD_LENGTH 1360

 

 

there is no feature like set video_payload_length

this is only comment

please refer to the below reply which I got from Fortigate 1240B

Toshi_Esumi
Esteemed Contributor III

My guess is df bit on the packets are still on. And the FG has to drop. If you want to confirm you can sniff those packets in detail including IP header (opyion 2 and look for the 4th HEX block). But even if you could drop the df bit and could get them fragmented, the destination might not defragment or at least fragmenting all video stream packets would be daunting task for your FG. It might not work well even if it works. To me, only option is to set the video payload size short enough not to be fragmented.

Wait for what other people have to comment on your case. Meanwhile you should get support from your phone system provider.

rwpatterson
Valued Contributor III

mtalaq wrote:

toshiesumi wrote:

Just try uncommenting the last commented-out lines and set like below:

 

SET VIDEO_PAYLOAD_LENGTH 1360

 

 

there is no feature like set video_payload_length

this is only comment

I believe that the last line of the snippet you posted is commented, but if you remove the leading two hashes (##), it will then be a command to the phone system. At that point you should be able to adjust the payload length. You may need to restart the phone system process to reread that new configuration.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Labels
Top Kudoed Authors