Support Forum
Tim_86
New Contributor III

HELP - FortiOS 5.6 VxLAN encapsulation within IPsec - VLAN Trunking

Hi everybody,

 

I've got a question about VXLAN. In FortiOS 5.6 I've found the following:

  • FortiOS 5.4 VxLAN encapsulation within IPsec only supports forwarding untagged frames

Are tagged frames within the IPsec/VXLAN supported in version 5.6?

Kind regards,

Tim
    4 REPLIES
    tanr
    Valued Contributor II

    Per https://travelingpacket.com/2017/09/28/fortigate-vxlan-encapsulation/ vlan trunking over VXLAN works in 5.6.2 and later.  Haven't tried it myself though.

    Tim_86
    New Contributor III

    Hi,

     

    Thanks for your reply, I've installed FortiOS 6.0 and I can see the VLAN tags go through the tunnel/VXLAN.

    But I'm running into a major issue: the connection is incredibly slow. Internet pages load in about a minute and pings to the internet show packet loss.

    The issue only exists when the traffic comes from a trunk; it works fine from a single VLAN (access port).

    This might be an issue with MTU or TCP MSS but I can't seem to pinpoint which value to change.

    The MTU on the interfaces? MSS on the IPsec tunnel?

    I've tried different values (as low as 1300) but this doesn't seem to solve it.

    We actually need both VLANs going through the IPsec with VXLAN.

    Any idea?

    With kind regards,

    Tim

    emnoc
    Esteemed Contributor III

    "I've tried different values (as low as 1300) but this doesn't seem to solve it."

    Try adjusting the tcp.mss in the policy or at a test host and see if any improvement happens. I would first take a packet capture and validate the current MSS value in the SYN or SYN/ACK. I would also use a ping with DF set and test the max size between two hosts over the IPsec VXLAN.

    i.e.

    { Windows iirc }

    ping -f -l 1400 x.x.x.x

    { macosx }

    ping -D -s 1400 x.x.x.x

    { linux }

    ping -M do -s 1400 x.x.x.x

    Ken

    PCNSE NSE StrongSwan

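    Added worked example (not from any reply in this thread): a small Python byte-budget calculator for a packet carried as VXLAN inside an ESP tunnel, showing how much TCP MSS or DF-ping payload fits a given path MTU and why trunk (802.1Q-tagged) frames lose 4 more bytes than access-port frames. The encapsulation overheads are assumptions (IPv4 throughout, ESP tunnel mode with AES-CBC and a 12-byte HMAC-SHA1-96 ICV, no NAT-T); adjust the constants to the tunnel's actual proposal.

```python
# Byte budget for one inner packet carried as VXLAN inside ESP (added example).
# Assumptions (not from the thread): IPv4 throughout, ESP tunnel mode with
# AES-CBC (16-byte IV/block) and a 12-byte HMAC-SHA1-96 ICV, no NAT-T.
ETH_HDR, DOT1Q = 14, 4          # inner Ethernet header; 802.1Q tag (trunk only)
IPV4_HDR, TCP_HDR, ICMP_HDR, UDP_HDR = 20, 20, 8, 8
VXLAN_HDR = 8
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV = 8, 16, 2, 12   # SPI+seq, IV, padlen+NH, ICV
CIPHER_BLOCK = 16


def esp_len(plaintext_len):
    """ESP header + IV + plaintext padded to the cipher block + ICV."""
    padded = -(-(plaintext_len + ESP_TRAILER) // CIPHER_BLOCK) * CIPHER_BLOCK
    return ESP_HDR + ESP_IV + padded + ESP_ICV


def encapsulated_len(l4_hdr, payload, tagged):
    """On-the-wire size of the outer IPsec packet for one inner L4 packet."""
    frame = ETH_HDR + (DOT1Q if tagged else 0) + IPV4_HDR + l4_hdr + payload
    vxlan_pkt = IPV4_HDR + UDP_HDR + VXLAN_HDR + frame   # VXLAN outer IP/UDP
    return IPV4_HDR + esp_len(vxlan_pkt)                  # tunnel-mode outer IP


def max_payload(path_mtu, l4_hdr, tagged):
    """Largest L4 payload whose encapsulated packet still fits path_mtu."""
    payload = path_mtu
    while payload > 0 and encapsulated_len(l4_hdr, payload, tagged) > path_mtu:
        payload -= 1
    return payload


def max_mss(path_mtu, tagged):
    """TCP MSS to clamp to so segments cross the tunnel without fragmentation."""
    return max_payload(path_mtu, TCP_HDR, tagged)


def max_df_ping_size(path_mtu, tagged):
    """Largest -s value a DF ping (e.g. ping -M do -s N) can use end to end."""
    return max_payload(path_mtu, ICMP_HDR, tagged)


if __name__ == "__main__":
    for tagged in (False, True):
        kind = "tagged (trunk)" if tagged else "untagged (access port)"
        print(f"{kind}: MSS <= {max_mss(1500, tagged)}, "
              f"DF ping -s <= {max_df_ping_size(1500, tagged)}")
```

    With a 1500-byte path MTU these assumptions give an MSS ceiling of 1348 untagged versus 1344 tagged, and a DF ping of 1360 versus 1356 bytes, so a DF ping that passes from an access port but fails from the trunk at the same size points at the tag overhead. Note that an MSS clamp only affects TCP; ICMP and UDP packet loss over the tunnel has to be addressed by MTU or fragmentation settings instead.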
    gangadar1234
    New Contributor

    Yes it is, I have tested in the lab and I see the firewall is passing the tags.
