5.4.10 MTU issues
We've got some sites running through IPsec VPNs that won't do pmtud, and ones far enough away give us some fragmentation issues now and then. The previous people before me had set an MTU override and mtu to 1250 on the wan ports for each firewall end. This seemed to have cleared up most issues. This was with Fortigate 620Bs, and now we just replaced one end with a 500E HA pair.
The first problem I had was CRC errors. Our fortigate hooks up to a Cisco switch, which then forwards it out to whichever VPN it needs to. I noticed we had tons of TCP retransmit errors, and looking at the switch it had tons of CRC errors on it. I tried a new switch, a new fortigate, new cables and the same exact results until I disabled MTU-override on the Fortigate VLAN interface. I also had the issue where I changed the MTU-override on my side and lost all connection on that port completely until I rebooted it. This happened multiple times.
Now we seemed to not have much trouble, but sites seem to be randomly giving us the same issue now with TCP retransmit errors when people were trying to connect in. There are no switch errors, but the only way we have been able to solve them is by setting the TCP-mss-send/receive on the right policy the PCs are coming through on the customer's end.
Is this possibly a bug? My security guys made this the newest allowed version I could put on, so I'm working to get them to let me test a newer version.
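As an added illustration (not part of the post above), a small Python helper that works out how much an IPsec tunnel adds to a packet on the wire, and therefore which TCP MSS clamp fits a given path MTU when PMTUD cannot be relied on. The ESP header, IV, padding and ICV sizes are reference values from the ESP/AES/HMAC RFCs; the cipher suite and the 1500-byte outer path are assumptions, since the post does not say what the tunnels use.

```python
"""Estimate IPsec (ESP, tunnel mode, IPv4) overhead and a safe TCP MSS clamp."""

IPV4_HDR, TCP_HDR = 20, 20
ESP_HDR, ESP_TRAILER, NAT_T_UDP = 8, 2, 8          # SPI+seq, pad-len+next-hdr, UDP encap

# Assumed reference values: (IV bytes, padding block) per cipher, ICV bytes per integrity alg
CIPHER = {"aes-cbc": (16, 16), "aes-gcm": (8, 4)}
ICV = {"sha1": 12, "sha256": 16, "gcm": 16}


def outer_len(inner_len, cipher="aes-cbc", integrity="sha1", nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IPv4 packet of inner_len."""
    iv, block = CIPHER[cipher]
    body = inner_len + ESP_TRAILER              # encrypted payload plus ESP trailer fields
    pad = (-body) % block                       # pad up to the cipher block boundary
    outer_ip = IPV4_HDR + (NAT_T_UDP if nat_t else 0)
    return outer_ip + ESP_HDR + iv + body + pad + ICV[integrity]


def fits(inner_mtu, path_mtu=1500, **kw):
    """True if a full-size inner packet (e.g. the 1250 MTU override) still fits the outer path."""
    return outer_len(inner_mtu, **kw) <= path_mtu


def max_mss(path_mtu=1500, **kw):
    """Largest TCP MSS whose encrypted, encapsulated packet never exceeds path_mtu.

    Starts from the plain-IPv4 value (MTU - IP - TCP) and walks down until the
    worst-case padded ESP packet fits; this is the value for a tcp-mss clamp on the policy.
    """
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while outer_len(mss + IPV4_HDR + TCP_HDR, **kw) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    print("1250-byte inner packet on the wire:", outer_len(1250))       # 1320
    print("fits a 1500-byte outer path:", fits(1250))                    # True
    print("MSS clamp, AES-CBC/SHA1:", max_mss())                         # 1398
    print("MSS clamp, AES-GCM:", max_mss(cipher="aes-gcm", integrity="gcm"))  # 1406
```

Compare the clamp value with what the interface override implies (1250 minus 40 bytes of IP and TCP headers gives an MSS of 1210) to see how much headroom the override leaves on top of the actual ESP cost.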