Decrease size of Syslog & SNMP to avoid going over IPSEC MTU

Author
otterit
New Member
  • Total Posts : 3
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/08 01:43:32
  • Status: offline
2020/06/08 01:54:00 (permalink) [tag: 6.0]

Hi everyone,
 
I got a FortiGate 60E and I got an issue with the syslog (FortiAnalyzer) & SNMP queries going over what the IPSEC tunnel can do.
 
I have Tx errors on the IPSec interface, which is usually due to MTU issues, and that's exactly the case, and the culprit is... the FortiGate itself, which is sending SNMP & Syslog packets over the 1422 MTU the IPSec tunnel has.
 
The source IP is a Loopback.
 
I couldn't find a way to decrease the size of either the Syslog or the SNMP messages in FortiOS 6.0.X. I've checked the CLI of 6.2.X but can't find a way either. You cannot set the MTU of a loopback, and you can't set the size of the responses in the configuration, or at least I haven't found the setting yet.
 
Have you ever encountered this issue? And how did you solve it?
 
PS: I don't really want to set honor-df to disable as it will create more workload to reassemble everything.
#1

2 Replies

    Patel
    New Member
    • Total Posts : 13
    • Scores: 2
    • Reward points: 0
    • Joined: 2020/05/10 04:04:40
    • Status: offline
    Re: Decrease size of Syslog & SNMP to avoid going over IPSEC MTU 2020/06/12 01:57:04 (permalink)
    Hi,
     
    First, change the mode of syslog from UDP to TCP:
     
    # config log syslogd setting
    # set mode reliable
    # end
     
    What I would suggest is that you try changing the TCP MSS value in the policy for the VPN traffic. Try matching the Syslog messages only in that policy for testing.
     
    # config firewall policy
    # edit <Policy ID>
    # set tcp-mss-sender 1000
    # set tcp-mss-receiver 1000
    # end
     
    Let me know if that works or not.
     
    Regards,
    Patel
     
    #2
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Decrease size of Syslog & SNMP to avoid going over IPSEC MTU 2020/06/12 06:18:48 (permalink)
    tcp-mss adjustment would help on TCP traffic, but I'm really surprised the FortiAnalyzer is not already using TCP to begin with. On SNMP, that's all UDP, and I personally have never seen a packet go over 1200 bytes.
     
     
    The way you can test the max size is to walk the device and look at the packets,
     
    e.g. from a Linux device with the snmp utilities.
     
    In one window
     
    snmpwalk -c "mystringforcommunity" -v2c x.x.x.x
     
    In 2nd window
     
    tcpdump -nnnvv -i eth0 host x.x.x.x and port 161 and greater 1200
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #3
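An added example, not from any post in this thread and not FortiOS or FortiAnalyzer code, that does offline what the snmpwalk/tcpdump pair above does on the wire and what Patel's MSS clamp does for TCP: it sizes each UDP datagram (syslog line or SNMP response) against the 1422-byte tunnel MTU from the first post, lists the ones that would be dropped rather than fragmented when honor-df is enabled, and derives the largest TCP MSS that fits the same tunnel. It assumes IPv4 and TCP without options; the sample syslog payloads are constructed.

```python
"""Size-check syslog/SNMP datagrams against an IPsec tunnel MTU and derive
the matching TCP MSS clamp. Added example, not from this thread or FortiOS.

Assumptions: IPv4 without options, UDP, TCP without options. The tunnel MTU
is compared against the inner packet, because the IPsec interface MTU quoted
in the thread (1422) already accounts for ESP encapsulation overhead.
"""

IPV4_HEADER = 20
UDP_HEADER = 8
TCP_HEADER = 20
TUNNEL_MTU = 1422  # IPsec interface MTU quoted in the thread


def udp_wire_size(payload: bytes) -> int:
    """Size of the IPv4/UDP packet carrying this payload (inner packet)."""
    return IPV4_HEADER + UDP_HEADER + len(payload)


def oversize_datagrams(payloads, mtu=TUNNEL_MTU):
    """(index, wire size) for every datagram larger than the tunnel MTU.

    With honor-df enabled these are the packets that cannot be fragmented
    into the tunnel and show up as Tx errors on the IPsec interface.
    """
    return [(i, udp_wire_size(p)) for i, p in enumerate(payloads)
            if udp_wire_size(p) > mtu]


def max_udp_payload(mtu=TUNNEL_MTU) -> int:
    """Largest UDP payload (syslog line or SNMP PDU) that fits in one packet."""
    return mtu - IPV4_HEADER - UDP_HEADER


def tcp_mss_for_mtu(mtu=TUNNEL_MTU) -> int:
    """Largest MSS that keeps a TCP segment within the MTU (no TCP options)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def segment_fits(mss, mtu=TUNNEL_MTU) -> bool:
    """True if a segment with this MSS plus IPv4/TCP headers fits in the MTU."""
    return mss + IPV4_HEADER + TCP_HEADER <= mtu


# Constructed sample syslog payloads: a normal line and one padded past the MTU.
SAMPLE_MESSAGES = [
    b"<134>Jun  8 01:54:00 fgt60e fortigate: constructed short log line",
    b"<134>Jun  8 01:54:00 fgt60e fortigate: msg=" + b"A" * 1500,
]


def report(payloads=SAMPLE_MESSAGES, mtu=TUNNEL_MTU):
    """Human-readable summary, returned as a list of lines."""
    lines = [f"tunnel MTU {mtu}: max UDP payload {max_udp_payload(mtu)}, "
             f"TCP MSS clamp needed <= {tcp_mss_for_mtu(mtu)}"]
    for i, size in oversize_datagrams(payloads, mtu):
        lines.append(f"datagram {i}: {size} bytes on the wire, "
                     f"{size - mtu} over MTU")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The 1000-byte MSS from Patel's reply fits comfortably (1000 + 40 = 1040 bytes per segment); a host's default Ethernet MSS of 1460 does not, which is why the clamp matters once syslog is switched to the reliable (TCP) mode. For UDP there is no equivalent clamp, so the only thing this check can do is tell you which datagrams are the problem.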