Fortigate TCP MSS

The maximum segment size (MSS) is the largest amount of TCP payload, in bytes, that a device is willing to receive in a single segment without the packet having to be fragmented. It matters for every internet connection, and web browsing in particular.

I once had a very crazy issue, where I could surf to almost all HTTP websites, but many HTTPS sites such as USPS.com and hotmail.com would not work. The header would come up, look like it's working and... nothing. After a few packet captures I noticed that it was fragmenting some of the HTTPS packets coming in. The crazy thing is many websites worked perfectly.

To troubleshoot I put a Cisco PIX I had laying around into production to replace the Fortigate. Everything worked no problem.

So after many hours of researching, I changed the TCP-MSS to 1360 and boom, no issues. I asked Fortinet support why this was happening in contrast to the Cisco PIX. They said that the Cisco will automatically change its settings (I have not researched this) but the Fortinet will not. Go figure.


So if you hear of problems like "can't get to HTTPS sites", "USPS will not load", or "the browser loads the certificate but the site does not come up", check these commands:

In MR4:

    config system interface
        edit port X
            set tcp-mss-sender 1360
            set tcp-mss-receiver 1360
        end

MR5:

    config system interface
        edit port X
            set tcp-mss 1350
        end
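As an added example (not from the original post or from Fortinet), here is a small Python model of what a tcp-mss clamp does to a SYN and why a value such as 1360 stops full-size segments from being fragmented. Header sizes are the IPv4 and TCP minimums with no options; the 8-byte PPPoE overhead and the 1460/1492 figures in the scenario are assumed typical values, not taken from the post.

```python
# Added example: MSS clamping versus the IP MTU of the path (not from the original post).
# Assumed: IPv4 and TCP headers without options; PPPoE eats 8 bytes of the link MTU.
IPV4_HEADER = 20
TCP_HEADER = 20


def ip_mtu(link_mtu=1500, encap_overhead=0):
    """IP MTU left once an encapsulation (e.g. PPPoE: 8 bytes) takes part of the link MTU."""
    return link_mtu - encap_overhead


def max_mss_for_path(path_ip_mtu):
    """Largest TCP payload that fits in one IPv4 packet on this path without fragmentation."""
    return path_ip_mtu - IPV4_HEADER - TCP_HEADER


def clamp_mss(advertised_mss, configured_mss):
    """What a tcp-mss setting does to the MSS option seen in a SYN.

    0 leaves the option untouched (the symptom in the post); otherwise the lower value wins,
    so a host advertising a smaller MSS than the clamp keeps its own value.
    """
    if configured_mss == 0:
        return advertised_mss
    return min(advertised_mss, configured_mss)


def would_fragment(mss, path_ip_mtu):
    """True if a full-size segment built from this MSS exceeds the path's IP MTU."""
    return mss + IPV4_HEADER + TCP_HEADER > path_ip_mtu


def check_syn(advertised_mss, configured_mss, path_ip_mtu):
    """Summarise one SYN: effective MSS after clamping and whether full segments fit."""
    effective = clamp_mss(advertised_mss, configured_mss)
    return {
        "effective_mss": effective,
        "fragments_without_clamp": would_fragment(advertised_mss, path_ip_mtu),
        "fragments_with_clamp": would_fragment(effective, path_ip_mtu),
    }


if __name__ == "__main__":
    # Constructed scenario: an HTTPS server on plain Ethernet advertises MSS 1460,
    # but the path crosses a PPPoE link (IP MTU 1492). Compare tcp-mss 0 with 1360.
    path = ip_mtu(1500, 8)
    for configured in (0, 1360):
        print(f"tcp-mss {configured}: {check_syn(1460, configured, path)}")
```

With tcp-mss 0 a 1460-byte segment plus 40 bytes of headers is 1500 bytes, which does not fit a 1492-byte IP MTU and gets fragmented; clamped to 1360 it fits with room to spare.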

One response to “Fortigate TCP MSS”

  1. mo1640 December 13, 2014 at 1:52 am

    Great blog. I ran into the same issue when I noticed that the most visited sites were not working on our remote sites. I found the tcp-mss 1492 entry on the internal ports on the affected sites. My sites that were not affected had tcp-mss set to 0. The only reason I can think of why this would happen would be due to TCP windowing increasing the packet size on those frequently visited sites.
