I changed the MTU to 2000B (mtu-override) on wan1 port on a FG60D that connects to a FG1200D cluster with IPSEC. The config of the spoke is not changed. I did not expect anything to happen since I only changed one end, except maybe the IPSEC tunnel flapping. But after some seconds I suddenly got 1922B through with DF-bit set. So - IPSEC tunnel is apparently working.
Kind of weird, since the hub has no MTU config?
I use one phase1 and 5-6 phase2 per spoke, and have around 100 spokes. Another weird thing is that all other phase2 in this hub-and-spoke setup ALSO flapped. That is, changing MTU on ONE SPOKE tears down ALL TUNNELS? Can this be right?