Forum Discussion

Cirrostratus

Jan 22, 2025

ICMP (Fragmentation needed) Between Firewall and LTM

We have been working for a while with Fortinet about an issue between the firewall and the LTM (r10600 with tenant 15.1.9.1), this issue is causing a loop with some ICMP packets. The flow goes like ...

MVP

Jan 24, 2025

it seems the packet comes from fw to f5 with DF (dont fragment) bit flag enabled in IP header while f5 needs to fragment it before sending to client.
the df bit might not set by fw but by node in front of fw.

you can configure fortinet to respect/honor the df flag or not and see which one works in your network.

config system global
    set honor-df enable/disable  <- Enabled by default.

Abed_AL-R
Cirrostratus
Jan 24, 2025
Thank you.
The honor-df is indeed set to enable. I tried if disabling it help, but it did not.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

ICMP (Fragmentation needed) Between Firewall and LTM

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

4600 rSeries tenant resizing and HA Dependency

DOSl7 reset learning database voor automatic mode

vlan associated with 2 selfIP on different subnets

Ssl profile different in case of retry

smtp port vs 25 and pool member 587

Related Content

Introduction to F5 BIG-IP Advanced Firewall Manager (AFM)

F5 AFM/Edge Firewall and the difference between Edge Firewalls and Next-generation Firewalls (NGFW)

Securing the LLM User Experience with an AI Firewall

Mitigate AI Scraping bots using F5 Distributed Cloud Web Application Firewall

Microservices – application fragments need application services

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS