Troubleshooting Tip: Error 'SSL-VPN slow file transfer issue'
Description: This article describes how to troubleshoot slow file transfers over an SSL VPN connection.

Scope: FortiGate, FortiClient.

Solution: After verifying the compatibility between FortiGate and FortiClient, work through the following recommendations to improve file transfer performance when connected to SSL VPN.
On FortiGate:

```
config vpn ssl settings
```
On FortiClient:

If the 'Preferred DTLS Tunnel' option is greyed out and the checkbox cannot be enabled, select the lock icon to unlock the settings. After unlocking, the 'Preferred DTLS Tunnel' option can be selected.

When FortiClient is managed by FortiClient EMS, the DTLS option cannot be enabled directly on the FortiClient console; the change must be pushed by the administrator from FortiClient EMS (see Technical Tip: How to enable DTLS option from FortiClient EMS).

If users are still connecting over TCP, check the FortiClient settings to ensure that 'Preferred DTLS Tunnel' is checked.
Disable hardware (ASIC) offload on the firewall policy that carries the SSL VPN traffic, to rule offload out as the cause:

```
config firewall policy
    edit <id>
        set auto-asic-offload disable
end
```
Run all iPerf tests against an internal server acting as the iPerf server (the same server used for the file transfer).

Generate traffic using parallel sessions to the server:

```
iperf3 -c x.x.x.x -P 10
```

Here -P (--parallel) sets the number of parallel client streams to run.

If the amount of data being transferred is large, increase the TCP window size and compare the measured bandwidth:

```
iperf3 -c x.x.x.x -w 8KB
iperf3 -c x.x.x.x -w 64KB
iperf3 -c x.x.x.x -w 8MB
iperf3 -c x.x.x.x -w 16MB
```

Here -w (--window) sets the TCP window size (socket buffer size), with a K/M/G suffix.

To circumvent TCP limitations on the client host, run a UDP test at the desired target bandwidth:

```
iperf3 -c x.x.x.x -u -b 50M
```

Here -u selects UDP traffic and -b (--bandwidth) sets the target bandwidth in bits/sec (0 for unlimited).
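Comparing the runs above by eye is error-prone, so the following added example (not part of the original article) builds the window-size sweep as iperf3 command lines with JSON output (`-J`) and reduces each result to the numbers worth comparing: receiver-side throughput and retransmits for TCP, throughput, loss and jitter for UDP. The JSON field layout is iperf3's own; the two embedded sample results and the `run_sweep` server address are constructed, and `run_sweep` only works against a live iperf3 server.

```python
import json
import subprocess
from typing import Dict, List

# Constructed samples of `iperf3 -J` output, trimmed to the fields this script reads.
# The layout (end.sum_sent / end.sum_received for TCP, end.sum for UDP) follows
# iperf3's JSON schema; the numbers themselves are made up.
SAMPLE_TCP_JSON = json.dumps({
    "start": {"test_start": {"protocol": "TCP"}},
    "end": {
        "sum_sent": {"bits_per_second": 41_200_000.0, "retransmits": 37},
        "sum_received": {"bits_per_second": 40_900_000.0},
    },
})

SAMPLE_UDP_JSON = json.dumps({
    "start": {"test_start": {"protocol": "UDP"}},
    "end": {
        "sum": {"bits_per_second": 49_800_000.0, "jitter_ms": 1.7,
                "lost_packets": 18, "packets": 3600, "lost_percent": 0.5},
    },
})


def build_commands(server: str, windows: List[str], parallel: int = 1) -> List[List[str]]:
    """Build one iperf3 argv per TCP window size, requesting JSON output (-J)."""
    cmds = []
    for win in windows:
        argv = ["iperf3", "-c", server, "-w", win, "-J"]
        if parallel > 1:
            argv += ["-P", str(parallel)]
        cmds.append(argv)
    return cmds


def summarize(json_text: str) -> dict:
    """Reduce an iperf3 -J result to the values worth comparing between runs."""
    data = json.loads(json_text)
    proto = data["start"]["test_start"]["protocol"]
    end = data["end"]
    if proto == "UDP":
        s = end["sum"]
        return {"protocol": "UDP",
                "mbps": round(s["bits_per_second"] / 1e6, 1),
                "lost_pct": s["lost_percent"],
                "jitter_ms": s["jitter_ms"]}
    # TCP: the receiver-side rate is what the file transfer actually gets;
    # retransmits hint at loss or MSS/MTU problems along the tunnel.
    return {"protocol": "TCP",
            "mbps": round(end["sum_received"]["bits_per_second"] / 1e6, 1),
            "retransmits": end["sum_sent"]["retransmits"]}


def run_sweep(server: str, windows: List[str]) -> Dict[str, dict]:
    """Run the window-size sweep against a live iperf3 server (requires iperf3 installed)."""
    results = {}
    for argv in build_commands(server, windows):
        out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
        results[argv[4]] = summarize(out)   # keyed by the -w value
    return results


if __name__ == "__main__":
    print(summarize(SAMPLE_TCP_JSON))
    print(summarize(SAMPLE_UDP_JSON))
    # Live usage (assumed server address): run_sweep("x.x.x.x", ["8K", "64K", "8M", "16M"])
```

Throughput that rises with the window size points at the client's socket buffers; throughput that stays flat while retransmits grow points at loss or fragmentation inside the tunnel, which is where the MSS and MTU steps later in this article apply.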
As a test, lower the minimum TLS version accepted by the SSL VPN:

```
config vpn ssl settings
    set ssl-min-proto-ver tls1-1
end
```

Then disconnect from the VPN, close the FortiClient application, open it again, and reconnect. Note that this relaxes the minimum TLS version for all SSL VPN users; if it does not change the transfer speed, revert it.
Set the TCP MSS on the firewall policy so that segments stay below the path MTU of the tunnel:

```
config firewall policy
    edit <id>
        set tcp-mss-sender <value>
        set tcp-mss-receiver <value>
end
```
Alternatively, adjust the MTU of the relevant interface on the client PC. Note: Depending on the privileges the PC user has, it may be necessary to open the Command Prompt as Administrator.

```
C:\Windows\System32>netsh interface ipv4 show subinterface
C:\Windows\System32>netsh interface ipv4 set subinterface "interface_name or index" mtu=<value> store=persistent
```

After changing the value, restart the machine. Revert the change if it does not improve the transfer.
Change the SSL VPN listening port on FortiGate:

```
config vpn ssl settings
    set port <port-number>
end
```

On FortiClient, change the customized port to match.
If the above steps do not bring any improvement, collect the following counters and interface statistics to investigate further.

```
FortiGate # fnsysctl ifconfig ssl.root
```

Note: A few TX drops are expected. When the tunnel is torn down, the server/peer side may briefly continue to send traffic; those packets are dropped by FortiGate and counted as TX drops.

```
FortiGate # diagnose vpn ssl mux-stat
```

If the 'queue dropped' counter keeps increasing while a transfer is running, this indicates slowness in SSL VPN performance. If DTLS is enabled, the output also includes DTLS counters such as:

```
dtls found = 65747132
```

A DTLS-enabled VPN may show errors in these counters; they usually indicate packet corruption, fragmentation, or network instability, any of which can reduce throughput.
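The article's check is whether 'queue dropped' keeps growing during a transfer, which means comparing several snapshots of the output rather than reading one. The following added example (not part of the original article) parses "name = value" lines in the style shown above and reports which counters rise between every consecutive snapshot. The three snapshots are constructed; 'queue dropped' and 'dtls found' are the counter names the article mentions, and 'tunnel up' is an assumed name included only to show a flat counter being ignored.

```python
import re
from typing import Dict, List

# Constructed snapshots of "name = value" counter output, taken a few seconds
# apart while a transfer is running. Only 'queue dropped' and 'dtls found' are
# names from the article; 'tunnel up' is assumed for illustration.
SNAPSHOTS = [
    "dtls found = 65747132\nqueue dropped = 120\ntunnel up = 3\n",
    "dtls found = 65748990\nqueue dropped = 265\ntunnel up = 3\n",
    "dtls found = 65750102\nqueue dropped = 412\ntunnel up = 3\n",
]

# One counter per line: a name made of words, then '=', then an integer.
LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z][\w ]*?)\s*=\s*(?P<value>\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Turn one snapshot of counter output into a name -> value map."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def rising_counters(snapshots: List[str]) -> Dict[str, List[int]]:
    """Return counters that increase between every consecutive snapshot,
    mapped to their per-interval deltas. Counters missing from any snapshot
    or flat in any interval are left out."""
    parsed = [parse_counters(s) for s in snapshots]
    rising: Dict[str, List[int]] = {}
    for name in parsed[0]:
        values = [p.get(name) for p in parsed]
        if any(v is None for v in values):
            continue
        deltas = [later - earlier for earlier, later in zip(values, values[1:])]
        if deltas and all(d > 0 for d in deltas):
            rising[name] = deltas
    return rising


def queue_drops_rising(snapshots: List[str]) -> bool:
    """The article's condition: 'queue dropped' increasing continuously during a transfer."""
    return "queue dropped" in rising_counters(snapshots)


if __name__ == "__main__":
    for name, deltas in rising_counters(SNAPSHOTS).items():
        print(f"{name}: +{deltas} per interval")
    print("queue dropped rising:", queue_drops_rising(SNAPSHOTS))
```

A counter such as 'dtls found' rising simply reflects DTLS traffic being processed and is not by itself a problem; the signal the article asks for is 'queue dropped' rising in every interval of an active transfer, so capture the snapshots while the slow transfer is in progress.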
As a last resort, restart the SSL VPN daemon:

```
fnsysctl killall sslvpnd
```

Note: Restarting the SSL VPN daemon disconnects all currently connected users.
Related articles:

- Troubleshooting Tip: SSL VPN Troubleshooting
- Technical Tip: FortiGate SSL VPN best practices guide
- Technical Tip: SSL VPN with external DHCP Server
- Technical Tip: Reasons for the 'iprope_in_check() failed' error in SSL VPN
- Troubleshooting Tip: Checking maximum number of SSL VPN users using 'diagnose vpn ssl statistics'