Smartypants
New Member
September 13, 2017
Question

900D to FGVM Throughput over 1GB P2P

  • September 13, 2017
  • 2 replies
  • 9924 views

I'm trying to find the root cause of a throughput problem between two Fortigate firewalls: an HA pair of 900D's at the organization's main building and a remote data center.

With the help of several qualified engineers at the remote hosting site, which hosts servers for hundreds of customers, two connections to the data center have been provisioned. The primary is a 1GB AT&T P2P and the backup is an IPsec VPN over a 500/500 Internet circuit.

Both circuits test as fine: no interface configuration errors or latency problems, and according to the ISPs the performance matches spec. But with that said, neither circuit is usable to connect users in San Francisco to their data in an Irvine data center.

Both the 500/500 MB/s IPsec tunnel and the 1000 MB/s P2P are unable to even come close to the promised performance, having an asymmetrical throughput of about 112 MB/s IN and only 4.5 MB/s OUT.

I won't go into all of the changes of SFPs, patch cables etc. I've done trying to fix this, but I will say the reason I'm convinced that the problem is local to the 900D and not somehow the remote data center is that I have a similar throughput problem between the 900D and the Office 365 cloud, in that a 20GB mailbox takes about 24 hours to transfer.

Is it possible that the Fortigate firewall is to blame?


It's primarily being used as an internal firewall separating two different user VLANs from four resource VLANs for PCI-DSS compliance, so I have a ton of IPv4 policies and use features like FSSO, I'm using many of the UTM firewall features that are useful, and the VLAN "routing" is happening on the 900D's.

Memory on the 900D's is around 60%.

CPU on the 900D's is always less than 15%.

I'm thinking that the firewall is overloaded. Is that possible, and how do I test it to find out?


    Toshi_Esumi
    SuperUser
    September 13, 2017

    I made exactly the same comment below at another thread about a slow VPN issue:

    Check through the points I commented on in the thread below: https://forum.fortinet.co...p;m=151196&mpage=1

    Smartypants
    New Member
    September 13, 2017

    Yes, helpful, and I did read this soon after it was posted. Thanks!

    Keep in mind that my IPsec VPN tunnel between the two Fortigate firewalls was over my ISP's 500/500 MB/s circuit, but the fact that the 1GB P2P (different circuit and different ISP) was also having the same problem narrows most of the usual causes down to either the firewall or the data center.

    I try not to get too hung up on the data center being the cause, because I have the same issue with Office 365.

    I opened a support ticket with Fortigate Support yesterday AM and as of today they haven't called me back, but some other engineers (not Fortigate) thought that I might be overloading the 900D's.

    We only have 200 users, but we do have a lot of IPv4 policies and UTM stuff going on.

    But getting only 65-112 MB/s one way and 4.5 MB/s the other over a 500/500 IPsec tunnel AND over a 1GB P2P is not good.

    BTW, on speedtest.net I show 480/465 speed. If I use one of the other http5 tests that use larger data sets, the throughput drops dramatically.

    emnoc
    New Member
    September 13, 2017

    "do I have a lot of IP4 Policies and UTM stuff going on."

    What exactly?

    IMHO (probably can't be done now), you should really benchmark these before they are in production and carrying traffic.

    iperf3/D-ITG for example, and a simple traffic flow in/out, out/in with and without a UTM profile. Then you have a baseline on the raw throughput.

    Next, place two FGTs back-to-back and set up a simple IPsec tunnel; again use iperf3/D-ITG for packet generation and gather a benchmark with and/or without UTM profiles.

    Just my 2 cents.

    FWIW we have FGT900Ds running over 2-3 Gbps during the day, no UTM profiles enabled, no IPsec/SSL VPN. We are using 10GigE interfaces only. It's a powerful box for sure.

     

    Ken
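The baselining approach in the reply above (iperf3 in each direction, with and without a UTM profile, then compare against the circuit spec) produces four numbers that are easy to misread by eye. This added example, not from the thread or from Fortinet, parses the `end` summaries of `iperf3 -J` output for those four runs and flags under-utilization, per-direction asymmetry, TCP retransmits and the UTM cost. The run names, the 1 Gbps link spec, the thresholds and the sample numbers are all assumptions constructed for the demo.

```python
import json

LINK_MBPS = 1000.0       # assumed: provisioned capacity of the 1GB P2P circuit
MIN_UTILIZATION = 0.70   # assumed: below 70% of spec is worth investigating
MAX_ASYMMETRY = 3.0      # assumed: in/out differing by >3x points at one direction's path

# Constructed iperf3 -J fragments (only the fields this script reads), one per run.
# Run names encode the direction and whether a UTM profile was on the policy.
SAMPLE_RUNS_JSON = r'''{
  "to_dc_no_utm":   {"end": {"sum_sent": {"bits_per_second": 38000000.0, "retransmits": 4120},
                             "sum_received": {"bits_per_second": 37500000.0}}},
  "from_dc_no_utm": {"end": {"sum_sent": {"bits_per_second": 912000000.0, "retransmits": 3},
                             "sum_received": {"bits_per_second": 910000000.0}}},
  "to_dc_utm":      {"end": {"sum_sent": {"bits_per_second": 36000000.0, "retransmits": 4300},
                             "sum_received": {"bits_per_second": 35800000.0}}},
  "from_dc_utm":    {"end": {"sum_sent": {"bits_per_second": 640000000.0, "retransmits": 5},
                             "sum_received": {"bits_per_second": 638000000.0}}}
}'''

def parse_runs(raw):
    """Return {run_name: (received_mbps, retransmits)} from iperf3 JSON summaries."""
    out = {}
    for name, doc in json.loads(raw).items():
        end = doc["end"]
        mbps = end["sum_received"]["bits_per_second"] / 1e6   # receiver side is the goodput
        out[name] = (round(mbps, 1), end["sum_sent"].get("retransmits", 0))
    return out

def assess(runs, link_mbps=LINK_MBPS):
    """Baseline per run plus findings; each finding cites the number that triggered it."""
    findings = []
    for name, (mbps, retx) in runs.items():
        util = mbps / link_mbps
        if util < MIN_UTILIZATION:
            findings.append(f"{name}: {mbps} Mbps is {util:.0%} of {link_mbps:.0f} Mbps spec")
        if retx > 100:
            findings.append(f"{name}: {retx} TCP retransmits suggests loss on this path")
    # Same UTM setting, opposite directions: a large skew is a one-direction problem.
    for suffix in ("no_utm", "utm"):
        a, b = runs[f"to_dc_{suffix}"][0], runs[f"from_dc_{suffix}"][0]
        ratio = max(a, b) / max(min(a, b), 0.1)
        if ratio > MAX_ASYMMETRY:
            findings.append(f"{suffix}: {ratio:.1f}x in/out asymmetry")
    # Same direction, with vs. without profile: fraction of throughput the UTM profile costs.
    utm_cost = {d: round(1 - runs[f"{d}_utm"][0] / runs[f"{d}_no_utm"][0], 2) for d in ("to_dc", "from_dc")}
    return {"runs": runs, "utm_cost": utm_cost, "findings": findings}

if __name__ == "__main__":
    for line in assess(parse_runs(SAMPLE_RUNS_JSON))["findings"]:
        print(line)
```

With real data, run the same four tests on the back-to-back IPsec setup the reply describes and feed each `iperf3 -J` result in under the same run names; a direction that is slow in every configuration, with retransmits, points away from the UTM profiles and toward loss on that path.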
    Toshi_Esumi
    SuperUser
    September 13, 2017

    By the way, the 900D seems to have two NP6s for encryption/decryption acceleration, just like our 1500Ds. That means other firewall features wouldn't affect VPN throughput much as long as they're handed off to an NP6. Although I don't think it's the main factor for your situation right now, because the number is way lower than any performance issue (I believe in significant packet loss somewhere), I want to point out that which port you use for in and out along the path the encrypted/decrypted packets go through actually affects the VPN performance, especially in a multi-VDOM environment. We had to change our design to use only one NP6 (out of two) so as not to cause any handoff between NP6_0 and NP6_1, involving the CPU, for the same packet.

    Check the documentation below for the 900D section and review whether your design is optimal.

    http://docs.fortinet.com/...re-acceleration-54.pdf