FortiNet_Newb
New Member
September 19, 2022
Question

Poor VPN Performance

  • September 19, 2022
  • 3 replies
  • 6390 views

We’ve got a FortiGate 101F running the latest FortiOS 7.2.1 and are experiencing poor VPN performance.  Clients are running the latest FortiClient 7.07.0345 pushed out by EMS.  The office has a solid 100 Mbps connection (both directions upload and download).  At home I’ve got a 300 Mbps Down/20 Mbps Upload internet connection.  Clients are running Windows 11.

I’ve been testing both IPSec and SSL VPN connections to the FortiGate and the results are dismal.  During testing I’m not applying any of the UTM security profiles to the traffic.  DNS is resolving fine while connected remotely, and latency while connected remotely to the file server is about 32 ms, which doesn’t seem too bad (internally it’s < 1 ms).  When I’m the only user in the office connected via VPN and copying files from the office to my client, I’m getting the following results:

For SSL, I’m only averaging about 20 Mbps download.  I’ve already got DTLS enabled on both the FortiGate and Client.

For IPsec, surprisingly, the results are even worse.  I only average about 9 Mbps download.

I understand there should be some loss, but these results are terrible.  Anyone have some settings that I could try to help this out?

3 replies

FortiNet_Newb
New Member
September 19, 2022

I know this won't help IPSec, but how do I confirm that DTLS is working?  If I capture packets on the WAN interface originating from my remote client's IP address, I only see TCP packets on port 443 and no UDP packets.

If I use the command diagnose debug application sslvpn -1, there is no mention of DTLS anywhere in those results.

Any insight would be appreciated.
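One way to make the capture check above concrete, as an added example that is not part of the original thread: a small Python script that reads a pcap (Ethernet/IPv4) and counts client-to-gateway packets to port 443 by transport, reporting DTLS as in use only when UDP/443 is present; TCP/443 alone means the tunnel has fallen back to TLS over TCP. The client and gateway addresses and both captures are constructed inline.

```python
import struct
from collections import Counter

def ipv4_frame(proto, src, dst, sport, dport, df=True, payload=b"x" * 64):
    """Minimal Ethernet/IPv4 frame carrying TCP (6) or UDP (17). Constructed test data; checksums left zero."""
    if proto == 6:  # TCP: seq, ack, data offset 5 words, PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 512, 0, 0)
    else:           # UDP: length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1,
                     0x4000 if df else 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def pcap_bytes(frames):
    """Wrap frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

def iter_ipv4(data):
    """Yield (proto, src, dst, dport, fragmented) for every Ethernet/IPv4 record in a pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(endian + "I", data, off + 8)[0]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        flags_frag = struct.unpack_from("!H", ip, 6)[0]
        fragmented = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) > 0  # MF set or offset > 0
        dport = None if fragmented or proto not in (6, 17) else struct.unpack_from("!H", ip, ihl + 2)[0]
        yield proto, ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), dport, fragmented

def sslvpn_transport_report(data, client_ip, gateway_ip):
    """Count client->gateway packets to port 443 by transport; DTLS is in use only if UDP/443 appears."""
    c = Counter(tcp443=0, udp443=0, fragments=0)
    for proto, src, dst, dport, fragmented in iter_ipv4(data):
        if fragmented:
            c["fragments"] += 1  # fragments point at an MTU problem, worth checking separately
        elif src == client_ip and dst == gateway_ip and dport == 443:
            c["udp443" if proto == 17 else "tcp443"] += 1
    return {**c, "dtls_in_use": c["udp443"] > 0}

CLIENT, GATEWAY = "198.51.100.10", "203.0.113.1"  # constructed addresses
FALLBACK_CAPTURE = pcap_bytes([ipv4_frame(6, CLIENT, GATEWAY, 51000, 443)] * 3
                              + [ipv4_frame(6, GATEWAY, CLIENT, 443, 51000, df=False)])
DTLS_CAPTURE = pcap_bytes([ipv4_frame(6, CLIENT, GATEWAY, 51000, 443)]
                          + [ipv4_frame(17, CLIENT, GATEWAY, 52000, 443)] * 4)
```

On a real capture, read the file bytes and pass them to sslvpn_transport_report with the remote client's public IP and the FortiGate WAN IP.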

gfleming
Staff
September 19, 2022

Are you seeing any fragmentation in your pcap on the VPN client?

FortiNet_Newb
New Member
September 19, 2022

Looking at the pcap on the client, it looks like the "Don't fragment" flag is set on all of the TLSv1.3 traffic sent to the FortiGate, and the Fragment Offset is 0 on all of the TCP packets sent back to the client.

FortiNet_Newb
New Member
September 20, 2022

DTLS is now working on our SSL VPN connection, and performance is now where it should be.  With it working, I’m now seeing 85 Mbps instead of 20 Mbps.  UDP on port 443 was being blocked upstream from our office, so it was defaulting back to TCP.  Once they allowed UDP on 443 to pass, DTLS kicked in without issue.

I’ll look into our IPSec issue later this week, as it seems to have resolved itself at the moment.  When they made the changes upstream for the SSL DTLS, for whatever reason our IPSec connection is now also seeing 85 Mbps download.  Not sure what changed; I’ll test again once there is more office traffic to inspect.

FortiNet_Newb
New Member
September 20, 2022

I may have jumped the gun in thinking DTLS was the answer.  With DTLS enabled (and now working) the internet speed tests (in full tunnel) went from 20 Mbps up to 85 Mbps, but this morning I was testing moving files across, and with DTLS enabled the files are transferring to the client at around 12-14 Mbps; if I disable DTLS they transfer at 30-55 Mbps.  So while DTLS made a HUGE difference in basic internet speed tests, ordinary file transfers between the LAN and remote client are MUCH slower.  I've gone back and disabled DTLS for now.

gfleming
Staff
September 20, 2022

I wonder if you're just hitting limits with the SMB protocol. It does not handle latency very well. If you are running SMBv2 you can try tuning it or try running SMBv3 as it works a bit better with latency.

Before doing that, however, can you do some other speed testing methods? What about setting up iperf or some other mechanism to see what raw data transfer speeds look like over the VPN?