Skip to main content
tom_maz
tom_maz
New Member
February 15, 2018
Question

Slow VPN throughput

  • February 15, 2018
  • 1 reply
  • 12108 views

We have a large global network consisting of various FortiGate models. Most of what we have today are 80C and higher, but our new small office model is the 100E. Larger offices have 300Ds or 500Ds. Most devices currently run 5.4.5, but soon to be 5.4.8.

 

When it comes to VPN traffic, the main bandwidth consuming application is Windows file sharing (CIFS/SMB). When testing over tunnels that are 100Mbps fiber on each end, we can get max 20-25Mbps throughput. Yet, if we run an iPerf test, we get close to 50Mbps. We are using AES256/SHA256 encryption. We've tried with/without NPU off-loading, with/without UTM (IPS & AV), and the 20-25Mbps is the best scenario.

 

I see posts from other companies who are having this problem (examples below). Has anyone had a similar issue and been able to find ways to improve performance?

 

https://forum.fortinet.com/tm.aspx?m=144639

 

https://forum.fortinet.com/tm.aspx?m=143253

(this is for SSL VPN, which we also use on a 300D and have poor performance on as well)

1 reply

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 16, 2018

One thing for sure is NPU on or off affects to the numbers you see in iperf test. As long as NPU off load is on the level of encryption wouldn't change much because that part is processed by NPU chip.

When picking one pair of locations, did you compare iperf test results between over the tunnel and outside of the tunnel(public IP to public IP) to have the base number for the internet path, which dictates the overall performance in our test experiences?

SSL VPN must be quite different because it goes through TCP and application layer on the client devices, instead of just L3. We don't have any comprehensive test done so far.

ericli_FTNT
Staff
ericli_FTNT
Staff
February 16, 2018

When enabled UTM along with encryption, CP would engage to improve performance if it (CP) was available.

Please check the inspection mode of your UTM profile first. Then check "diag test app ipsmonitor xx" for N-Turbo acceleration.

ede_pfau
SuperUser
ede_pfau
SuperUser
February 17, 2018

Some thoughts on this:

- CIFS is not AV scanned until FOS v6.0 so you can safely not apply for this kind of traffic. You can easily separate CIFS through different policies. IPS might be a good idea though.

- 50% throughput in comparison to other TCP file transfer protocols is not a surprise for the CIFS protocol

- offloading to NPU would not primarily affect throughput but CPU load. As soon as the CPU load gets too high, throughput will suffer. So to see an effect of this you need to plan the setup carefully.

 

Terms & ConditionsAccessibility statement