Skip to main content
goftari
goftari
New Member
March 6, 2013
Question

Slow web browsing performance

  • March 6, 2013
  • 3 replies
  • 9136 views
Here' s how my scenario looks like: We had a Mikrotik RB1000 as our network edge with two Internet connections (one through an IPIP tunnel [2 Mbps] which was replaced by a GRE tunnel as IPIP tunnel cannot be set on Fortigate and it supports GRE, and the other through a dedicated fiber which is connected to Mikrotik from a line terminal [1.5 Mbps]). When I configured load balancing on Mikrotik, I experienced faulty web performance, after searching Mikrotik forums I figured out it was a fragmentation problem which was fixed by changing TCP syn packages' MSS (Max Segment Size) larger than 1360 to 1360 in forward chain. Now we have replaced our Mikrotik RB1000 with a Fortigate 311B configured load balancing on those two Internet connections on Fortigate; We' re experiencing the same faulty web browsing performance; What should I do? I know it is possible to set tcp-mss on Fortigate interfaces and I' ve done that but it didn' t solve my problem. Setting tcp-mss is different from setting MSS for only tcp syn packages, isn' t it?

    3 replies

    rwpatterson
    rwpatterson
    New Member
    March 6, 2013
    ' Crappy' web browsing performance can be a result of several issues:
  • Check your WAN interface for duplex mismatch
    diag hard dev nic <port>
  • Check for fragmentation (as you already stated). From Windows:
    ping <internet host> -l <packet size> -f
    Start at 1500 (the max) and decrease until you find the largest size that fits through the pipe.
  • Check your DNS server. I used this app: DNS Benchmark from GRC Research. You' ll be amazed at how much a slow DNS server can affect the browsing experience...
    • goftari
    goftariAuthor
    New Member
    March 8, 2013
    Thanks for your prompt and accurate reply Bob! As declared here, I did set tcp-mss to 1440 on the GRE tunnel; so is it necessary to also set MTU to a smaller value? as I mentioned there is a boolean MTU-override option available on the GRE tunnel. should I reduce the MTU size on the interface through which the tunnel is established and set this option to true?
    rwpatterson
    rwpatterson
    New Member
    March 8, 2013
    I' m not sure, but it couldn' t hurt.
    FortiRack_Eric
    FortiRack_Eric
    New Member
    March 11, 2013
    TCP-MSS = MTU - 40.
    goftari
    goftariAuthor
    New Member
    March 11, 2013
    I know the formula, but will it hurt not to conform to the formula? Do you suggest lowering the MTU value or increasing the MSS value? Thanks
    FortiRack_Eric
    FortiRack_Eric
    New Member
    March 11, 2013
    No, just as a matter of fact. You can use your line better with bigger packet sizes that' s all. cheers, Eric
    goftari
    goftariAuthor
    New Member
    March 11, 2013
    Thanks I took your advice. Now I have a MTU size of 1470 and TCP-MSS set to 1430
    Terms & ConditionsAccessibility statement