bashrael
New Member
July 28, 2017
Question

unstable/slow ipsec vpn connection

  • July 28, 2017
  • 1 reply
  • 22307 views

Hi.

I have a FG 100D. It was on FortiOS 5.4.1, but Fortinet support advised me to upgrade to the latest build, 5.6.1.

So we're on 5.6.1 now.

 

I created a new FortiClient IPsec test tunnel with the wizard. No UTM is applied on the policies used.

This tunnel works, but when I copy files over this tunnel the connection is slow and unstable.

I have a 250/30 internet connection, but downloading a file from the file server at the remote location is very slow (5 Mbit/s).

 

So can anyone help me to solve this problem?

 

    1 reply

    Toshi_Esumi
    SuperUser
    July 28, 2017

    There is no silver bullet to pinpoint this type of performance issue easily, so I'll throw out some things you need to consider when you troubleshoot like this.

  • Most often, very poor performance/speed comes from an Ethernet duplex mismatch somewhere between the FW and the local device/PC/server. Check it at all interfaces along the path, on both the client and the server end.
  • If there is no duplex mismatch all the way, the next thing you need to rule out is the internet path(s) between the client side and the server side that the IPsec VPN goes through. Compare continuous pinging end-to-end through the tunnel and public-to-public between those FWs outside the tunnel, then traceroute from both ends toward the other end if you see some intermittent drops. It might explain the "unstable" portion of the symptoms. Often packet drops happen at a hand-off between internet vendors, like Comcast-to-Level3, CenturyLink-to-Cogent, and so on, when they over-aggregate traffic.
  • Along with the ping test above, run internet speed tests, like speedtest.net, picking the closest test server on the opposite side. For example, if you're between Denver and Dallas, test at Denver by choosing one of speedtest.net's Dallas servers. If you can find your ISP at Dallas in the server list, that would be ideal.
  • Download speed at one end is decided by upload speed on the other end when you do an end-to-end file transfer, which you're probably aware of. If the server location also has a 250/30 circuit, the download speed never goes beyond 30Mbps.
  • Lastly, the Windows TCP/IP protocol stack's window size comes in as a factor if you're testing between Windows machines. You might need to adjust them. You can find some articles if you google it. Ideally you want to test with something like iperf servers running on Linux machines, which provide a UDP test option.

     

    The bottom line is that FortiGate's VPN itself is unlikely to be the cause. We dealt with many cases like yours for our customers. Most of them were the first or the second issue. Good luck!
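The second bullet in the reply above asks for two ping runs side by side: one end-to-end through the tunnel, one public-to-public between the firewalls. The script below is an added example (not from the thread or from Fortinet) that turns saved `ping` output into loss, RTT and jitter figures and applies the reply's reasoning about where the loss sits. Both captures are constructed for illustration; the addresses 10.20.0.10 and 203.0.113.10 are placeholders, not anything from the original post.

```python
# Added example: compare ping captures through the IPsec tunnel and outside it.
import re
import statistics

# Constructed sample of `ping -c 10 <remote LAN host>` run through the tunnel.
# 10.20.0.10 is an assumed remote LAN address. Sequence 4 and 7 never came back.
TUNNEL_PING = """\
PING 10.20.0.10 (10.20.0.10) 56(84) bytes of data.
64 bytes from 10.20.0.10: icmp_seq=1 ttl=62 time=4.21 ms
64 bytes from 10.20.0.10: icmp_seq=2 ttl=62 time=4.35 ms
64 bytes from 10.20.0.10: icmp_seq=3 ttl=62 time=4.10 ms
64 bytes from 10.20.0.10: icmp_seq=5 ttl=62 time=12.80 ms
64 bytes from 10.20.0.10: icmp_seq=6 ttl=62 time=4.22 ms
64 bytes from 10.20.0.10: icmp_seq=8 ttl=62 time=4.40 ms
64 bytes from 10.20.0.10: icmp_seq=9 ttl=62 time=4.18 ms
64 bytes from 10.20.0.10: icmp_seq=10 ttl=62 time=4.25 ms
--- 10.20.0.10 ping statistics ---
10 packets transmitted, 8 received, 20% packet loss, time 9021ms
"""

# Constructed sample of the same test to the remote firewall's public address
# (203.0.113.10 is a documentation-range placeholder). Sequence 7 was lost.
PUBLIC_PING = """\
PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=58 time=3.90 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=58 time=3.95 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=58 time=3.88 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=58 time=3.92 ms
64 bytes from 203.0.113.10: icmp_seq=5 ttl=58 time=3.97 ms
64 bytes from 203.0.113.10: icmp_seq=6 ttl=58 time=3.91 ms
64 bytes from 203.0.113.10: icmp_seq=8 ttl=58 time=3.94 ms
64 bytes from 203.0.113.10: icmp_seq=9 ttl=58 time=3.89 ms
64 bytes from 203.0.113.10: icmp_seq=10 ttl=58 time=3.93 ms
--- 203.0.113.10 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9015ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+).*?time=([\d.]+) ms")
# Linux prints "8 received", macOS prints "8 packets received"; accept both.
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def summarize(output):
    """Return sent/received counts, loss %, average and max RTT, and jitter.

    Jitter is the mean absolute difference between consecutive RTTs, so one
    12 ms spike among 4 ms replies is visible even when the average looks fine.
    """
    replies = REPLY_RE.findall(output)
    rtts = [float(ms) for _seq, ms in replies]
    m = SUMMARY_RE.search(output)
    if m:
        sent, received = int(m.group(1)), int(m.group(2))
    else:
        # Capture cut off before the summary line (e.g. ping interrupted):
        # infer from sequence numbers so gaps in icmp_seq still count as drops.
        seqs = [int(seq) for seq, _ms in replies]
        sent, received = (max(seqs) if seqs else 0), len(seqs)
    diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "sent": sent,
        "received": received,
        "loss_pct": 100.0 * (sent - received) / sent if sent else 0.0,
        "avg_ms": statistics.fmean(rtts) if rtts else 0.0,
        "max_ms": max(rtts) if rtts else 0.0,
        "jitter_ms": statistics.fmean(diffs) if diffs else 0.0,
    }


def diagnose(tunnel_output, public_output, loss_threshold_pct=1.0):
    """Apply the reply's logic: loss that also shows up outside the tunnel
    points at the internet path; loss only inside the tunnel points at the
    tunnel endpoints; no loss at all means look elsewhere (duplex, the other
    side's upload ceiling, TCP window size)."""
    t, p = summarize(tunnel_output), summarize(public_output)
    if p["loss_pct"] >= loss_threshold_pct:
        return "internet path"
    if t["loss_pct"] >= loss_threshold_pct:
        return "tunnel endpoints"
    return "no loss on either path"


if __name__ == "__main__":
    for label, capture in (("tunnel", TUNNEL_PING), ("public", PUBLIC_PING)):
        s = summarize(capture)
        print(f"{label:7s} loss={s['loss_pct']:.0f}% avg={s['avg_ms']:.2f}ms "
              f"max={s['max_ms']:.2f}ms jitter={s['jitter_ms']:.2f}ms")
    print("verdict:", diagnose(TUNNEL_PING, PUBLIC_PING))
```

In practice you would redirect a long run (`ping -c 600 <host> > tunnel.txt`) from a client inside the tunnel to a remote LAN host, and a matching run to the remote FortiGate's public address, then feed both files to `summarize()`. Run the ping pairs from both sites, since an asymmetric upstream problem only shows in one direction. For the throughput side of the reply, `iperf3 -s` on a Linux host at the remote site and `iperf3 -c <host> -u -b 30M -R` from the test site measures UDP throughput without the Windows TCP window size in the way.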

  • bashrael (Author)
    New Member
    July 29, 2017

    Hi, thanks for all the suggestions.

     

    I started with your remark 'The bottom line is FortiGate's VPN itself is unlikely the cause'

    So I set up a simple FTP server, forwarded a port and tested the speed without VPN.

    And the speed is the same as I get with VPN.

    So it's not a VPN issue.

    It's also not an SMB issue, as I have the same result with FTP.

     

    I also tested the speed to another server on the remote network. Same speed, so it's not a problem with the remote server I was testing with.

    I tested the speed between those two servers on the remote network and I get 900 Mbit/s, so that's also not the problem. So it's also not an issue with the duplex settings on this switch, I guess? (The switch being the FortiGate here for both servers.)

     

    The test site and remote site are only 10 km away from each other and are with the same ISP. Speed tests on the remote site: 230/30; on the test site: 200/30. I also tested from another site with a different ISP. Same result.

     

    No ping loss with VPN on or off.

     

    That's what I've got for now. The other suggestions I still need to test.

    But if anything I tested so far leads to other suggestions, I am happy to hear them :)

    tx!

     

    bashrael (Author)
    New Member
    July 30, 2017

    Small update:

    I checked the WAN port and it's on auto-negotiate, with the current state being 1000 Mbps full duplex.

    The ISP confirmed this is correct. When I had them on the phone I told them about my problem.

    They noticed that I had some upstream loss and said this 'could' be what's causing my problem.

    Tomorrow morning they're sending a technician to check the line.

    I'll update this thread when I have more news.