Cybersecurity Forum


andrei123
New Contributor

Throughput problem with FGT 60D and PPPoE connection

The unit is set up with FortiOS 5.2.5 and has the wan1 port connected to the ISP with PPPoE (1Gb subscription).
If I connect the laptop or computer directly with PPPoE to the ISP I get ~800 Mb throughput (tested with speedtest, ISP's own speedtest and torrents). When I connect the FortiGate unit the throughput is capped at ~140 Mb and the unit stops responding (CPU 100%).
I tried the following configurations:
- internal lan in switch mode or in interface mode (hardware switch)
- tried with firmwares 5.0.10 and 5.2.1, 5.2.3, 5.2.4
The MTU for the PPPoE is 1492, so I also tried with mtu-override 1492 and it is still the same.
The unit behaves the same in every situation: high CPU and capped throughput.
All the UTM features are turned off. All the tests are done with the basic configuration, just a policy from internal to wan1.
Also another strange thing is that when I test with the download limited ~100Mb so that the unit doesn't completely freeze I can see from the top command that the CPU is 50% hogged by the system, however there is no process in the list with that high of a load (if you add all the processes they add up to max 10%).
I also noticed that the traffic is not going through the NP4Lite, so I guess the 'Supports firewall acceleration across all packet sizes for maximum throughput' on the FGT 60D spec sheet on the Fortinet website might be false advertising.

Update: There is no way that I found for a 60D to reach gigabit speeds on a PPPoE connection. Max throughput is 140 Mb.

A workaround is to have another router in front of the 60D to do the PPPoE connection (I got a Ubiquiti Edgemax Lite router for 100E that works amazing).

Best regards,
Andrei

2 REPLIES
SimoRose
Staff

I have a customer in the UK with the same problem. Has there been any progress since you posted this article?

PatrBeav
New Contributor

I have seen this issue when you have web filtering turned on in proxy mode. Make sure that AV and content filtering are set to flow mode. Then verify with a good tool for network performance measurement like iperf.exe. You can use iperf2 or 3; both sides need to be running the same level of iperf. Using this will give you the real performance stats of your connection. If you can, plug a decent workstation into the firewall inside interface and nothing else. Then plug another workstation to the WAN address and set it up as the uplink IP. Then set the WAN side iperf up like this: iperf -s. Then on the LAN side workstation run: iperf -c wanuplink-ip -t 60 -i5 -P

This will push traffic from LAN to WAN via 3 different streams to the uplink workstation, and it will give you 5 second updates and give you the real upload performance. To do the download you would need to create a port-forward or static NAT for the workstation on the LAN side and basically just reverse the client/server command line. I have tested Fortinet's 60C firewalls and was able to push around 800Mbps with them with AV and web filtering disabled and in flow mode. Also, any IPS will slow it down if it's enabled as well.

Hope this info helps,