FortiGate
Ahmed_M
Staff
Article Id 284891
Description

The article details how FortiOS version 7.4.0 and higher allows adjustment of DTLS heartbeat timers for improved performance and resilience in specific network conditions.

Scope

FortiOS 7.4.0 and higher.
Solution

Background:

SSL VPN technology has been around for several decades and has evolved to meet the demand for secure remote access to corporate networks over the internet. The TLS protocol, which establishes the encrypted connection between client and server, played a pivotal role in this development. Recognized for its ease of deployment and management compared to other VPN types, SSL VPN offers enhanced security through application-layer access, enabling selective permissions for individual applications and resources.

Despite these advantages and its technological maturity, SSL VPN may incur slightly higher overhead than IPsec VPN, potentially leading to a minor dip in performance. Notably, encryption and decryption in SSL VPN happen at the application layer, which adds processing compared to the network-layer encryption used by IPsec.

SSL VPN performance is notably sensitive to both latency and packet loss, primarily because of its reliance on TCP. Application data carried in a TCP payload is encapsulated again within a separate TCP session belonging to the SSL VPN application before it passes down to the lower layers. When the network suffers high latency or congestion, factors such as packet loss, out-of-order fragmentation, delayed acknowledgments, and the interaction of the stacked TCP layers can trigger heavy retransmissions that severely degrade overall performance.

For a detailed explanation of why SSL VPN tunnels exhibit sensitivity to latency compared to IPsec VPNs, see Technical Tip: Why SSL VPN tunnel is sensitive to latency compared to IPSec VPN.

In response to this challenge, Fortinet supports the DTLS protocol (RFC 9147) to improve SSL VPN performance. DTLS is particularly effective here because it runs over UDP, which suits real-time traffic better than TCP; this is especially advantageous where low latency and real-time communication are critical. For detailed instructions on enabling DTLS for SSL VPN on FortiOS and FortiClient, refer to the following links:

Furthermore, Fortinet supports DTLS heartbeat messages (RFC 6520), which provide keep-alive functionality without requiring a costly tunnel renegotiation after idle periods. In FortiOS version 7.2 and earlier, adjusting the heartbeat timers was not possible, which could potentially lead to DTLS tunnel establishment failures in congested or jittery network conditions.

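To make the heartbeat mechanism concrete, the following Python snippet (an added example, not FortiOS or FortiClient code) encodes and parses the RFC 6520 HeartbeatMessage structure: a one-byte type, a two-byte payload_length, the payload, and at least 16 bytes of random padding. The receiver applies the check the RFC requires, silently discarding any message whose declared payload_length does not fit inside the bytes actually received, so a malformed heartbeat never causes more data to be echoed than was sent. The payload strings are constructed for the example.

```python
import os
import struct

# RFC 6520 HeartbeatMessageType values
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16    # RFC 6520 section 4: padding_length MUST be at least 16


def build_heartbeat(msg_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Encode HeartbeatMessage = type | payload_length | payload | padding."""
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat message type")
    if padding_len < MIN_PADDING:
        raise ValueError("padding must be at least %d bytes" % MIN_PADDING)
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(padding_len)


def parse_heartbeat(msg: bytes):
    """Return (type, payload), or None when the message must be silently discarded.

    The receiver trusts the bytes it actually got, not the sender's payload_length:
    if the declared payload plus the minimum padding does not fit in the message,
    RFC 6520 says to drop it without responding.
    """
    if len(msg) < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, payload_length = struct.unpack("!BH", msg[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if payload_length > len(msg) - HEADER_LEN - MIN_PADDING:
        return None
    return msg_type, msg[HEADER_LEN:HEADER_LEN + payload_length]


def answer_heartbeat(request: bytes):
    """Peer-side keep-alive logic: echo a valid request's payload in a response;
    return None for anything else (a response is never answered, so no ping-pong loop)."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


if __name__ == "__main__":
    req = build_heartbeat(HEARTBEAT_REQUEST, b"keepalive-1")   # constructed payload
    print(parse_heartbeat(answer_heartbeat(req)))               # (2, b'keepalive-1')
```

The padding is random on purpose: it keeps heartbeat datagrams from being a fixed, recognisable size on the wire, and the minimum of 16 bytes is what lets the receiver bound the payload without any trust in the sender's length field.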
Solution:

To bolster the performance and resilience of DTLS, FortiOS v7.4.0 and above introduces the capability to adjust DTLS heartbeat timers to suit specific network conditions. Comprehensive details about this feature can be found in the new features guide.

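To show why tunable timers matter, here is an added Python simulation (not Fortinet's implementation; the policy values, timer names and link conditions are constructed for illustration) of an idle DTLS tunnel kept alive by heartbeats. A policy is an interval between heartbeats plus a fail count. The same jittery link tears the tunnel down under a tight policy but survives under a relaxed one, while the relaxed policy takes longer to notice a peer that is really gone. That trade-off is what tuning the timers to the network conditions is about.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HeartbeatPolicy:
    """Hypothetical timer set; the field names are this example's, not FortiOS CLI options."""
    interval: float   # seconds between heartbeat requests once the tunnel is idle
    fail_count: int   # consecutive empty intervals (no reply at all) before teardown


def simulate_idle_period(policy: HeartbeatPolicy,
                         reply_delays: List[Optional[float]]) -> Tuple[bool, Optional[float]]:
    """Heartbeat k is sent at time k*interval and its reply lands reply_delays[k]
    seconds later (None = reply lost). At the end of every interval the sender
    checks whether any reply arrived during that interval: an empty interval is a
    miss, any reply resets the counter, and fail_count consecutive misses tear the
    tunnel down. Returns (tunnel_alive, teardown_time)."""
    arrivals = [k * policy.interval + d
                for k, d in enumerate(reply_delays) if d is not None]
    misses = 0
    for k in range(1, len(reply_delays) + 1):
        window_start, window_end = (k - 1) * policy.interval, k * policy.interval
        if any(window_start < t <= window_end for t in arrivals):
            misses = 0
        else:
            misses += 1
            if misses >= policy.fail_count:
                return False, window_end
    return True, None


# Constructed link conditions (seconds): a jittery but working link whose replies
# sometimes take several seconds or get lost, and a peer that has silently gone away.
JITTERY_LINK = [0.1, 3.5, 4.0, None, 3.2, 0.2, 0.1]
DEAD_PEER = [None] * 5

# Constructed policies: aggressive detection versus tolerance of jitter.
TIGHT = HeartbeatPolicy(interval=1.0, fail_count=2)
RELAXED = HeartbeatPolicy(interval=3.0, fail_count=3)


def compare(policies=(TIGHT, RELAXED)):
    """Run both link scenarios under each policy and collect the outcomes."""
    return {
        (p.interval, p.fail_count): {
            "jittery": simulate_idle_period(p, JITTERY_LINK),
            "dead_peer": simulate_idle_period(p, DEAD_PEER),
        }
        for p in policies
    }


if __name__ == "__main__":
    for key, outcome in compare().items():
        print("interval=%.0fs fail_count=%d -> %s" % (key[0], key[1], outcome))
```

Under the tight policy the jittery link is declared dead after 3 seconds even though every heartbeat eventually gets through, which is the spurious teardown the article warns about for congested or jittery networks; the relaxed policy rides it out but needs 9 seconds rather than 2 to detect a genuinely dead peer. Neither setting is universally right, which is why exposing the timers for adjustment is the useful change.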
Related article:

Troubleshooting Tip: SSL VPN slow file transfer issue.