sjoshi
Staff
Article Id 248594
Description

 

This article describes how to troubleshoot slow throughput over an IPsec tunnel using the iperf tool.

 

Scope

 

FortiOS.

 

Solution

 

Whenever throughput through the tunnel is slow, measure it twice towards the same peer: once through the tunnel and once directly over the WAN link. Comparing the two figures shows whether the tunnel itself is the bottleneck or whether the underlying WAN path is already slow.

In this example, an IPsec tunnel between FGTA and FGTB is assumed to be configured and up.

 

First, download iperf from https://iperf.fr/iperf-download.php.

 

Run the iperf server on a PC in the FGTA LAN and the iperf client on a PC in the FGTB LAN.

 

To start the iperf server:

 

Open a command prompt, change to the iperf folder and start the server (it listens on TCP port 5201 by default):

 

C:\Users\test1\iperf-3.1.3-win64>iperf3.exe -s

 

(Screenshot of the iperf3 server output.)

 

To start the iperf client:

 

Open a command prompt, change to the iperf folder and run the client, where <ip_addr> is the address of the server: the server PC's LAN IP when testing through the tunnel, or the VIP's external IP when testing over the WAN link:

 

C:\Users\Fortinet\iperf-3.1.3-win64>iperf3.exe -c <ip_addr>

 

For example:

 

FGTA:

WAN IP: 10.5.23.171
LAN IP: 172.31.135.172 (iperf server)

VIP on FGTA (port-forwards the WAN-side test to the same server):

Ext IP: 10.5.23.172:5201
INT IP: 172.31.135.172:5201

5201 is the default iperf3 port. The firewall policy that allows this VIP exposes the iperf server on the WAN side, so restrict it to TCP 5201 from FGTB's WAN IP and remove it once testing is complete.

FGTB:

WAN IP: 10.5.26.53
LAN IP: 10.127.10.54 (iperf client)

 

Run the iperf test twice from the FGTB LAN PC: once against the server's private LAN IP (172.31.135.172), so the traffic is carried through the tunnel, and once against the VIP's external IP (10.5.23.172), so the traffic crosses the WAN link unencrypted and is port-forwarded by FGTA to the same server.

Then compare the throughput reported by the two tests.

 

When testing with the private IP through the tunnel:

(Screenshot of the iperf3 client output for the tunnel test.)

When testing with the public IP over the WAN link:

(Screenshot of the iperf3 client output for the WAN-link test.)

 

In this example the average throughput was 336 Mbit/s through the tunnel and 546 Mbit/s over the WAN link. Some reduction through the tunnel is expected because of ESP encapsulation and encryption overhead, so a gap of this size does not by itself point at the tunnel; a tunnel figure that is only a small fraction of the WAN figure would.
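Reading the two results off screenshots is error-prone; iperf3 can emit its report as JSON (`-J`), which makes the comparison repeatable. The script below is an added example, not part of the original article: it builds the client command used for each run, extracts the receiver-side throughput from an iperf3 JSON report, and classifies the tunnel/WAN ratio. The two reports embedded in it are constructed to match the 336 and 546 Mbit/s figures quoted above, not captured from a live run, and the 50 % threshold is an assumed, tunable value rather than a Fortinet recommendation.

```python
"""Compare iperf3 throughput measured through an IPsec tunnel with the same test
run over the WAN link. Added example; assumes both runs used `iperf3 -c ... -J`."""
import json

IPERF_PORT = 5201  # iperf3 default port; also the port the VIP in the article forwards


def client_command(server_ip, seconds=30, port=IPERF_PORT):
    """Build the iperf3 client command for one run. -J gives JSON output so the
    result can be parsed rather than read off a screenshot."""
    return ["iperf3", "-c", server_ip, "-p", str(port), "-t", str(seconds), "-J"]


def received_mbps(report_json):
    """Average throughput seen by the receiver, in Mbit/s, from an iperf3 -J TCP
    report. sum_received is what actually arrived at the server; sum_sent also
    counts retransmitted bytes, so it overstates goodput on a lossy path."""
    report = json.loads(report_json)
    if "error" in report:
        # iperf3 -J emits {"error": "..."} when the connection fails (for example
        # when the VIP policy is missing and the WAN-side test cannot connect)
        raise ValueError("iperf3 reported an error: " + report["error"])
    return report["end"]["sum_received"]["bits_per_second"] / 1e6


def retransmits(report_json):
    """TCP retransmissions reported by the sender (0 if the field is absent)."""
    report = json.loads(report_json)
    return report["end"]["sum_sent"].get("retransmits", 0)


def compare(tunnel_json, wan_json, max_expected_drop=0.5):
    """Return both figures, the tunnel/WAN ratio and where to look next.

    max_expected_drop is an assumed threshold: a tunnel figure within this
    fraction of the WAN figure is treated as normal encapsulation/encryption
    overhead; anything lower points at the tunnel path itself."""
    tunnel = received_mbps(tunnel_json)
    wan = received_mbps(wan_json)
    ratio = tunnel / wan if wan else 0.0
    if ratio >= 1 - max_expected_drop:
        verdict = "tunnel overhead within expected range; check the WAN/ISP path"
    else:
        verdict = "tunnel is the bottleneck; check FortiGate CPU/NPU, shapers, UTM, MTU/MSS"
    return {"tunnel_mbps": round(tunnel, 1), "wan_mbps": round(wan, 1),
            "ratio": round(ratio, 2), "verdict": verdict}


def _sample_report(bits_per_second, retrans):
    """Constructed minimal iperf3 -J report with the fields the functions above read."""
    return json.dumps({
        "start": {"test_start": {"protocol": "TCP"}},
        "end": {"sum_sent": {"bits_per_second": bits_per_second * 1.02, "retransmits": retrans},
                "sum_received": {"bits_per_second": bits_per_second}},
    })


# Constructed sample data matching the article's figures (not real captures).
TUNNEL_REPORT = _sample_report(336e6, 12)
WAN_REPORT = _sample_report(546e6, 4)
ERROR_REPORT = json.dumps({"error": "unable to connect to server: Connection refused"})

if __name__ == "__main__":
    print(" ".join(client_command("172.31.135.172")))  # tunnel run
    print(" ".join(client_command("10.5.23.172")))     # WAN run via the VIP
    print(compare(TUNNEL_REPORT, WAN_REPORT))
```

Save each run's output with `iperf3 ... -J > tunnel.json` and `> wan.json`, then feed the two files to `compare()`. A high `retransmits()` count on the tunnel run but not on the WAN run is an early hint that packets are being fragmented or dropped inside the tunnel path.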

 

Also rule out the FortiGate itself: check CPU and memory usage (`get system performance status`), whether the tunnel is offloaded to the NPU and whether NPU drops are being counted (`diagnose vpn tunnel list` shows the offload state), any traffic shaper applied to the tunnel policy, and the UTM/security profiles enabled on that policy.

 

Then validate the MTU and TCP MSS on both sides. ESP adds several tens of bytes to every packet, so full-size 1500-byte inner packets have to be fragmented (or are dropped when DF is set) unless the MSS is clamped. A Windows client can find the largest unfragmented size through the tunnel with `ping -f -l <size> <peer LAN IP>`, and the firewall policy options `set tcp-mss-sender` and `set tcp-mss-receiver` clamp the MSS on the FortiGate.
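To pick a sensible MSS value rather than guessing, it helps to work out the ESP tunnel-mode overhead for the proposal actually in use. The following is an added example, not from the original article or from Fortinet: it computes the encapsulated size of an inner packet, the largest inner packet that still fits a 1500-byte outer MTU, the matching TCP MSS and the `ping -l` payload size to probe with. It assumes an IPv4 outer header without options, no extended sequence numbers and the standard ESP layout (outer IP, optional NAT-T UDP, SPI/sequence, IV, encrypted payload plus padding and 2-byte trailer, ICV); the cipher names and parameters in the table are assumptions for illustration and the FortiGate's own fragmentation behaviour is not modelled.

```python
"""ESP tunnel-mode overhead and MSS estimates. Added example; all sizes in bytes."""

# Cipher parameters: (IV length, ESP payload alignment, ICV length).
# Assumed values for illustration, following the standard ESP transforms.
CIPHERS = {
    "aes128-sha256": (16, 16, 16),   # AES-CBC: 16-byte IV, 16-byte block; HMAC-SHA256-128 ICV
    "aes256-sha1": (16, 16, 12),     # AES-CBC with HMAC-SHA1-96 (12-byte ICV)
    "aes128gcm": (8, 4, 16),         # AES-GCM: 8-byte IV, 4-byte alignment, 16-byte ICV
    "chacha20poly1305": (8, 4, 16),  # same layout as GCM
}

OUTER_IPV4 = 20        # outer IPv4 header, no options
NAT_T_UDP = 8          # UDP header added when NAT traversal (UDP/4500) is in use
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
INNER_IPV4_TCP = 40    # inner IPv4 (20) + TCP (20) headers, no TCP options
ICMP_ECHO_HEADERS = 28 # inner IPv4 (20) + ICMP (8), for ping probes


def _fixed_overhead(cipher, nat_t):
    iv, _align, icv = CIPHERS[cipher]
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + icv


def encapsulated_size(cipher, inner_len, nat_t=False):
    """Size on the wire of an ESP tunnel-mode packet carrying inner_len bytes.
    The encrypted body (inner packet + padding + trailer) is padded up to the
    cipher's alignment, so the overhead varies with the inner length."""
    _iv, align, _icv = CIPHERS[cipher]
    body = inner_len + ESP_TRAILER
    pad = (-body) % align
    return _fixed_overhead(cipher, nat_t) + body + pad


def max_inner_packet(cipher, outer_mtu=1500, nat_t=False):
    """Largest inner IP packet that fits outer_mtu without fragmentation."""
    _iv, align, _icv = CIPHERS[cipher]
    room = outer_mtu - _fixed_overhead(cipher, nat_t)
    padded = room - room % align   # largest aligned body that fits
    return padded - ESP_TRAILER


def recommended_mss(cipher, outer_mtu=1500, nat_t=False):
    """TCP MSS to clamp to so that inner segments never need fragmenting."""
    return max_inner_packet(cipher, outer_mtu, nat_t) - INNER_IPV4_TCP


def ping_payload_size(cipher, outer_mtu=1500, nat_t=False):
    """Largest `ping -f -l <size>` (Windows) / `ping -M do -s <size>` (Linux)
    payload expected to pass through the tunnel unfragmented."""
    return max_inner_packet(cipher, outer_mtu, nat_t) - ICMP_ECHO_HEADERS


def mss_needs_clamping(observed_mss, cipher, outer_mtu=1500, nat_t=False):
    """True if an MSS seen in a capture (1460 is the usual Ethernet default)
    exceeds what the tunnel can carry without fragmentation."""
    return observed_mss > recommended_mss(cipher, outer_mtu, nat_t)


if __name__ == "__main__":
    for name in CIPHERS:
        for nat in (False, True):
            print(f"{name:18} nat-t={nat!s:5} max inner={max_inner_packet(name, nat_t=nat)} "
                  f"mss={recommended_mss(name, nat_t=nat)} ping -l {ping_payload_size(name, nat_t=nat)}")
```

The values land in the 1380 to 1410 range commonly used for IPsec MSS clamping; if a capture on the client side shows the default 1460 being negotiated across the tunnel, `mss_needs_clamping()` returns True and the policy's `tcp-mss-sender`/`tcp-mss-receiver` options are the place to fix it.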

 

If the speed problem persists with a plain policy (no UTM) and the iperf results over the WAN link and through the tunnel differ only minimally, the bottleneck lies outside the FortiGate and should be taken up with the ISP.