Created on 03-09-2023 07:40 AM Edited on 11-13-2024 07:48 AM By Jean-Philippe_P
This article describes how to troubleshoot slow speed issues over an IPsec tunnel using the iperf tool.
FortiOS.
Whenever there is a slow speed issue through the tunnel, the throughput can be measured once over the WAN link and once over the tunnel link towards the same peer, and the two results compared.
In this example, it is assumed that the IPsec tunnel between FGTA and FGTB is configured and up and running.
First, download the iperf tool from the following link: https://iperf.fr/iperf-download.php.
Use the FGTA LAN PC as the iperf server and the FGTB LAN PC as the iperf client.
To run the iperf server:
Open a command prompt, navigate to the iperf folder location, and run:
C:\Users\test1\iperf-3.1.3-win64>iperf3.exe -s
Note: if the iperf server is executed on Windows, the local Windows firewall may block connections to port 5201. In this case, disable the local firewall or create a rule that allows the connection.
To run the iperf client:
Open a command prompt, navigate to the iperf folder location, and run (where <ip_addr> is the address of the iperf server):
C:\Users\Fortinet\iperf-3.1.3-win64>iperf3.exe -c <ip_addr>
For example:
FGTA:
WAN IP: 10.5.23.171
LAN IP: 172.31.135.172
VIP (port forward from the WAN side to the LAN iperf server):
Ext IP: 10.5.23.172:5201
INT IP: 172.31.135.172:5201
FGTB:
WAN IP: 10.5.26.53
LAN IP: 10.127.10.54
Run the iperf test once against the private IP address (172.31.135.172) through the tunnel and once against the public VIP address (10.5.23.172) through the WAN link, which port-forwards the traffic to the same server.
Then compare the throughput of the two iperf tests.
When testing with private IP through the Tunnel:
When testing with public IP through the WAN link:
The average bandwidth through the tunnel link is 336 Mbits/s and through the WAN link is 546 Mbits/s, so the difference is minimal.
It is also necessary to isolate the issue on the FortiGate side by validating CPU/memory status, NPU drops, traffic shapers, UTM features, and so on.
Then validate the MTU/MSS settings on both sides as well.
If the speed issue persists with a plain policy without any UTM, and there is only a minimal difference between the iperf tests through the WAN link and the tunnel link, the issue also needs to be validated from the ISP side.
Note:
In some cases, ISPs might apply traffic shaping to ESP traffic. One option is to carry Phase 2 traffic in UDP port 4500 packets by enabling forced NAT-T on both sides, then check with iperf whether throughput improves.
To check whether NAT-T is in use, run the following command:
diag vpn tunnel list
If the first entry containing the tunnel name shows LocalIP:0->PeerIP:0, the tunnel is not using NAT-T. If it shows LocalIP:4500->PeerIP:4500, NAT-T is in use.
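The comparison of the two iperf runs and the NAT-T check above can be scripted. The following is an added example, not Fortinet's code or part of the original article: it parses iperf3 JSON output (the `-J` option) for the tunnel and WAN runs, reports how much lower the tunnel throughput is, and reads the LocalIP:Port->PeerIP:Port pair from a `diag vpn tunnel list` entry. The sample JSON and the sample diag lines are constructed here in the style of those outputs; the function and variable names are the example's own.

```python
import json
import re
import subprocess

# Constructed sample: the "end" summary of two iperf3 -J runs (not real captures),
# using the figures quoted in the article (336 Mbit/s tunnel, 546 Mbit/s WAN).
SAMPLE_TUNNEL_JSON = json.dumps({"end": {"sum_received": {"bits_per_second": 336e6}}})
SAMPLE_WAN_JSON = json.dumps({"end": {"sum_received": {"bits_per_second": 546e6}}})

# Constructed sample lines in the style of a 'diag vpn tunnel list' entry (not real captures).
SAMPLE_DIAG_NO_NATT = "name=to_FGTB ver=1 serial=1 10.5.23.171:0->10.5.26.53:0 tun_id=10.5.26.53"
SAMPLE_DIAG_NATT = "name=to_FGTB ver=1 serial=1 10.5.23.171:4500->10.5.26.53:4500 tun_id=10.5.26.53"


def received_mbps(iperf_json: str) -> float:
    """Receiver-side average throughput in Mbit/s from iperf3 -J output."""
    summary = json.loads(iperf_json)["end"]["sum_received"]
    return summary["bits_per_second"] / 1e6


def compare_paths(tunnel_json: str, wan_json: str) -> dict:
    """Compare the tunnel run with the WAN run; drop_pct is how much lower the tunnel is."""
    tunnel = received_mbps(tunnel_json)
    wan = received_mbps(wan_json)
    drop_pct = (wan - tunnel) / wan * 100 if wan else 0.0
    return {"tunnel_mbps": tunnel, "wan_mbps": wan, "drop_pct": round(drop_pct, 1)}


# Matches the LocalIP:Port->PeerIP:Port pair shown in the tunnel entry.
_ENDPOINT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def uses_nat_t(diag_line: str) -> bool:
    """True when both ends of the pair show UDP 4500, i.e. NAT-T is in use."""
    m = _ENDPOINT_RE.search(diag_line)
    if m is None:
        raise ValueError("no LocalIP:Port->PeerIP:Port pair found in entry")
    return m.group(2) == "4500" and m.group(4) == "4500"


def run_iperf(server_ip: str, seconds: int = 10) -> str:
    """Run iperf3 as a client with JSON output (requires iperf3 on PATH)."""
    result = subprocess.run(["iperf3", "-c", server_ip, "-J", "-t", str(seconds)],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # On a live setup: compare_paths(run_iperf("172.31.135.172"), run_iperf("10.5.23.172"))
    print(compare_paths(SAMPLE_TUNNEL_JSON, SAMPLE_WAN_JSON))
    print("NAT-T in use:", uses_nat_t(SAMPLE_DIAG_NATT))
```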
The latency between communicating endpoints should also be checked. With TCP there is a direct relationship between latency and throughput. As latency increases, TCP throughput drastically decreases. The ping command assists in quickly checking the round-trip end-to-end latency.
Related article:
Troubleshooting Tip: How to troubleshoot speed or bandwidth related issues over Site-to-Site IPsec t...
Copyright 2024 Fortinet, Inc. All Rights Reserved.