Description
This article explains why SSL VPN traffic can be more sensitive to latency and packet loss when compared to IPsec VPN.
Scope
FortiGate.
Solution
Network throughput over a VPN tunnel depends heavily on latency and packet loss in the underlying network. SSL VPN is especially sensitive to both, because without DTLS it carries the user's traffic inside a TLS session that itself runs over TCP (TCP over TCP).
In contrast, IPsec VPN has no outer TCP layer, so it does not suffer from the TCP-over-TCP problem. Remote access IPsec VPN tunnels encapsulate the ESP packets inside UDP headers.
UDP uses best-effort delivery: it prioritizes speed and sends data to the destination as quickly as possible without relying on acknowledgements to confirm that the data arrived. The minimal network overhead of UDP gives it better performance for quick, low-latency communication.
TCP is a reliable protocol: the source and destination nodes rely heavily on TCP acknowledgements to know whether the data reached the destination.
If an acknowledgement for a transmitted segment does not arrive, the source node retransmits the segment, either when its retransmission timer expires or earlier, when duplicate acknowledgements from the destination node indicate that the segment was lost.
This retransmission timer is adaptive: it starts from a conservative estimate and is adjusted with every acknowledged segment according to the measured round-trip time. When a segment times out, the next timeout is doubled (exponential backoff).
This backoff is what keeps a single TCP connection from collapsing under sustained loss (the meltdown effect).
When one TCP session is carried inside another TCP connection, each layer runs its own independent retransmission timer.
The lower layer may have a slower timer than the upper layer. When the lower layer starts to experience packet loss, it retransmits and its timer backs off, growing with every timeout.
Meanwhile the upper layer, which carries the actual payload, also receives no acknowledgement and starts queuing retransmissions of its own.
Because the upper layer's timeout is shorter than the lower layer's, it queues retransmissions faster than the lower layer can deliver them. The upper-layer connection stalls, and every additional retransmission adds to the backlog, causing severe performance degradation.
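The following Python model is an added illustration of the two mechanisms described above; it is not Fortinet code and not taken from this article. It implements the adaptive timer and exponential backoff from RFC 6298, then compares a TCP session carried inside another TCP connection with the same session carried over UDP. The layer model is deliberately simplified (stop-and-wait, one segment, no congestion window), the 200 ms RTO floor is an assumption modelled on common stack behaviour, and the loss pattern and timings are constructed.

```python
"""Toy model of TCP retransmission timers, stand-alone and deterministic.

Added illustration (not Fortinet code): it follows RFC 6298 for the RTO
estimator and exponential backoff, and uses a simplified stop-and-wait
view of each layer to show why stacking TCP inside TCP multiplies
retransmissions while carrying TCP over UDP (ESP-in-UDP or DTLS) does not.
All timings are in milliseconds and all loss patterns are constructed.
"""

ALPHA, BETA = 1 / 8, 1 / 4      # RFC 6298 smoothing gains
MAX_RTO = 60_000                # RFC 6298 permits a ceiling of at least 60 s


def rto_estimator(rtt_samples, min_rto=200):
    """Adaptive RTO: conservative first estimate, then refined by each
    measured RTT.  Returns the RTO after every sample.  RFC 6298 rounds
    the RTO up to 1 s; a 200 ms floor (as used by Linux) is assumed here."""
    srtt = rttvar = None
    rtos = []
    for r in rtt_samples:
        if srtt is None:
            srtt, rttvar = r, r / 2          # first measurement
        else:
            # RTTVAR is updated with the old SRTT before SRTT itself moves.
            rttvar = (1 - BETA) * rttvar + BETA * abs(srtt - r)
            srtt = (1 - ALPHA) * srtt + ALPHA * r
        rtos.append(max(min_rto, srtt + 4 * rttvar))
    return rtos


def backoff_timeouts(initial_rto, losses):
    """Timeouts a layer waits through when `losses` consecutive
    transmissions of one segment are lost: the RTO doubles after each
    expiry (exponential backoff), capped at MAX_RTO."""
    timeouts, rto = [], initial_rto
    for _ in range(losses):
        timeouts.append(rto)
        rto = min(rto * 2, MAX_RTO)
    return timeouts


def tcp_over_tcp(inner_rto, outer_rto, outer_losses, rtt):
    """Inner TCP (user session) rides inside outer TCP (SSL VPN).
    The outer layer loses `outer_losses` transmissions of the segment
    that carries the inner segment and retransmits on its own timer.
    Meanwhile the inner layer sees no ack, and every expiry of its own
    timer hands a fresh copy of the same data to the outer layer.
    Returns (ms until the first copy is finally acked,
             duplicate copies queued at the outer layer,
             total outer-layer transmissions needed)."""
    delivery = sum(backoff_timeouts(outer_rto, outer_losses)) + rtt
    elapsed, rto, duplicates = 0, inner_rto, 0
    while elapsed + rto < delivery:        # inner timer fires before the ack
        elapsed += rto
        duplicates += 1
        rto = min(rto * 2, MAX_RTO)
    # Each duplicate must itself be sent by the outer layer at least once.
    outer_sends = outer_losses + 1 + duplicates
    return delivery, duplicates, outer_sends


def tcp_over_udp(inner_rto, losses, rtt):
    """Same inner TCP carried over UDP: the carrier does not retransmit,
    so only one timer reacts to the same `losses` lost transmissions
    and no duplicate copies pile up."""
    delivery = sum(backoff_timeouts(inner_rto, losses)) + rtt
    return delivery, 0, losses + 1


if __name__ == "__main__":
    print("RTO after each RTT sample:", rto_estimator([100, 100, 300, 100]))
    # Constructed scenario: 100 ms RTT, three consecutive losses on the WAN,
    # inner RTO 200 ms (fast) sitting on an outer RTO of 1000 ms (slow).
    print("TCP over TCP (delivery ms, duplicates, outer sends):",
          tcp_over_tcp(200, 1000, 3, 100))
    print("TCP over UDP (delivery ms, duplicates, sends):",
          tcp_over_udp(200, 3, 100))
```

With the constructed scenario, the stacked case needs 7.1 s and nine outer-layer transmissions to deliver one useful segment (five of them redundant copies queued by the faster inner timer), whereas the same session over a UDP carrier recovers in 1.5 s with four transmissions and no duplicates. The model ignores the congestion window, so real meltdown is worse than the numbers suggest, not better.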
Therefore, it is recommended to enable DTLS in the SSL VPN settings on the FortiGate and in the FortiClient settings to maximize VPN throughput.
When DTLS is enabled, tunnel negotiation and VPN data transfer take place over UDP, which should improve the throughput and performance of the SSL VPN tunnel.
For information about implementing SSL VPN with DTLS, refer to:
Technical Tip: Using DTLS to improve SSL VPN performance
Copyright 2025 Fortinet, Inc. All Rights Reserved.