FortiGate
pmanak
Staff
Article Id 214663

Description

This article explains why SSL VPN tunnel traffic is more sensitive to latency than IPsec VPN traffic.

Scope

FortiGate

Solution

Network throughput over a VPN tunnel depends heavily on the latency and packet loss of the underlying network. SSL VPN in particular is very sensitive to latency and packet loss because of the nature of TCP over TCP.

IPsec VPN has no outer TCP layer, so it does not suffer from the TCP-over-TCP problem.

TCP is a reliable protocol: the source and destination nodes rely heavily on TCP acknowledgements to know whether or not the traffic was delivered to the destination.

If an acknowledgement for a transmitted segment is not received within a specific time period, the source node has to retransmit the lost data; the same happens when the destination node sends duplicate acknowledgements requesting the missing segment.

This TCP retransmission timer is adaptive, which means it adjusts to the characteristics of the link.

It starts with a conservative estimate and is updated dynamically with every received segment. When a segment times out, the next timeout is increased exponentially (exponential backoff).

Because of this behaviour, a single TCP connection avoids the meltdown effect, where retransmissions pile up faster than the link can clear them.

When one TCP session is stacked on top of another TCP connection, each layer runs its own retransmission timer.

[image: pmanak_0-1655220971176.png]

It can happen that the lower layer (the tunnel) has a slower timer than the upper layer (the payload session). If the lower layer starts to experience packet loss, it retransmits and increases its timer.

Because the lower layer is still retransmitting, the upper layer that carries the payload does not receive its acknowledgement either, and it starts queuing retransmissions of its own.

As the upper layer's timeout is shorter than the lower layer's, it queues retransmissions faster than the lower layer can deliver them.

This stalls the upper layer connection, and every additional retransmission makes the problem worse.

Therefore, enabling DTLS under the SSL VPN configuration on FortiGate will maximize VPN throughput.

When DTLS is enabled, the tunnel negotiation and VPN data transfer take place over UDP instead of TCP, so there is no TCP-over-TCP stacking and the throughput of the SSL VPN tunnel is much better.
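The adaptive retransmission timer with exponential backoff, the TCP-over-TCP stall and the contrast with a datagram (DTLS-style) transport, as an added Python model. This is an illustrative example written for this article, not FortiGate code or Fortinet's own analysis. The timer estimator follows RFC 6298; every function name, the RTT samples, the one-way delay, the loss counts and the rto_min floor parameter are assumptions of the model, and the model deliberately simplifies real TCP (one segment, no fast retransmit, no congestion window) to isolate the interaction between the two timers.

```python
"""Toy model of adaptive TCP retransmission timers and TCP-over-TCP stacking.

Constructed example for illustration; all values are milliseconds.
  rfc6298_rto()      -- derive the retransmission timeout (RTO) from RTT samples
  backoff_rto()      -- exponential backoff applied after each timeout
  retransmit_times() -- when a backing-off sender's timer fires
  stacked_meltdown() -- inner TCP segment riding an outer TCP tunnel that loses
                        packets: the inner timer keeps firing while the outer
                        tunnel is still retransmitting, and each firing is a
                        redundant copy the outer tunnel must queue and deliver
  udp_recovery()     -- the same segment over a datagram transport (no outer
                        timer), where each retransmission is actually needed
"""

ALPHA, BETA, K, G = 1 / 8, 1 / 4, 4.0, 1.0   # RFC 6298 constants; G = clock granularity (ms)


def rfc6298_rto(samples, rto_min=1000.0, initial=1000.0):
    """Feed RTT samples (ms) through the RFC 6298 estimator.

    Returns (srtt, rttvar, rto).  The RFC's floor is 1 s; rto_min is a model
    knob (assumption) for stacks that use a lower floor.
    """
    srtt = rttvar = None
    rto = initial                                # conservative start before any sample
    for r in samples:
        if srtt is None:                         # first measurement
            srtt, rttvar = r, r / 2
        else:                                    # RTTVAR is updated before SRTT, per RFC
            rttvar = (1 - BETA) * rttvar + BETA * abs(srtt - r)
            srtt = (1 - ALPHA) * srtt + ALPHA * r
        rto = max(srtt + max(G, K * rttvar), rto_min)
    return srtt, rttvar, rto


def backoff_rto(rto, timeouts, rto_max=60000.0):
    """RTO after `timeouts` consecutive expiries: doubled each time, capped."""
    return min(rto * 2 ** timeouts, rto_max)


def retransmit_times(rto, count, rto_max=60000.0):
    """Times (ms after the original send at t=0) of the first `count`
    timer-driven retransmissions of one segment: rto, rto+2rto, rto+2rto+4rto, ..."""
    times, t = [], 0.0
    for i in range(count):
        t += backoff_rto(rto, i, rto_max)
        times.append(t)
    return times


def stacked_meltdown(inner_rto, outer_rto, one_way_delay, outer_losses, max_inner=20):
    """Inner TCP segment sent at t=0 into an outer TCP tunnel whose first
    `outer_losses` transmissions of it are lost on the wire.

    The outer tunnel retransmits with backoff until a copy gets through; the
    inner sender only sees silence and fires its own timer.  Each inner firing
    is a new segment for the outer tunnel, which delivers in order, so the copy
    sits behind the stalled head-of-line segment and is pure overhead.
    Returns (ack_time_ms, redundant_inner_copies).
    """
    if outer_losses == 0:
        ack_at = 2 * one_way_delay
    else:
        ack_at = retransmit_times(outer_rto, outer_losses)[-1] + 2 * one_way_delay
    redundant = sum(1 for t in retransmit_times(inner_rto, max_inner) if t < ack_at)
    return ack_at, redundant


def udp_recovery(inner_rto, one_way_delay, losses):
    """Same segment over a datagram transport: there is no outer retransmission,
    so the inner TCP sees each loss directly and every retransmission is needed.
    Returns (ack_time_ms, retransmissions)."""
    if losses == 0:
        return 2 * one_way_delay, 0
    return retransmit_times(inner_rto, losses)[-1] + 2 * one_way_delay, losses


if __name__ == "__main__":
    # Constructed RTT histories: outer (wire) around 100 ms, inner (through the tunnel) around 120 ms.
    _, _, outer_rto = rfc6298_rto([100, 110, 95, 105, 100], rto_min=200.0)
    _, _, inner_rto = rfc6298_rto([120, 125, 118, 122, 120], rto_min=200.0)
    print(f"outer RTO {outer_rto:.0f} ms, inner RTO {inner_rto:.0f} ms")
    print("losses  TCP-over-TCP: ack(ms) redundant   over UDP: ack(ms) retransmits")
    for losses in range(0, 5):
        ack, extra = stacked_meltdown(inner_rto, outer_rto, 50.0, losses)
        uack, ur = udp_recovery(inner_rto, 50.0, losses)
        print(f"{losses:6d}  {ack:18.0f} {extra:9d}   {uack:17.0f} {ur:11d}")
```

Running the script prints, for 0 to 4 consecutive losses on the outer tunnel, how long the inner segment waits for its acknowledgement and how many redundant copies the inner timer pushed into the tunnel queue in the meantime, beside the same losses seen directly by a TCP session over UDP. In this simplified model the acknowledgement arrives at about the same time either way; the difference is the extra copies, which the outer TCP tunnel still has to carry after the stall and which are what turns a burst of loss into a stalled connection.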

[image: pmanak_1-1655220971181.png]

For information about implementing SSL VPN with DTLS, refer to:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Using-DTLS-to-improve-SSL-VPN-performance...