FortiGate
sjoshi
Staff
Article Id 245136
Description

 

This article describes troubleshooting for slow download and upload issues over the IPsec tunnel.

 

Scope

 

FortiGate.

 

Solution

 

Measure the transfer speed over the WAN link and compare it with the speed of the same traffic through the tunnel link.
If the speed over the WAN link is already below expectations, the speed through the tunnel link will be lower as well.

 

Topology:

 

sjoshi_0-1675852521081.png

 

Download the FileZilla server for one machine and the FileZilla client for a machine at the other location:
Server: https://filezilla-project.org/download.php?platform=win64&type=server
Client: https://filezilla-project.org/download.php?platform=win64

 

The FileZilla server is installed on the FGT1 LAN machine and the FileZilla client on the FGT2 LAN machine.

 

Passing traffic through the tunnel link.

First, check the download/upload of files through the IPsec tunnel.

When connecting to FTP through the IPsec tunnel, it is necessary to use the local IP.

 

As the image below shows, enter the local IP of the remote server in the Host field, along with the FTP username/password.

 

sjoshi_1-1675852619903.png

 

After connecting to the FTP server, start downloading the files.

 

The image below shows the download speed through the tunnel; compare this value with the download speed measured over the WAN link.

Similarly, upload a file to the FTP server and check the upload speed, first through the tunnel and then over the WAN link, and compare the two.

 

sjoshi_2-1675852689487.png

 

Passing traffic through the WAN link.

Next, check the download/upload speed through the WAN link.

Since the server is behind FGT1, it is necessary to create a VIP.

 

10.5.23.172 is the WAN IP.

172.31.135.172 is the server IP.

 

VIP configuration:

 

sjoshi_3-1675853016056.png

 

Also, in the incoming policy on FGT1 where the VIP is used, make sure to enable NAT or whitelist the remote IP on the server side.

 

Now download the same file and check the speed achieved over the WAN link, as shown in the image below.

 

Follow the same steps for uploading files.

 

sjoshi_4-1675853053103.png

 

If the difference between the download/upload speed over the WAN link and through the tunnel link is minimal, there is no speed issue with the VPN: traffic going through the tunnel is encrypted and decrypted, so some difference is expected.
Also, the MTU through the tunnel differs from the MTU of the WAN link, and the difference depends on the encryption/authentication used in the VPN settings.
If the speed is low over the WAN link itself, check with the ISP after validating NPU drops, FortiGate system performance, the crash log, interface drops, etc.
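
The MTU point above, worked through as an added example (not part of the original article and not Fortinet code): it computes ESP tunnel-mode framing overhead per RFC 4303 for a few encryption/authentication combinations. The 1500-byte WAN MTU, the algorithm labels, and the IPv4-only, no-TCP-options framing are assumptions of this example.

```python
# Added example: ESP tunnel-mode overhead per proposal (RFC 4303 framing).
# Cipher -> (IV bytes, block/alignment bytes); auth -> ICV bytes. Labels are this example's own.
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16), "aes-gcm": (8, 4)}
ICVS = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32, "gcm": 16}

OUTER_IPV4 = 20    # new outer IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # UDP/4500 encapsulation when NAT traversal is active
INNER_TCP_IP = 40  # inner IPv4 (20) + TCP (20) headers, no options (assumption)


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """Size on the WAN of one inner IPv4 packet after ESP tunnel-mode encapsulation."""
    iv, block = CIPHERS[cipher]
    # Inner packet plus trailer is padded up to the cipher's block/alignment size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + padded + ICVS[auth]


def max_inner_packet(wan_mtu, cipher, auth, nat_t=False):
    """Largest inner packet that fits in one WAN packet without fragmentation."""
    inner = wan_mtu
    while esp_packet_size(inner, cipher, auth, nat_t) > wan_mtu:
        inner -= 1
    return inner


def tcp_payload_ratio(wan_mtu, cipher, auth, nat_t=False):
    """TCP payload per WAN byte through the tunnel, relative to the plain WAN path.

    Framing only: ignores encryption/decryption processing cost and layer-2 overhead.
    """
    inner = max_inner_packet(wan_mtu, cipher, auth, nat_t)
    tunnel = (inner - INNER_TCP_IP) / esp_packet_size(inner, cipher, auth, nat_t)
    plain = (wan_mtu - INNER_TCP_IP) / wan_mtu
    return tunnel / plain


if __name__ == "__main__":
    for cipher, auth in [("aes-cbc", "sha1"), ("aes-cbc", "sha256"), ("aes-gcm", "gcm")]:
        for nat_t in (False, True):
            inner = max_inner_packet(1500, cipher, auth, nat_t)
            ratio = tcp_payload_ratio(1500, cipher, auth, nat_t)
            print(f"{cipher}/{auth} nat_t={nat_t}: max inner packet {inner} bytes, "
                  f"framing-only throughput {ratio:.1%} of WAN")
```

A gap between tunnel and WAN speed of a few percent is consistent with this framing overhead alone; a much larger gap points to something other than encapsulation.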

 

Note:

During testing in the lab, only two machines were utilizing the bandwidth, and latency between the remote peer IPs of the two FortiGates was minimal.
