FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kanand
Staff
Staff
Article Id 216705

Description

 

This article describes troubleshooting for the speed or bandwidth throttling issues over the Site-to-Site IPSec tunnel.

 

Scope

 

FortiGate and all FortiOS Platforms.

 

Solution

 

The best way to troubleshoot speed-related issues on the IPSec tunnel is to compare the bandwidth over wan.

 

As IPSec packets travel in the form of  ESP(Encapsulated Security Payload) packets that are sent over WAN.

 

Therefore, the maximum throughput one can get over IPSec depends upon how fast the resource can be reached from location A to location B over the WAN.

 

In this scenario, port1 is the WAN interface on both sites and port2 is the LAN interface on both sites.

 

kanand_0-1656957215232.png

 

There is a need to have some specific requirements to measure bandwidth over WAN.

 

Firstly, there is a requirement to have an unused public IP space on Site B so that a VIP can be configured in order to open the port to any server where an IPerf server can be configured in the server mode.

 

This server will be listening on the port and secondly needs a corresponding policy with VIP as the destination to allow the traffic from site A FortiGate to perform the test.

 

Then from the FortiGate on site A, run the Iperf commands (as FortiGate can only act in client mode )

 

diag traffictest client-intf port1    <----- Define Fortigate port (WAN port)

 

diag traffictest server-intf port1    <----- Define Fortigate port (WAN port)

 

diag traffictest port 5209            <----- Define iPerf3 port running on the iPerf3 server.

 

diag traffictest run -c 1.2.3.4       <----- Remote site B WAN IP

 

SAMPLE OUTPUT:

 

[ 14] local 4.3.2.1 port 5201 connected to 1.2.3.4 port 5209

[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd

[ 14]   0.00-1.01   sec  1.78 MBytes  14.8 Mbits/sec    2    198 KBytes

[ 14]   1.01-2.01   sec  3.56 MBytes  29.9 Mbits/sec   37    256 KBytes

[ 14]   2.01-3.01   sec  6.01 MBytes  50.4 Mbits/sec    0    304 KBytes

[ 14]   3.01-4.01   sec  6.73 MBytes  56.6 Mbits/sec    0    335 KBytes

[ 14]   4.01-5.01   sec  6.73 MBytes  56.4 Mbits/sec    0    354 KBytes

[ 14]   5.01-6.01   sec  6.78 MBytes  56.9 Mbits/sec    0    354 KBytes

[ 14]   6.01-7.01   sec  6.65 MBytes  55.8 Mbits/sec    0    363 KBytes

[ 14]   7.01-8.01   sec  6.77 MBytes  56.8 Mbits/sec    0    363 KBytes

[ 14]   8.01-9.01   sec  4.58 MBytes  38.4 Mbits/sec    5    187 KBytes

[ 14]   9.01-10.00  sec  6.07 MBytes  51.1 Mbits/sec    0    301 KBytes

- - - - - - - - - - - - - - - - - - - - - - - - -

[ ID] Interval           Transfer     Bandwidth       Retr

[ 14]   0.00-10.00  sec  55.7 MBytes  46.7 Mbits/sec   44             sender

[ 14]   0.00-10.00  sec  55.5 MBytes  46.6 Mbits/sec                  receiver

iperf Done.

iperf3: interrupt - the server has terminated

 

After confirming the speed over the WAN, In order to confirm the same via IPSec tunnel route, run the Iperf commands on Site A again with the private IP of the server which is reachable via IPSEC.

 

diag traffictest client-intf port2     <----- Define FortiGate port (this is the lan port for the subnet allowed over phase-2 selectors)

 

diag traffictest server-intf port2     <----- Define FortiGate port (this is the lan port for the subnet allowed over phase-2 selectors)

 

diag traffictest port 5209             <----- Define iPerf3 port running on the iPerf3 server.

 

diag traffictest run -c 192.168.10.2

 

[ 14] local 192.168.1.1 port 5201 connected to 192.168.10.2 port 5209

[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd

[ 14]   0.00-1.01   sec  1.78 MBytes  14.8 Mbits/sec    2    198 KBytes

[ 14]   1.01-2.01   sec  3.56 MBytes  29.9 Mbits/sec   37    256 KBytes

[ 14]   2.01-3.01   sec  6.01 MBytes  50.4 Mbits/sec    0    304 KBytes

[ 14]   3.01-4.01   sec  6.73 MBytes  56.6 Mbits/sec    0    335 KBytes

[ 14]   4.01-5.01   sec  6.73 MBytes  56.4 Mbits/sec    0    354 KBytes

[ 14]   5.01-6.01   sec  6.78 MBytes  56.9 Mbits/sec    0    354 KBytes

[ 14]   6.01-7.01   sec  6.65 MBytes  55.8 Mbits/sec    0    363 KBytes

[ 14]   7.01-8.01   sec  6.77 MBytes  56.8 Mbits/sec    0    363 KBytes

[ 14]   8.01-9.01   sec  4.58 MBytes  38.4 Mbits/sec    5    187 KBytes

[ 14]   9.01-10.00  sec  6.07 MBytes  51.1 Mbits/sec    0    301 KBytes

- - - - - - - - - - - - - - - - - - - - - - - - -

[ ID] Interval           Transfer     Bandwidth       Retr

[ 14]   0.00-10.00  sec  55.7 MBytes  42.7 Mbits/sec   44             sender

[ 14]   0.00-10.00  sec  55.5 MBytes  42.6 Mbits/sec                  receiver

iperf Done.

iperf3: interrupt - the server has terminated

 

If the difference is minimal between both tests, it can be concluded that the bandwidth difference is due to the fact that traffic is encrypted & decrypted over the tunnel but if the difference is significantly noticeable, then further troubleshooting has to be done with respect to the npu-offloading being enabled/ disabled, drops on the NPU chips, CPU/ Memory utilization on the FortiGate.

Comments
A_dhanda
Staff
Staff

This is awesome ! much needed for day to day troubleshooting with speed issues over IPsec. 

Contributors