Description
This article describes troubleshooting for the speed or bandwidth throttling issues over the Site-to-Site IPSec tunnel.
Scope
FortiGate and all FortiOS Platforms.
Solution
The best way to troubleshoot speed-related issues on the IPSec tunnel is to compare the bandwidth over wan.
As IPSec packets travel in the form of ESP(Encapsulated Security Payload) packets that are sent over WAN.
Therefore, the maximum throughput one can get over IPSec depends upon how fast the resource can be reached from location A to location B over the WAN.
In this scenario, port1 is the WAN interface on both sites and port2 is the LAN interface on both sites.
There is a need to have some specific requirements to measure bandwidth over WAN.
Firstly, there is a requirement to have an unused public IP space on Site B so that a VIP can be configured in order to open the port to any server where an IPerf server can be configured in the server mode.
This server will be listening on the port and secondly needs a corresponding policy with VIP as the destination to allow the traffic from site A FortiGate to perform the test.
Then from the FortiGate on site A, run the Iperf commands (as FortiGate can only act in client mode )
diag traffictest client-intf port1 <----- Define Fortigate port (WAN port)
diag traffictest server-intf port1 <----- Define Fortigate port (WAN port)
diag traffictest port 5209 <----- Define iPerf3 port running on the iPerf3 server.
diag traffictest run -c 1.2.3.4 <----- Remote site B WAN IP
SAMPLE OUTPUT:
[ 14] local 4.3.2.1 port 5201 connected to 1.2.3.4 port 5209
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 14] 0.00-1.01 sec 1.78 MBytes 14.8 Mbits/sec 2 198 KBytes
[ 14] 1.01-2.01 sec 3.56 MBytes 29.9 Mbits/sec 37 256 KBytes
[ 14] 2.01-3.01 sec 6.01 MBytes 50.4 Mbits/sec 0 304 KBytes
[ 14] 3.01-4.01 sec 6.73 MBytes 56.6 Mbits/sec 0 335 KBytes
[ 14] 4.01-5.01 sec 6.73 MBytes 56.4 Mbits/sec 0 354 KBytes
[ 14] 5.01-6.01 sec 6.78 MBytes 56.9 Mbits/sec 0 354 KBytes
[ 14] 6.01-7.01 sec 6.65 MBytes 55.8 Mbits/sec 0 363 KBytes
[ 14] 7.01-8.01 sec 6.77 MBytes 56.8 Mbits/sec 0 363 KBytes
[ 14] 8.01-9.01 sec 4.58 MBytes 38.4 Mbits/sec 5 187 KBytes
[ 14] 9.01-10.00 sec 6.07 MBytes 51.1 Mbits/sec 0 301 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 14] 0.00-10.00 sec 55.7 MBytes 46.7 Mbits/sec 44 sender
[ 14] 0.00-10.00 sec 55.5 MBytes 46.6 Mbits/sec receiver
iperf Done.
iperf3: interrupt - the server has terminated
After confirming the speed over the WAN, In order to confirm the same via IPSec tunnel route, run the Iperf commands on Site A again with the private IP of the server which is reachable via IPSEC.
diag traffictest client-intf port2 <----- Define FortiGate port (this is the lan port for the subnet allowed over phase-2 selectors)
diag traffictest server-intf port2 <----- Define FortiGate port (this is the lan port for the subnet allowed over phase-2 selectors)
diag traffictest port 5209 <----- Define iPerf3 port running on the iPerf3 server.
diag traffictest run -c 192.168.10.2
[ 14] local 192.168.1.1 port 5201 connected to 192.168.10.2 port 5209
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 14] 0.00-1.01 sec 1.78 MBytes 14.8 Mbits/sec 2 198 KBytes
[ 14] 1.01-2.01 sec 3.56 MBytes 29.9 Mbits/sec 37 256 KBytes
[ 14] 2.01-3.01 sec 6.01 MBytes 50.4 Mbits/sec 0 304 KBytes
[ 14] 3.01-4.01 sec 6.73 MBytes 56.6 Mbits/sec 0 335 KBytes
[ 14] 4.01-5.01 sec 6.73 MBytes 56.4 Mbits/sec 0 354 KBytes
[ 14] 5.01-6.01 sec 6.78 MBytes 56.9 Mbits/sec 0 354 KBytes
[ 14] 6.01-7.01 sec 6.65 MBytes 55.8 Mbits/sec 0 363 KBytes
[ 14] 7.01-8.01 sec 6.77 MBytes 56.8 Mbits/sec 0 363 KBytes
[ 14] 8.01-9.01 sec 4.58 MBytes 38.4 Mbits/sec 5 187 KBytes
[ 14] 9.01-10.00 sec 6.07 MBytes 51.1 Mbits/sec 0 301 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 14] 0.00-10.00 sec 55.7 MBytes 42.7 Mbits/sec 44 sender
[ 14] 0.00-10.00 sec 55.5 MBytes 42.6 Mbits/sec receiver
iperf Done.
iperf3: interrupt - the server has terminated
If the difference is minimal between both tests, it can be concluded that the bandwidth difference is due to the fact that traffic is encrypted & decrypted over the tunnel but if the difference is significantly noticeable, then further troubleshooting has to be done with respect to the npu-offloading being enabled/ disabled, drops on the NPU chips, CPU/ Memory utilization on the FortiGate.
This is awesome ! much needed for day to day troubleshooting with speed issues over IPsec.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.