FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 230161
Description This article describes how to troubleshoot the slow file transfer issue with the SSL-VPN connection.
Scope FortiGate, FortiClient.

After verifying the compatibility between FortiGate and FortiClient,

here are some recommendations to improve file transfer when connected to SSL-VPN:


1) Verify DTLS is enabled both on FortiGate and FortiClient.


On FortiGate:


#config vpn ssl settings
    set dtls-tunnel enable


On FortiClient:


If the client(s) are still using TCP, check FortiClient settings to ensure that the option 'Preferred DTLS Tunnel' is checked in the settings.


2) Make sure there is no packet loss between sites.


3) Make sure SSL-VPN policies do not have any UTM/security profiles.

If there is any then test it without them.


4) Verify transfer speed after disabling NPU-offloading on related VPN policy.


# config firewall policy

    edit (id)

        set auto-asic-offload disable



5) Perform iPerf test on the host machine which is connected to SSL-VPN:

All the iPerf tests will be performed using an internal server as iPerf server which will be used for file transfer.


First, try to generate traffic using parallel sessions to the server using the following command:


iperf3 -c x.x.x.x -P 10


Here P stands for --parallel # number of parallel client streams to run.


Try to increase TCP Window size using the following commands to monitor the bandwidth if the amount of data being transferred is larger:


iperf3 -c  x.x.x.x -w 8KB

iperf3 -c  x.x.x.x -w 64KB

iperf3 -c  x.x.x.x -w 8MB

iperf3 -c  x.x.x.x -w 16MB


Here w stands for --window #[KMG] TCP window size (socket buffer size).


To circumvent TCP limitations on the client host, it is possible to try UDP test with desired bandwidth using the following command:


    Iperf3 -c x.x.x.x -u -b 50M


Here u stands for UDP traffic and -b stands for --bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited).


6) It is possible to change the TLS protocols being used on FortiGate for SSL-VPN.


# config vpn ssl settings

    set ssl-min-proto-ver tls1-1



Disconnect from VPN, shut down the FortiClient application and open it and connect to VPN again.


7) Try changing the MSS value on the related VPN policy.


# config firewall policy

    edit (id)

        set tcp-mss-sender <>

        set tcp-mss-receiver <>



8) Try lowering TCP MSS/MTU on the end PC, changing MTU is easier but will cause network troubles to the user with other services:


C:\Windows>netsh interface ipv4 show subinterface


C:\Windows>netsh interface ipv4 set subinterface “interface_name” mtu=<value> store=persistent


After changing the value, restart the machine. Revert the change if it is not making any impact.