Created on 11-17-2022 06:23 AM. Edited on 02-26-2025 09:36 PM by Anthony_E.
Description | This article describes how to troubleshoot slow file transfers over an SSL VPN connection. |
Scope | FortiGate, FortiClient. |
Solution |
After verifying that the FortiGate and FortiClient versions are compatible, apply the following recommendations to improve file transfer performance over SSL VPN:
On FortiGate:
config vpn ssl settings
On FortiClient:
If the 'Preferred DTLS Tunnel' option is greyed out and the checkbox cannot be enabled, select the lock icon to unlock the settings. Once unlocked, the 'Preferred DTLS Tunnel' option can be selected.
When FortiClient is managed by EMS, the DTLS option cannot be enabled directly from the FortiClient console; the administrator needs to push the change from EMS. See: Technical Tip: How to enable DTLS option from FortiEMS
If users are still connecting over TCP, check the FortiClient settings to confirm that 'Preferred DTLS Tunnel' is checked.
Try generating traffic with parallel sessions to the server:
iperf3 -c x.x.x.x -P 10
Here -P is short for --parallel n, the number of parallel client streams to run.
If larger amounts of data are being transferred, try increasing the TCP window size and compare the bandwidth measured with each value:
iperf3 -c x.x.x.x -w 8KB
iperf3 -c x.x.x.x -w 64KB
iperf3 -c x.x.x.x -w 8MB
iperf3 -c x.x.x.x -w 16MB
Here -w is short for --window n[KMG], the TCP window size (socket buffer size). Note that the operating system may cap the socket buffer below the requested value, so a large -w does not guarantee a large window.
To rule out TCP-specific limitations on the client host, run a UDP test at the desired target bandwidth:
iperf3 -c x.x.x.x -u -b 50M
Here -u selects UDP and -b is short for --bandwidth n[KMG][/n] (--bitrate in newer iperf3 versions), the target bandwidth in bits/sec (0 for unlimited). If UDP reaches the target with little loss while TCP stays slow, the bottleneck is in TCP behaviour (window size, latency, retransmissions) rather than in the raw capacity of the tunnel.
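The three iperf3 checks above are easier to compare when run as one sweep with JSON output (-J) and reduced to the few numbers that matter: throughput and retransmits for TCP, throughput, loss and jitter for UDP. The script below is an added example, not part of the original article; it assumes iperf3 is installed on the client and that an iperf3 server is reachable through the tunnel. The embedded sample reports are constructed and trimmed to the keys the script reads, so the summarizer can be exercised without a server.

```python
"""Run the article's iperf3 checks as one sweep and summarize `iperf3 -J` output.
Added example; not from the original article."""
import json
import subprocess
import sys

# (label, extra iperf3 arguments); the commands mirror the ones in the article.
SWEEP = [
    ("tcp parallel x10", ["-P", "10"]),
    ("tcp -w 8K", ["-w", "8K"]),
    ("tcp -w 64K", ["-w", "64K"]),
    ("tcp -w 8M", ["-w", "8M"]),
    ("tcp -w 16M", ["-w", "16M"]),
    ("udp 50M", ["-u", "-b", "50M"]),
]


def summarize(report: dict) -> dict:
    """Reduce an `iperf3 -J` report to the fields relevant to a slow-transfer check.

    UDP reports carry end.sum with lost_percent and jitter_ms; TCP reports carry
    end.sum_sent (with retransmits on Linux) and end.sum_received."""
    end = report["end"]
    udp_sum = end.get("sum", {})
    if "lost_percent" in udp_sum:  # UDP
        return {
            "proto": "UDP",
            "mbps": round(udp_sum["bits_per_second"] / 1e6, 1),
            "lost_percent": round(udp_sum["lost_percent"], 2),
            "jitter_ms": round(udp_sum["jitter_ms"], 3),
        }
    return {  # TCP
        "proto": "TCP",
        "mbps": round(end["sum_received"]["bits_per_second"] / 1e6, 1),
        "retransmits": end["sum_sent"].get("retransmits", 0),
    }


def run_one(server: str, extra: list, seconds: int = 5) -> dict:
    """Run a single iperf3 client test and return its summary."""
    cmd = ["iperf3", "-c", server, "-J", "-t", str(seconds), *extra]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError(f"iperf3 produced no output: {proc.stderr.strip()}")
    report = json.loads(proc.stdout)
    if "error" in report:  # iperf3 -J reports connection failures this way
        raise RuntimeError(report["error"])
    return summarize(report)


def run_sweep(server: str) -> dict:
    """Run every entry of SWEEP against `server` and return {label: summary}."""
    return {label: run_one(server, extra) for label, extra in SWEEP}


# Constructed sample reports (not real measurements), trimmed to the keys read above.
SAMPLE_TCP = {
    "end": {
        "sum_sent": {"bits_per_second": 31_000_000.0, "retransmits": 412},
        "sum_received": {"bits_per_second": 29_500_000.0},
    }
}
SAMPLE_UDP = {
    "end": {"sum": {"bits_per_second": 49_900_000.0, "lost_percent": 0.08, "jitter_ms": 1.234}}
}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        for label, result in run_sweep(sys.argv[1]).items():
            print(f"{label:18} {result}")
    else:
        print("tcp sample:", summarize(SAMPLE_TCP))
        print("udp sample:", summarize(SAMPLE_UDP))
```

Run it as `python3 sweep.py <server-ip>` from a client connected to the SSL VPN; with no argument it summarizes the constructed samples. A high retransmit count alongside low TCP throughput, while the UDP run reaches its target with little loss, points at TCP behaviour over the tunnel rather than at its capacity.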
Change the SSL VPN listening port on FortiGate:
config vpn ssl settings
    set port <port-number>
end
On FortiClient: change the customized port to match.
If the above steps do not bring any improvement, collect the following counters and interface statistics to investigate further.
Check whether TX drops are increasing on the SSL VPN interface while the file transfer is running:
FortiGate # fnsysctl ifconfig ssl.root
(ssl.root is the SSL VPN interface of the root VDOM; for another VDOM, use ssl.<vdom-name>.)
Note: Minor TX drops are expected. When the tunnel is torn down, the server/peer side might still send traffic; those packets are dropped by FortiGate and counted as TX drops. A counter that keeps climbing during an active transfer is the symptom to look for.
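Because a few TX drops at teardown are normal, the useful measurement is the change in the counter between two snapshots taken while the transfer is running. The script below is an added example, not from the article: it parses two pasted `fnsysctl ifconfig ssl.root` outputs and reports how many packets and drops were added between them. The snapshot layout is assumed to follow the BusyBox-style ifconfig format, and the embedded snapshots and their numbers are constructed.

```python
"""Compare TX drop counters between two `fnsysctl ifconfig ssl.root` snapshots.
Added example; not from the original article."""
import re

# Matches the BusyBox-style counter lines, e.g.
# "TX packets:1234 errors:0 dropped:3 overruns:0 carrier:0 collisions:0"
COUNTER_RE = re.compile(r"^\s*(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+)", re.M)


def parse_counters(text: str) -> dict:
    """Return {'RX': {...}, 'TX': {...}} from one ifconfig-style snapshot."""
    out = {}
    for direction, packets, errors, dropped in COUNTER_RE.findall(text):
        out[direction] = {"packets": int(packets), "errors": int(errors), "dropped": int(dropped)}
    if "TX" not in out:
        raise ValueError("no TX counter line found; is this ifconfig output?")
    return out


def tx_drop_delta(before: str, after: str) -> dict:
    """Packets and drops added between two snapshots, plus the drop ratio.

    A handful of drops (expected at tunnel teardown, per the article) gives a
    near-zero ratio; a counter climbing during the transfer does not."""
    b, a = parse_counters(before)["TX"], parse_counters(after)["TX"]
    d_pkts = a["packets"] - b["packets"]
    d_drop = a["dropped"] - b["dropped"]
    if d_pkts < 0 or d_drop < 0:
        raise ValueError("counters went backwards; interface was reset between snapshots")
    ratio = d_drop / d_pkts if d_pkts else 0.0
    return {"tx_packets": d_pkts, "tx_dropped": d_drop, "drop_ratio": round(ratio, 4)}


# Constructed snapshots in the assumed ifconfig layout; all numbers are made up.
BEFORE = """\
ssl.root  Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:180422 errors:0 dropped:0 overruns:0 frame:0
          TX packets:255910 errors:0 dropped:12 overruns:0 carrier:0 collisions:0
          RX bytes:21544001 (20.5 MB)  TX bytes:311200450 (296.8 MB)
"""
AFTER = """\
ssl.root  Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:240118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:455910 errors:0 dropped:4312 overruns:0 carrier:0 collisions:0
          RX bytes:28112300 (26.8 MB)  TX bytes:601200450 (573.3 MB)
"""

if __name__ == "__main__":
    print(tx_drop_delta(BEFORE, AFTER))
```

Take the first snapshot as the transfer starts and the second a minute or so later, while it is still running; if the interface flaps between snapshots the counters reset and the script refuses to compare them. In the constructed data, 4300 drops over 200000 transmitted packets (a 2.15% drop ratio during an active transfer) is the pattern the article describes as worth investigating, unlike a dozen drops left over from a torn-down tunnel.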
Check the SSL VPN mux-stats repeatedly while the file transfer is running:
FortiGate # diag vpn ssl mux-stat
If the 'queue dropped' counter increases continuously during a transfer, it indicates degraded SSL VPN performance. Try restarting the SSL VPN daemon.
Note: Restarting the SSL VPN daemon will disconnect the users currently connected.
Related articles:
Troubleshooting Tip: SSL VPN Troubleshooting
Technical Tip: FortiGate SSL VPN best practices guide
Technical Tip: SSL VPN with external DHCP Server
Technical Tip: Reasons for the 'iprope_in_check() failed' error in SSL VPN
Troubleshooting Tip: Checking maximum number of SSL VPN users using 'diagnose vpn ssl statistics' |
Copyright 2025 Fortinet, Inc. All Rights Reserved.