Description: This article describes how to troubleshoot the slow file transfer issue with the SSL-VPN connection.
Scope: FortiGate, FortiClient.
Solution:
After verifying the compatibility between FortiGate and FortiClient, here are some recommendations to improve file transfer when connected to SSL-VPN:
1) Verify DTLS is enabled both on FortiGate and FortiClient.
On FortiGate:
# config vpn ssl settings
    set dtls-tunnel enable
end
On FortiClient:
If the client(s) are still using TCP, check the FortiClient settings to ensure that the option 'Preferred DTLS Tunnel' is checked.
2) Make sure there is no packet loss between sites.
3) Make sure the SSL-VPN policies do not have any UTM/security profiles. If there are any, test the transfer without them.
4) Verify the transfer speed after disabling NPU offloading on the related VPN policy:
# config firewall policy
    edit <id>
        set auto-asic-offload disable
    next
end
5) Perform iperf tests from the host machine connected to SSL-VPN. All the iperf tests below use the internal server that is the file transfer destination as the iperf3 server.
First, try to generate traffic using parallel sessions to the server using the following command:
iperf3 -c x.x.x.x -P 10
Here -P is short for --parallel <n>, the number of parallel client streams to run.
If a larger amount of data is being transferred, try increasing the TCP window size with the following commands and compare the measured bandwidth:
iperf3 -c x.x.x.x -w 8KB
iperf3 -c x.x.x.x -w 64KB
iperf3 -c x.x.x.x -w 8MB
iperf3 -c x.x.x.x -w 16MB
Here -w is short for --window <n>[KMG], the TCP window size (socket buffer size).
To circumvent TCP limitations on the client host, it is possible to try a UDP test at the desired bandwidth using the following command:
iperf3 -c x.x.x.x -u -b 50M
Here -u selects UDP traffic and -b is short for --bandwidth <n>[KMG][/#], the target bandwidth in bits/sec (0 for unlimited).
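The three iperf3 runs above produce numbers that have to be read together: retransmits in the TCP runs point at path loss (step 2), while UDP comfortably beating every TCP run points at a TCP-side limit (window or MSS) rather than raw path capacity. The script below is an added example, not part of the Fortinet article. It assumes each run was repeated with iperf3's JSON output flag (-J) and saved to a file, and reads only the fields iperf3 places under "start" and "end" that it needs; the retransmit threshold, the UDP/TCP ratio and the sample figures are constructed for the example.

```python
"""Summarize iperf3 -J results from the SSL-VPN client against the internal server.

Added example, not part of the Fortinet article. It assumes each iperf3 run from
step 5 was repeated with the JSON output flag (-J) and saved, for instance:

    iperf3 -c x.x.x.x -P 10 -J   > parallel_p10.json
    iperf3 -c x.x.x.x -w 64KB -J > win_64k.json
    iperf3 -c x.x.x.x -u -b 50M -J > udp_50m.json
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RunSummary:
    label: str
    protocol: str                   # "TCP" or "UDP"
    mbps: float                     # throughput seen by the receiver, Mbit/s
    retransmits: Optional[int]      # TCP only: sender-side retransmissions
    lost_percent: Optional[float]   # UDP only
    jitter_ms: Optional[float]      # UDP only


def summarize(label: str, doc: dict) -> RunSummary:
    """Reduce one iperf3 -J document to the figures this troubleshooting needs."""
    proto = doc["start"]["test_start"]["protocol"]
    end = doc["end"]
    if proto == "TCP":
        return RunSummary(label, "TCP",
                          end["sum_received"]["bits_per_second"] / 1e6,
                          end["sum_sent"].get("retransmits"), None, None)
    s = end["sum"]
    return RunSummary(label, "UDP", s["bits_per_second"] / 1e6,
                      None, s["lost_percent"], s["jitter_ms"])


def load_run(label: str, path: str) -> RunSummary:
    """Read a saved `iperf3 -J` file from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return summarize(label, json.load(fh))


def analyse(runs: List[RunSummary], retrans_threshold: int = 100,
            udp_ratio: float = 1.5) -> List[str]:
    """Map the numbers back to the article's steps.

    The thresholds are assumptions chosen for this example: more than
    `retrans_threshold` retransmits in a run, or UDP throughput at least
    `udp_ratio` times the best TCP run, are treated as worth a closer look.
    """
    findings: List[str] = []
    tcp = [r for r in runs if r.protocol == "TCP"]
    udp = [r for r in runs if r.protocol == "UDP"]
    if tcp:
        best = max(tcp, key=lambda r: r.mbps)
        findings.append(f"best TCP run: {best.label} at {best.mbps:.1f} Mbit/s")
        for r in tcp:
            if r.retransmits is not None and r.retransmits > retrans_threshold:
                findings.append(f"{r.label}: {r.retransmits} retransmits, "
                                "check for packet loss on the path (step 2)")
        for u in udp:
            if u.mbps >= udp_ratio * best.mbps:
                findings.append(f"{u.label}: UDP reaches {u.mbps:.1f} Mbit/s while "
                                f"TCP tops out at {best.mbps:.1f} Mbit/s, so the "
                                "limit is on the TCP side (window/MSS, steps 7-8)")
    for u in udp:
        if u.lost_percent is not None and u.lost_percent > 1.0:
            findings.append(f"{u.label}: {u.lost_percent:.1f}% UDP loss, "
                            "the path itself is dropping packets (step 2)")
    return findings


# --- constructed sample documents, shaped like iperf3 -J output -------------
def _constructed_tcp(received_bps: float, retransmits: int) -> dict:
    return {"start": {"test_start": {"protocol": "TCP"}},
            "end": {"sum_sent": {"bits_per_second": received_bps * 1.01,
                                 "retransmits": retransmits},
                    "sum_received": {"bits_per_second": received_bps}}}


def _constructed_udp(bps: float, lost_percent: float, jitter_ms: float) -> dict:
    return {"start": {"test_start": {"protocol": "UDP"}},
            "end": {"sum": {"bits_per_second": bps, "lost_percent": lost_percent,
                            "jitter_ms": jitter_ms}}}


SAMPLE_RUNS: Dict[str, dict] = {
    "parallel_p10": _constructed_tcp(24.0e6, 310),   # -P 10, many retransmits
    "win_64k": _constructed_tcp(18.5e6, 12),         # -w 64KB
    "udp_50m": _constructed_udp(49.6e6, 0.2, 1.4),   # -u -b 50M
}


def run_sample() -> List[str]:
    """Analyse the constructed runs; real use would call load_run() per file."""
    return analyse([summarize(name, doc) for name, doc in SAMPLE_RUNS.items()])


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

With the constructed figures the UDP run reaches roughly twice the best TCP throughput, which is the signature of a client-side TCP limit and sends you to the MSS and MTU steps rather than to the path; a run with UDP loss above the threshold would instead confirm step 2.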
6) It is possible to change the TLS protocol versions accepted by FortiGate for SSL-VPN. Lowering the minimum version widens the set of protocol versions the portal accepts, so revert the setting after the test if it makes no difference:
# config vpn ssl settings
    set ssl-min-proto-ver tls1-1
end
Disconnect from the VPN, close and reopen the FortiClient application, and connect to the VPN again.
7) Try changing the MSS value on the related VPN policy (replace <mss-bytes> with the value under test):
# config firewall policy
    edit <id>
        set tcp-mss-sender <mss-bytes>
        set tcp-mss-receiver <mss-bytes>
    next
end
8) Try lowering the TCP MSS/MTU on the end PC. Changing the MTU is easier, but it also affects the user's other services:
C:\Windows>netsh interface ipv4 show subinterface
C:\Windows>netsh interface ipv4 set subinterface "interface_name" mtu=<value> store=persistent
After changing the value, restart the machine. Revert the change if it is not making any impact.
Copyright 2024 Fortinet, Inc. All Rights Reserved.