After verifying compatibility between FortiGate and FortiClient, review the following recommendations to improve file transfer performance over SSL VPN:
If the users are still connecting over TCP, check the FortiClient settings and ensure that the option 'Preferred DTLS Tunnel' is enabled.
-
Make sure there is no packet loss between sites.
-
Make sure the SSL VPN policies do not have any UTM/security profiles applied.
If there are any, test the transfer without them.
-
Verify the transfer speed after disabling NPU offloading on the related VPN policy:
config firewall policy
edit (id)
set auto-asic-offload disable
end
-
Perform an iPerf test on the host machine that is connected to the SSL VPN:
All iPerf tests use an internal server as the iPerf server, the same server used for the file transfer.
First, generate traffic using parallel sessions to the server with the following command:
iperf3 -c x.x.x.x -P 10
Here -P stands for --parallel #: the number of parallel client streams to run.
If the amount of data being transferred is large, try increasing the TCP window size with the following commands and monitor the bandwidth:
iperf3 -c x.x.x.x -w 8KB
iperf3 -c x.x.x.x -w 64KB
iperf3 -c x.x.x.x -w 8MB
iperf3 -c x.x.x.x -w 16MB
Here -w stands for --window #[KMG]: the TCP window size (socket buffer size).
To circumvent TCP limitations on the client host, try a UDP test at the desired bandwidth using the following command:
iperf3 -c x.x.x.x -u -b 50M
Here -u selects UDP traffic and -b stands for --bandwidth #[KMG][/#]: the target bandwidth in bits/sec (0 for unlimited).
-
It is also possible to change the TLS protocol versions FortiGate accepts for SSL VPN, for example the minimum version:
config vpn ssl settings
set ssl-min-proto-ver tls1-1
end
Disconnect from the VPN, close and reopen the FortiClient application, and connect to the VPN again. Lowering the minimum protocol version weakens the tunnel's TLS posture, so revert it if it makes no difference.
-
Try changing the MSS value on the related VPN policy.
config firewall policy
edit (id)
set tcp-mss-sender <>
set tcp-mss-receiver <>
end
-
Try lowering the TCP MSS/MTU on the end user's PC. Changing the MTU is easier, but it can cause problems for the user with other network services:
C:\Windows>netsh interface ipv4 show subinterface
C:\Windows>netsh interface ipv4 set subinterface "interface_name" mtu=<value> store=persistent
After changing the value, restart the machine. Revert the change if it does not make any impact.
-
Change the SSL VPN port number. The default port is 443; it is possible to change to another port if the ISP introduces latency on that port.
If the above steps do not bring any improvement, collect the following counters and interface statistics to investigate further.
-
Check whether TX drops on the SSL VPN interface are increasing while the file transfer is running.
FortiGate # fnsysctl ifconfig ssl.root
ssl.root Link encap:Unknown
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0 Bytes) TX bytes:0 (0 Bytes)
Note: Minor TX drops are expected. When the tunnel is torn down, the server/peer side might still send traffic; those packets are dropped by FortiGate and counted as TX drops.
-
Check the SSL VPN mux-stats repeatedly while the file transfer is running.
FortiGate # diag vpn ssl mux-stat
name=ssl.root id=0x1
mux count = 0x1
mux dat count = 0
tx dropped = 3
queue dropped = 0
unwanted dropped = 1
multicast dropped = 2
addr not found = 0
max queue length observed = 0
total queue length observed = 0
If the 'queue dropped' counter increases continuously during the transfer, it indicates slow SSL VPN performance.
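As an added example (not from the original article), the following Python snippet parses two samples of the 'diag vpn ssl mux-stat' output shown above, plus the TX dropped counter from 'fnsysctl ifconfig ssl.root', and reports which drop counters grew between the samples. The sample values are constructed, and the lowercase counter names are assumed to match the output format quoted in the article.

```python
import re

# Constructed samples modelled on the 'diag vpn ssl mux-stat' output quoted above (values made up).
MUX_BEFORE = """name=ssl.root id=0x1
mux count = 0x1
mux dat count = 0
tx dropped = 3
queue dropped = 0
unwanted dropped = 1
multicast dropped = 2
addr not found = 0
max queue length observed = 0
total queue length observed = 0
"""
MUX_AFTER = (MUX_BEFORE.replace("tx dropped = 3", "tx dropped = 5")
             .replace("queue dropped = 0", "queue dropped = 42"))  # second sample, later in the transfer

COUNTER_RE = re.compile(r"^\s*([a-z ]+?)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*$")
IFCONFIG_TX_RE = re.compile(r"TX packets:\d+ errors:\d+ dropped:(\d+)")

def parse_mux_stat(text):
    """Map every 'counter = value' line to an int; hex (0x..) and decimal are both handled.
    The 'name=ssl.root id=0x1' header does not match the value pattern and is skipped."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2), 0)
    return stats

def parse_ifconfig_tx_dropped(text):
    """Return the TX 'dropped' counter from 'fnsysctl ifconfig ssl.root' output, or None."""
    m = IFCONFIG_TX_RE.search(text)
    return int(m.group(1)) if m else None

def counter_deltas(before, after, names=("tx dropped", "queue dropped",
                                         "unwanted dropped", "multicast dropped")):
    """Growth of each drop counter between two parsed samples (missing counters count as 0)."""
    return {n: after.get(n, 0) - before.get(n, 0) for n in names}

def assess(before_text, after_text):
    """Compare two mux-stat samples. Growing 'queue dropped' is the article's indicator of
    SSL VPN slowness; small tx drops are expected on teardown, so they are reported only."""
    d = counter_deltas(parse_mux_stat(before_text), parse_mux_stat(after_text))
    findings = []
    if d["queue dropped"] > 0:
        findings.append(f"queue dropped +{d['queue dropped']}: SSL VPN slowness indicated")
    findings += [f"{n} +{d[n]} (informational)" for n in d if n != "queue dropped" and d[n] > 0]
    return findings
```

Take the two samples a minute or so apart while the transfer runs; `assess(MUX_BEFORE, MUX_AFTER)` flags the growing queue drops and lists the small TX drop growth as informational.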
-
Try restarting the SSL VPN daemon using the command: