After verifying the compatibility between FortiGate and FortiClient, look at some recommendations to improve file transfer when connected to SSL VPN:

1. Verify that DTLS is enabled both on FortiGate and FortiClient.

On FortiGate:

config vpn ssl settings
    set dtls-tunnel enable
end

On FortiClient:

If the Preferred DTLS option is greyed out and unable to enable the checkbox, The lock icon(highlighted) needs to be selected to unlock the settings.

After unlocking the settings, the Preferred DTLS Tunnel option should be able to select.

When FortiClient is managed by EMS, the DTLS option cannot be enabled directly on the FortiClient console. Changes need to be pushed by the administrator from EMS: Technical Tip: How to enable DTLS option from FortiEMS 

If the user(s) are still using TCP, check FortiClient settings to ensure that the option 'Preferred DTLS Tunnel' is checked in the settings.

2. Make sure there is no packet loss between sites.

    

3. Make sure SSL VPN policies do not have any UTM/security profiles.

   If there is any then test it without them.

    

4. Verify the transfer speed after disabling NPU-offloading using the related VPN policy.

    

   config firewall policy

       edit (id)

           set auto-asic-offload disable

   end

    

5. Perform the iPerf test on the host machine which is connected to SSL VPN:

   All the iPerf tests will be performed using an internal server as iPerf server which will be used for file transfer.

    

    

Try to generate traffic using parallel sessions to the server using the following command:

iperf3 -c x.x.x.x -P 10

Here P stands for --parallel # number of parallel client streams to run.

Try to increase TCP Window size using the following commands to monitor the bandwidth if the amount of data being transferred is larger:

iperf3 -c  x.x.x.x -w 8KB

iperf3 -c  x.x.x.x -w 64KB

iperf3 -c  x.x.x.x -w 8MB

iperf3 -c  x.x.x.x -w 16MB

Here w stands for --window #[KMG] TCP window size (socket buffer size).

To circumvent TCP limitations on the client host, it is possible to try the UDP test with the desired bandwidth using the following command:

    Iperf3 -c x.x.x.x -u -b 50M

Here 'u' stands for UDP traffic and -b stands for --bandwidth #[KMG][/#] target bandwidth in bits/sec (0 for unlimited).

2. Changing the TLS protocols being used on FortiGate for SSL-VPN is possible.

    

   config vpn ssl settings

       set ssl-min-proto-ver tls1-1

   end

    

   Disconnect from the VPN, shut down the FortiClient application open it, and connect to VPN again.

    

3. Try changing the MSS value on the related VPN policy.

   
   config firewall policy

       edit (id)

           set tcp-mss-sender <>

           set tcp-mss-receiver <>

   end

    

4. Try lowering TCP MSS/MTU on the end PC, changing MTU is easier but will cause network troubles to the user with other services:

    

   C:\Windows>netsh interface ipv4 show subinterface

    

   C:\Windows>netsh interface ipv4 set subinterface “interface_name” mtu=<value> store=persistent

    

   After changing the value, restart the machine. Revert the change if it is not making any impact.

    

5. Change the port number of the SSL VPN. The default port is 443. It is possible to change to another port if there is latency on that port because of the ISP. 

    

config vpn ssl settings

    set port <port-number>

end

On FortiClient:

Change the customized port to match. 

If the above steps do not make any improvement, the following counters and interface stats can be collected to investigate further.

Check whether Tx drops are increasing or not on the SSL VPN interface while doing file transfer.

FortiGate # fnsysctl ifconfig ssl.root
ssl.root                      Link encap:Unknown
                        UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
                        RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                        TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
                        collisions:0 txqueuelen:1000
                        RX bytes:0 (0 Bytes) TX bytes:0 (0 Bytes) 

Note:

It is expected to see minor TX drops. When the tunnel is torn down, the server/peer side might still try to send out traffic and those packets will be dropped by FortiGate and counted as TX drops.

Check SSL VPN mux-stats frequently while doing the file transfer.

FortiGate # diag vpn ssl mux-stat
name=ssl.root id=0x1
mux count = 0x1
mux dat count = 0
tx dropped = 3
queue dropped = 0
unwanted dropped = 1
multicast dropped = 2
addr not found = 0
max queue length observed = 0
total queue length observed = 0 

If the 'queue dropped' counter is increasing continuously while doing a transfer, it indicates slowness in SSL VPN performance.

Try to restart the SSL VPN daemon using the command:

fnsysctl killall sslvpnd

Note:

Restarting the SSL VPN daemon will disconnect the users currently connected.

Related articles:

Troubleshooting Tip: SSL VPN Troubleshooting

Technical Tip: FortiGate SSL VPN best practices guide

Technical Tip: SSL VPN with external DHCP Server

Technical Tip: How to increase the SSL-VPN tunnel mode bandwidth for small model (multi SSL-VPN clie...

Technical Tip: Reasons for the 'iprope_in_check() failed' error in SSL VPN

Troubleshooting Tip: Checking maximum number of SSL VPN users using ‘diagnose vpn ssl statistics’

Technical Tip: FortiGate IPSec VPN Resource List

Technical Tip: FortiGate Resource Lists