Kush_Patel
Staff
Article Id 230161
Description This article describes how to troubleshoot the slow file transfer issue with the SSL-VPN connection.
Scope FortiGate, FortiClient.
Solution

After verifying compatibility between FortiGate and FortiClient, here are some recommendations to improve file transfer when connected to SSL-VPN:

1) Verify DTLS is enabled on both FortiGate and FortiClient.

On FortiGate:

# config vpn ssl settings
    set dtls-tunnel enable
end

On FortiClient:

If the client(s) are still using TCP, check the FortiClient settings to ensure that the option 'Preferred DTLS Tunnel' is checked.

2) Make sure there is no packet loss between sites.

3) Make sure the SSL-VPN policies do not have any UTM/security profiles applied. If any are applied, test without them.

4) Verify the transfer speed after disabling NPU offloading on the related VPN policy:

# config firewall policy
    edit <id>
        set auto-asic-offload disable
    end

5) Perform an iPerf test from the host machine that is connected to SSL-VPN.

All iPerf tests below use an internal server (the one used for the file transfer) as the iPerf server.

First, try to generate traffic using parallel sessions to the server:

iperf3 -c x.x.x.x -P 10

Here -P stands for --parallel, the number of parallel client streams to run.

If the amount of data being transferred is large, try increasing the TCP window size and monitor the bandwidth:

iperf3 -c x.x.x.x -w 8KB
iperf3 -c x.x.x.x -w 64KB
iperf3 -c x.x.x.x -w 8MB
iperf3 -c x.x.x.x -w 16MB

Here -w stands for --window #[KMG], the TCP window size (socket buffer size).

To circumvent TCP limitations on the client host, a UDP test with the desired bandwidth can be run instead:

iperf3 -c x.x.x.x -u -b 50M

Here -u selects UDP traffic and -b stands for --bandwidth #[KMG][/#], the target bandwidth in bits/sec (0 for unlimited).

6) It is possible to change the minimum TLS protocol version used by FortiGate for SSL-VPN:

# config vpn ssl settings
    set ssl-min-proto-ver tls1-1
end

Disconnect from the VPN, close the FortiClient application, open it again and reconnect to the VPN.

7) Try changing the MSS value on the related VPN policy:

# config firewall policy
    edit <id>
        set tcp-mss-sender <value>
        set tcp-mss-receiver <value>
    end

8) Try lowering the TCP MSS/MTU on the end PC. Changing the MTU is easier, but it will cause network trouble for the user with other services:

C:\Windows>netsh interface ipv4 show subinterface

C:\Windows>netsh interface ipv4 set subinterface "interface_name" mtu=<value> store=persistent

After changing the value, restart the machine. Revert the change if it does not make any difference.
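Running the iperf3 sweep from step 5 by hand and comparing the numbers is tedious, so the script below (added here as an example; it is not part of the Fortinet article) runs the same commands with JSON output (-J) and reduces each report to throughput plus a loss figure, which also gives the packet-loss check from step 2 and a retransmit count worth comparing before and after the MSS changes in steps 7 and 8. It assumes iperf3 is installed on the client, that the x.x.x.x placeholder is replaced with the internal iperf3 server address, and uses the JSON field names iperf3 itself emits (end.sum_sent / end.sum_received for TCP, end.sum for UDP).

```python
"""Run the SSL-VPN iperf3 sweep and summarize each report. Example code, not Fortinet's."""
import json
import subprocess

SERVER = "x.x.x.x"                         # placeholder: internal iperf3 server behind the tunnel
PARALLEL = 10                              # -P value from step 5
WINDOWS = ["8KB", "64KB", "8MB", "16MB"]   # -w values from step 5
UDP_TARGET = "50M"                         # -b value from step 5


def build_commands(server):
    """Return (label, argv) pairs for every test in the sweep; -J makes iperf3 print JSON."""
    cmds = [("tcp P=%d" % PARALLEL, ["iperf3", "-c", server, "-P", str(PARALLEL), "-J"])]
    for w in WINDOWS:
        cmds.append(("tcp w=%s" % w, ["iperf3", "-c", server, "-w", w, "-J"]))
    cmds.append(("udp b=%s" % UDP_TARGET, ["iperf3", "-c", server, "-u", "-b", UDP_TARGET, "-J"]))
    return cmds


def summarize(report):
    """Reduce one iperf3 JSON report to Mbit/s and a loss indicator.
    TCP reports carry end.sum_received / end.sum_sent (with retransmits);
    UDP reports carry end.sum with lost_percent."""
    end = json.loads(report)["end"]
    if "sum_received" in end:                      # TCP run
        mbps = end["sum_received"]["bits_per_second"] / 1e6
        retrans = end["sum_sent"].get("retransmits", 0)
        return {"mbps": round(mbps, 1), "retransmits": retrans}
    s = end["sum"]                                 # UDP run
    return {"mbps": round(s["bits_per_second"] / 1e6, 1),
            "lost_percent": round(s["lost_percent"], 2)}


def run_sweep(server=SERVER, timeout=60):
    """Execute every test in order; an iperf3 error report has no 'end' key and is recorded as such."""
    results = {}
    for label, argv in build_commands(server):
        try:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
            results[label] = summarize(proc.stdout)
        except (FileNotFoundError, subprocess.TimeoutExpired, KeyError, ValueError) as exc:
            results[label] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for label, res in run_sweep().items():
        print("%-12s %s" % (label, res))
```

Run each sweep twice, once with the tunnel on TCP and once on DTLS (step 1), and keep the outputs; a drop in retransmits or lost_percent rather than a change in raw Mbit/s is usually the clearer signal of which step helped.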
