FortiGate
saleha
Staff
Article Id 308058
Description

 

This article describes how to fix throughput issues in a FortiGate connected to FortiSASE with SSL VPN. This article assumes FortiClient is only being used to connect endpoints.

 

Scope

 

FortiGate, FortiClient, FortiSASE.

 

Solution

 

When SSL VPN is used to connect to FortiSASE, one of the main considerations is throughput/speed, especially because the FortiSASE portal does not provide admin access to the PoPs where the endpoints connect to the VPN. Bandwidth is calculated based on account-level bandwidth, which in turn is determined by the purchased contract's entitlement and the products involved in the setup, such as FortiClient agents, FortiExtender, FortiGate, etc.

 

Slow speed or low throughput can be caused by multiple factors in this type of deployment, such as home office or small office internet speed, FortiClient or browser issues, or issues on the Point of Presence (PoP) side.

 

Below are the recommended steps to troubleshoot and investigate throughput issues between FortiClient and FortiSASE:

 

  1. Check which version of the FortiClient is set up by the user with the VPN to FortiSASE.
  2. Make sure DTLS is enabled on the FortiClient settings.
  3. Run a speed test multiple times from 'speedtest.net', as this tool offers the option to change the location of the test server.
  4. Run a speed test from different vendors such as 'fast.com' and 'https://fiber.google.com/speedtest/' for further assessment. Create a test policy with no UTMs for the affected user.
  5. In cases where multiple users are affected while others are working fine, check if all users are connected to the same PoP or if the connection is across multiple PoPs.
  6. Test with an SWG VPN user connection through the same internet. See the SWG with VPN deployment guide.
  7. Test the speed for the same user connecting to different ISPs if possible, such as DSL, fiber-optic, or cable internet.
  8. Check the 'bandwidth' monitor widget on FortiSASE to make sure the data rate is within limits.
  9. Run a packet capture using Wireshark or other network analyzer tools looking for errors or packet loss.
    It is also possible to capture a report and the configuration from the FortiSASE side using the FortiGate support tool. See Troubleshooting Tip: GUI slowness and errors via FortiGate Support Tool.
  10. Additionally, it is possible to capture the client diagnostic tool output, but this is only useful if the issue is on the client side and not on the FortiSASE side. See the diagnostic tool documentation.
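
One way to combine the results of steps 2 to 7, as an added example that is not part of the original article or any Fortinet tool: record each speed test run with its PoP, ISP type, DTLS state and test tool, then rank which factor best separates slow runs from fast ones. The field names, PoP labels and sample figures are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the article): one row per speed test run.
# Columns: user, PoP, ISP type, DTLS enabled, test tool, measured Mbps.
COLUMNS = ("user", "pop", "isp", "dtls", "tool", "mbps")
RUNS = [dict(zip(COLUMNS, row)) for row in [
    ("alice", "PoP-A", "fiber", True, "speedtest.net", 180.0),
    ("alice", "PoP-A", "fiber", True, "fast.com", 170.0),
    ("bob", "PoP-A", "cable", True, "speedtest.net", 150.0),
    ("bob", "PoP-A", "cable", True, "fast.com", 160.0),
    ("carol", "PoP-B", "fiber", True, "speedtest.net", 40.0),
    ("carol", "PoP-B", "fiber", True, "fast.com", 35.0),
    ("dave", "PoP-B", "cable", True, "speedtest.net", 30.0),
    ("dave", "PoP-B", "cable", True, "fast.com", 20.0),
]]
FACTORS = ("pop", "isp", "dtls", "tool")


def medians_by(runs, factor):
    """Median throughput for each value of one factor (e.g. per PoP)."""
    groups = defaultdict(list)
    for run in runs:
        groups[run[factor]].append(run["mbps"])
    return {value: median(speeds) for value, speeds in groups.items()}


def rank_factors(runs, factors=FACTORS):
    """Rank factors by slowest/fastest median ratio; lowest ratio first.

    A factor seen with only one value (here DTLS, always on) is skipped:
    it cannot be ruled in or out until a run with the other value exists.
    """
    ranked = []
    for factor in factors:
        med = medians_by(runs, factor)
        if len(med) < 2:
            continue
        slow, fast = min(med, key=med.get), max(med, key=med.get)
        ratio = med[slow] / med[fast] if med[fast] else 1.0
        ranked.append((factor, round(ratio, 2), slow))
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    for factor, ratio, slow in rank_factors(RUNS):
        print(f"{factor}: slowest value {slow!r} at {ratio:.0%} of the fastest")
```

With this sample data the PoP is the factor that stands out, while ISP type and test tool make little difference, which points the investigation at step 5.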

 

Related article:

Technical Tip: How to check interface bandwidth utilization in the GUI