Fortinet Forum
Mick
New Contributor

Site to Site IPSec VPN slow file transfer speeds.

Site-to-site IPsec VPN gateway using two FortiGates. Branch has an 80E on firmware v6.0.2; headquarters has a 300D on firmware v5.6.6.

 

Problem: End users reporting very slow file access from the fileservers located at headquarters.

File transfer speeds between the two sites averages 425 Kbps for Data only.

Should I expect better file transfer speeds between the two sites?

 

Note: VoIP works great. Speeds out to the Internet are great.

VoIP and Data are configured to use the same port on the Fortigate 80E.

 

I'm using Windows Explorer and copying a file from the (Windows 2016 Server) fileserver to the desktop (combo of Win7 and Win10 Pro) to test the file transfer speeds. iperf between the two sites using the default settings for TCP; I didn't change the window size. Average speed was between 2 and 3 Mbps. FTP'd between the two sites, average speed was 1.5 to 2.0 Mbps.

Distance between branch and HQ is 34 miles.

 

Branch has 30 PCs, 30 VoIP phones and 30 employees; rarely are more than 10 employees at a time using their PCs.

 

The 80E spec sheet notes "Gateway to Gateway IPSec VPN Tunnels 200"; I'm guessing they mean 200 Mbps. The IPsec VPN performance test used AES256 and SHA256. We're using 3DES/SHA1.

 

I'm using the document at this link as a guide for troubleshooting: https://forum.fortinet.com/tm.aspx?m=151195

Thanks to Toshi Esumi.

 

Branch ISP router settings: 400 Mbps download, 20 Mbps upload. Headquarters: 250 Mbps upload and download. Duplex is full.

Internet speed test done using www.speedtest.net; this site has two options, Multi and Single. Branch: Multi, 420 Mbps download / 22 Mbps upload; Single, 255 Mbps download / 14 Mbps upload. Headquarters: Multi, 102 Mbps download / 160 Mbps upload; Single, 81 Mbps upload / 169 Mbps download.

 

FortiGate speed and duplex are set to Auto/Auto, 1 GB full duplex. Cisco switches are also set to Auto/Auto, 1 GB full duplex.

Checked speed and duplex for mismatches between the FortiGates and the switch; there are none. ISP reps state there are no errors on the router interfaces. Checked FortiGate interfaces for errors; there are none. Checked desktop and fileserver interfaces for errors; there are none. I've thought about hard-coding the speed and duplex on the interfaces, but we have no CRC, TX or RX errors.

 

Ran continuous ping checks between the public and private interfaces, looking for dropped packets; there were none. Ran tracert from both ends, no drops.

 

Set up folders and shared them on two laptops. Put a laptop at each end of the campus. Copied files between them; speeds are great. A 20 MB file copies between the two laptops in 5 to 7 seconds.

 

In FortiAnalyzer I see some ip-conn, client-rst and server-rst records in the logs for traffic between the desktops and the fileserver.

 

 

Surf the Internet for "Fortinet" and "slow SMB IPsec file transfer speeds" and you come up with a lot of hits. Here are a few other links that mention slow IPsec VPN speeds. One claims that a bug is the problem.

https://forum.fortinet.com/tm.aspx?m=154946

https://forum.fortinet.com/tm.aspx?m=172121

https://forum.fortinet.com/tm.aspx?m=166340

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_80E_Series.pdf

 

What other steps can/should I take to troubleshoot the problem? If you need additional information, please let me know.

 

Thanks for your time.

ede_pfau
Esteemed Contributor III

First, I'd upgrade to v6.0.5 and v5.6.8 (not v5.6.9) to make sure you get most of the bug fixes.

 

Then, as the branch line is asymmetric, I wonder if the upload speed throttles the download. SMB is a LAN protocol and a pita on WAN. With a continuous ping, if the RTT goes up tenfold during an SMB transfer then it's the upload speed issue.

 

To eliminate the VPN you could set up a second FGT on site (via patch cable), create an IPsec VPN to HQ and then transfer via SMB. That should give you almost wire speed (for iperf) and some 50% for SMB, or even less. Now you can see how much the protocol is taking away from line speed.

There are 2 more pitfalls I can think of:

1- The IPsec is not offloaded to the SP (NP6). In FortiView, you can see 'all sessions'; in one column there will be an ASIC icon if the session is offloaded. If not, the CPU of the 80E will limit throughput a lot.

2- You would have mentioned if you had an AV profile on the policies for SMB, wouldn't you? SMB AV still is, er, in the first stages and not yet fully optimized, if ever. Run without any UTM profiles.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
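The RTT check Ede describes, written out as an added example that is not from this thread: it parses two continuous-ping samples (one taken while the line is idle, one during the SMB copy) and flags a tenfold jump in median RTT, the sign that the branch uplink queue is filling. The ping lines are constructed for the example; the 10.10.0.5 address is a placeholder.

```python
import re
from statistics import median

# Matches Windows ("time=12ms", "time<1ms") and Linux ("time=12.3 ms") ping replies.
# A Windows "time<1ms" reply is read as 1 ms, the resolution ping reports.
RTT_RE = re.compile(r"time[=<]([\d.]+)\s*ms")

def parse_rtts(lines):
    """Return the RTT values (ms) in ping output; lines without one (timeouts) are skipped."""
    return [float(m.group(1)) for m in map(RTT_RE.search, lines) if m]

def rtt_inflation(idle_lines, transfer_lines, threshold=10.0):
    """Compare the median RTT while idle with the median RTT during the SMB copy.

    Returns (idle_median, transfer_median, ratio, saturated); saturated is True when the
    RTT rose at least `threshold`-fold, i.e. the uplink is the bottleneck, not the VPN.
    """
    idle, busy = parse_rtts(idle_lines), parse_rtts(transfer_lines)
    if not idle or not busy:
        raise ValueError("need at least one parsable RTT in each sample")
    idle_med, busy_med = median(idle), median(busy)
    ratio = busy_med / idle_med if idle_med else float("inf")
    return idle_med, busy_med, ratio, ratio >= threshold

# Constructed sample output (not a real capture): replies before the copy and during it.
IDLE_PING = [
    "Reply from 10.10.0.5: bytes=32 time=12ms TTL=126",
    "Reply from 10.10.0.5: bytes=32 time=11ms TTL=126",
    "Reply from 10.10.0.5: bytes=32 time=13ms TTL=126",
    "Reply from 10.10.0.5: bytes=32 time=12ms TTL=126",
    "Reply from 10.10.0.5: bytes=32 time=14ms TTL=126",
]
BUSY_PING = [
    "Reply from 10.10.0.5: bytes=32 time=180ms TTL=126",
    "Reply from 10.10.0.5: bytes=32 time=210ms TTL=126",
    "Request timed out.",
    "Reply from 10.10.0.5: bytes=32 time=195ms TTL=126",
    "Reply from 10.10.0.5: bytes=32 time=240ms TTL=126",
    "Reply from 10.10.0.5: bytes=32 time=205ms TTL=126",
]

if __name__ == "__main__":
    idle_ms, busy_ms, ratio, saturated = rtt_inflation(IDLE_PING, BUSY_PING)
    print(f"idle median {idle_ms} ms, during copy {busy_ms} ms, x{ratio:.1f}")
    print("uplink saturation likely" if saturated else "RTT stable; look elsewhere")
```

Run the ping from a branch PC to the HQ fileserver, save the output from a quiet period and from a period during the copy, and feed the two files' lines to rtt_inflation.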
Mick
New Contributor

@Ede

 

#1 FortiView - All Sessions - Source column - there are no icons. I'm not sure what the ASIC icon looks like. I've googled "Fortinet and FortiGate ASIC icon or image" but I'm not finding it. Isn't the FortiGate configured to offload to the SP (NP6) by default?

 

#2 No UTM profiles are in play.

 

>>To eliminate the VPN you could set up a second FGT on site

We don't have a second Fortigate on hand.

 

>>With a continuous ping, if the RTT goes up 10fold during an SMB transfer then it's the upload speed issue.

You mean run a continuous ping from the FortiGate to the file server while copying a file from the file server?

Is this correct?

 

>>First, I'd upgrade to v6.0.5 and v5.6.8 (not v5.6.9) to make sure you get most of the bug fixes.

I can upgrade the branch to v6.0.5. For HQ I'd have to set up a maintenance window. Why not upgrade HQ to v6.0.5 as well; is v5.6.8 more stable?

Mick
New Contributor

Update

I created a shared folder on my PC at HQ. I also set up a shared folder on another Win2016 server that's not heavily used.

From my laptop at the branch back to my desktop at HQ, I average between 3 and 4 Mbps using Windows Explorer to transfer the file.

To the fileserver I'm still averaging about 400 Kbps. I'm using the same file. I expected to see better speeds from this other file server because it's not used as much as the first one. Ideas or suggestions appreciated.

emnoc
Esteemed Contributor III

I would ensure the tcp.mss value is set to a respectable value. A pcap will probably show retransmits, and this will greatly impact your throughput.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

Mick
New Contributor

@Ken,

 

The tcp.mss value is set to 1300.
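A worked check, added here and not part of the thread, of whether an MSS of 1300 leaves headroom once the segment is wrapped in ESP, for the 3DES/SHA1 proposal in use and the AES256/SHA256 proposal the datasheet test used. It assumes standard RFC 4303 ESP tunnel-mode framing over IPv4, HMAC-SHA1-96 (12-byte ICV) and HMAC-SHA256-128 (16-byte ICV), a CBC IV equal to the cipher block size, and a 1500-byte path MTU; FortiGate-specific framing is not modelled.

```python
# Header sizes in bytes: outer IPv4, UDP for NAT-T encapsulation, ESP SPI+sequence,
# and the inner IPv4+TCP headers that sit in front of the MSS bytes of payload.
OUTER_IP, UDP_NATT, ESP_HDR, INNER_IP_TCP = 20, 8, 8, 40

# Proposal -> (cipher block size, IV length, ICV length), all in bytes.
# Assumed standard values: 3DES-CBC/HMAC-SHA1-96 and AES-256-CBC/HMAC-SHA256-128.
PROPOSALS = {
    "3des-sha1": (8, 8, 12),
    "aes256-sha256": (16, 16, 16),
}

def esp_packet_size(mss, proposal, nat_t=False):
    """Size on the wire of a full-size TCP segment after ESP tunnel-mode encapsulation."""
    block, iv, icv = PROPOSALS[proposal]
    inner = mss + INNER_IP_TCP
    # ESP trailer adds pad-length and next-header bytes, then pads to the cipher block.
    padded = -(-(inner + 2) // block) * block
    size = OUTER_IP + ESP_HDR + iv + padded + icv
    if nat_t:
        size += UDP_NATT
    return size

def mss_fits(mss, proposal, mtu=1500, nat_t=False):
    """True when a full segment at this MSS does not need fragmenting on the tunnel path."""
    return esp_packet_size(mss, proposal, nat_t) <= mtu

def max_mss(proposal, mtu=1500, nat_t=False):
    """Largest MSS whose encapsulated segment still fits the MTU (0 if none does)."""
    for mss in range(mtu, 0, -1):
        if mss_fits(mss, proposal, mtu, nat_t):
            return mss
    return 0

if __name__ == "__main__":
    for proposal in PROPOSALS:
        for nat_t in (False, True):
            print(f"{proposal:14} nat-t={nat_t!s:5} mss 1300 -> "
                  f"{esp_packet_size(1300, proposal, nat_t)} bytes, "
                  f"max mss {max_mss(proposal, nat_t=nat_t)}")
```

At 1300 the encapsulated segment stays under 1500 bytes for every proposal shown, so an oversized MSS is not what a pcap would be showing as retransmits.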

mb23531
New Contributor

Hi,

 

I had a slow site-to-site VPN for a while after upgrading from a 200D to a 200E (the other end was a 90D), but only in one direction. Both sites have 100 Mbps internet, but upload from the 200E was only going around 20-40 Mbps over the VPN.

 

After a lot of troubleshooting and reading documents, the issue for me was down to setting inbandwidth and outbandwidth on the WAN interfaces. From the Hardware Acceleration manual: "Configuring outbandwidth traffic shaping imposes more limiting than configured, potentially reducing throughput more than expected". As soon as the values were unset, the speed of the VPN was almost 100 Mbps again.

 

I'm not sure if this will apply to you, but I have seen posts about slow VPNs where this is not mentioned.

 

Regards

 

Martin

Mick
New Contributor

@Martin,

 

Thanks for the feedback.  I've not seen that mentioned either.

Mick
New Contributor

@Martin,

 

No joy; mine are set to 0 and 0. Still a handy hint though. Thanks.

Toshi_Esumi
Esteemed Contributor II

By now, you have probably exhausted the options we can suggest without touching it, including the iperf test. It's time to open a ticket for TAC to look into it directly.