Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
maraica
New Contributor

Slow internet speed & file sharing while connected to VPN

Hi Everyone, 

 

We have a SSL VPN for our corporate users on a Fortigate 5001V (daily average users 10-15).  Everyone internet speed slows down as soon as they connect to vpn.  Below are some examples of speed test without and with vpn.  Please let me know if this is normal expected behavior slow down or if there is something that we can do to improve the situation.  I can also provide tracert if need be.  We do have a manage network so I do not full cli access to the blade, but I can pass any recommendation to our manage provider company:

 

The issue is more significant and a pain point when users map a server shared folder and they try to save or dowload the file.  The VPN blade is in the west coast and most share folders are also in the west coast.  I do expect some slowness while updating huge excel files in the NY shares drive folders.  Our typical time from vpn or from mpls is always consistent at 75ms from LA to NY (while on vpn or mpls is always at around 73ms), so I think the culprit could be the fortinet 5001v.  

 

 

100/100  -> on vpn 20/10

300/20  -> on vpn 30/3

70/10 -> on vpn 15/2

175/5 -> on vpn 15/5

 

thank you

 

Manuel

2 Solutions
hubertzw

By this hardware specification FG-5001E devices has 9Gbps throughput for SSL VPN.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf

You shouldn't have any problems with the platform. What is the software version?

View solution in original post

hubertzw
Contributor III

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/acceleration-overview.htm

View solution in original post

13 REPLIES 13
hubertzw
Contributor III

I understand you compare the Internet speed between their own Internet connection in their locations, not Internet available from the location where FortiGate is installed, correct?

 

Can you verify the device model? FortiGate has some 5k models but I don't see 5000v. Is it physical appliance or VM?

maraica

Yes, these are remote users joining the ssl vpn mostly from home.  

 

It is the 5000 series in LA datacenter.  It is a physical appliance.  We rebooted last night to see if things improved but no luck!

FortiGate® 5000 Series Solution Scalable Data Center and Carrier-Graded Security Systems

 

I will verify the specific model

 

thanks

hubertzw

By this hardware specification FG-5001E devices has 9Gbps throughput for SSL VPN.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf

You shouldn't have any problems with the platform. What is the software version?

maraica

I am awaiting response from our Manage provider company as I do not have access to the appliance.

 

thanks

 

maraica

It is It’s a 5001b on v5.2.11 firmware

hubertzw

Do you have any security profiles attached to the SSL VPN firewall policies?

maraica

Yes, we do.  We are doing split traffic.  All egress/ingress traffic traverses the blade for security.  We do not want the users to just be able to open to any website and bring some malware in (we do content filtering as well)

 

hubertzw

I think you can't compare speed of the user's local Internet access with VPN connection which is inspected. Your model is huge and should be fast enough for your ~20 users. I don't have experience with this model to say more. Maybe someone on the forum can share her/his experience with model 5000, or maybe you can talk with Fortinet TAC and specify what security profiles are attached, maybe you do ssl full inspection,etc. Remember you can't offload proxy inspections to FortiASICs, all is done on CPU.

maraica

It is not so much the speed comparison, but the actual upload/download is slower.  I do not expect to have a 100 @ home and have 80 on VPN.  As long as my end users can function normally, I am not concerned about the speed. 

Here is something weird..

 

on MPLS/WAN From HQ to NY server, I get 65 ms - file download a 80 mb file is 10 seconds

on VPN and I can ping NY at 70 ms - file download a 80 mb files is 3 minutes

*** note that ms difference is not an issue, but look at the time difference on download

 

- I know ping uses icmp instead of udp or tcp, but the time difference in download does not make sense even if it is using tcp/ip

 

thanks

 

 

Labels
Top Kudoed Authors