chrisci
New Contributor

Very slow performance over IPv6

Hi all,

Recently I migrated to a new ISP, which supports IPv6. We've got a 100MB fibre link.

Using IPv4 I can easily max it out when downloading from the ISP-provided test FTP server, but when using IPv6, I can barely get 400-500KB/s.

Testing with a laptop plugged directly into the ISP router shows max download, both for IPv4 and IPv6. Clearly, something must be off on the firewall, but after reviewing the config several times, switching off UTM features, etc., I can't find anything wrong.

I'm using Fortigate 100D, with 5.4 firmware.

My knowledge about IPv6 is rather poor, I know basics, but not much above that.

From the ISP, I got IPv6 range XXXX:XXXX:XXX5::/48, this was divided into /64 subnets, so on my LAN I have XXXX:XXXX:XXX5:1::/64.

Can you please confirm whether this is a good or bad approach?

In the IPv6 policy I have a simple access rule for LAN, without NAT.

Can you guys give me some hints on where I should look to amend this situation? I opened a case with Fortinet, but my experience is not very good and I somehow doubt they will be very helpful.

Any input appreciated,

Chris 

FortiRack_Eric
New Contributor III

It's quite normal to divide a /48 into /64 segments. Check your routing table and verify that you can ping the hops.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack

 

emnoc
Esteemed Contributor III

Do you have off-loading enabled or disabled for the IPv6 policies?

 

 set auto-asic-offload enable|disable

 

We had a ticket open a few years back with the same issues of poor performance with a 3040 but nothing was ever figured out. I wish you luck but check the ipv6 .

 

 

btw, the whole /64 is designed around the fact that it's the minimum subnet size, and SLAAC requires it.

PCNSE 

NSE 

StrongSwan  
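
The /48-to-/64 split and the SLAAC /64 requirement mentioned in the replies above, worked through in Python. This is an added example, not part of any forum post. It assumes the documentation prefix 2001:db8:5::/48 in place of the redacted ISP range and a documentation-range MAC address; the function names are hypothetical.

```python
import ipaddress

# Constructed sample values: 2001:db8::/32 is the documentation range, standing
# in for the redacted ISP prefix; the MAC is from the documentation MAC range.
ISP_PREFIX = ipaddress.ip_network("2001:db8:5::/48")
SAMPLE_MAC = "00:00:5e:00:53:01"


def lan_subnet(prefix, index):
    """Return the index-th /64 carved out of a delegated prefix."""
    if prefix.prefixlen > 64:
        raise ValueError("prefix is longer than /64, no /64 fits inside it")
    count = 2 ** (64 - prefix.prefixlen)  # a /48 holds 65536 /64 subnets
    if not 0 <= index < count:
        raise ValueError(f"index must be in 0..{count - 1}")
    base = int(prefix.network_address) + (index << 64)
    return ipaddress.IPv6Network((base, 64))


def eui64_interface_id(mac):
    """Build the 64-bit modified EUI-64 interface ID from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(subnet, mac):
    """Combine a /64 prefix with the 64-bit interface ID."""
    # The interface ID fills exactly 64 bits, so only a /64 prefix leaves
    # the right amount of room for it; this is why SLAAC requires a /64.
    if subnet.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64, got /{subnet.prefixlen}")
    return ipaddress.IPv6Address(int(subnet.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    lan = lan_subnet(ISP_PREFIX, 1)
    print("available /64s:", 2 ** (64 - ISP_PREFIX.prefixlen))
    print("LAN subnet:    ", lan)
    print("SLAAC address: ", slaac_address(lan, SAMPLE_MAC))
```

Modified EUI-64 is only one way a host forms its interface ID; hosts that use privacy or stable-random identifiers still need the same /64 prefix.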

chrisci
New Contributor

Many thanks for your replies.

I tried to change auto-asic-offload, but apparently the 100D model doesn't have NPs, so the command is unavailable. I had another serious conversation with my ISP tech support, and they admitted that *maybe* there are some things in the routing settings which are not optimal.

I suspect the problem might be related to the fact that I have a redundant link to two ISPs and they seem to have some issues talking to each other.
