Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

FG60E - FG60E IPSec Tunnel Slow

Hi everybody,


Our site-to-site IPsec VPN tunnel between two FGT-60Es on 5.4.4 is slow and I have run out of things to try.


Both sites are connected via gigabit fiber Internet. iperf3 to a public iperf server gave 600+ Mbps results on both ends, so we know our Internet uplinks are good. But our IPsec tunnel tops out at 130-ish Mbps.


Things I have tried, from tips I read in various places:

 - deleted the udp-dns session helper thingie

 - took all internal1-8 out of the internal hardware switch

 - tried different encryption algorithms

 - set local-gw



Here are the sanitized relevant parts of the config from the MainSite FGT-60E:


config system npu
    set enc-offload-antireplay enable
    set offload-ipsec-host enable

config system interface
    edit "wan1"
        set vdom "root"
        set ip a.a.a.a
        set allowaccess ping ssh
        set type physical
        set estimated-upstream-bandwidth 1000000
        set estimated-downstream-bandwidth 1000000
        set role wan
        set snmp-index 1
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip a.a.a.b

    edit "internal1"
        set vdom "root"
        set ip p.p.p.p
        set allowaccess ping https ssh
        set type physical
        set snmp-index 11

config vpn ipsec phase1-interface
    edit "VPN-BRN-LSN"
        set interface "wan1"
        set local-gw a.a.a.a
        set peertype any
        set comments "VPN: VPN-BRN-LSN (Created by VPN wizard)"
        set remote-gw f.f.f.f
        set psksecret ENC secretsauce

config vpn ipsec phase2-interface
    edit "VPN-BRN-LSN"
        set phase1name "VPN-BRN-LSN"
        set proposal aes256-sha256
        set dhgrp 14
        set comments "VPN: VPN-BRN-LSN (Created by VPN wizard)"
        set src-subnet p.p.p.p
        set dst-subnet q.q.q.q


And here is some diag output from the same 60E:


diagnose vpn ipsec status
All ipsec crypto devices in use:
        null: 0 0
        des: 0 0
        3des: 0 0
        aes: 1682560 1894400
        aes-gcm: 0 0
        aria: 0 0
        seed: 0 0
        null: 0 0
        md5: 0 0
        sha1: 6784 8192
        sha256: 1675776 1886208
        sha384: 0 0
        sha512: 0 0
        null: 0 0
        des: 0 0
        3des: 0 0
        aes: 33331 0
        aes-gcm: 0 0
        aria: 0 0
        seed: 0 0
        null: 0 0
        md5: 0 0
        sha1: 544 0
        sha256: 32754 0
        sha384: 0 0
        sha512: 0 0
        null: 0 0
        des: 0 0
        3des: 0 0
        aes: 20 32
        aes-gcm: 0 0
        aria: 0 0
        seed: 0 0
        null: 0 0
        md5: 0 0
        sha1: 1 2
        sha256: 18 30
        sha384: 0 0
        sha512: 0 0
        null: 0 0
        des: 0 0
        3des: 0 0
        aes: 0 0
        aes-gcm: 0 0
        aria: 0 0
        seed: 0 0
        null: 0 0
        md5: 0 0
        sha1: 0 0
        sha256: 0 0
        sha384: 0 0
        sha512: 0 0

get system npu
enc-offload-antireplay: enable
dec-offload-antireplay: enable
offload-ipsec-host : enable

diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=VPN-BRN-LSN ver=1 serial=3 a.a.a.a:0->f.f.f.f:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=20 ilast=13 olast=13 auto-discovery=0
stat: rxp=1715632 txp=1911092 rxb=833611779 txb=1426710396
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1101
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-BRN-LSN proto=0 sa=1 ref=5 serial=1
  src: 0:p.p.p.p/
  dst: 0:q.q.q.q/
  SA: ref=6 options=2e type=00 soft=0 mtu=1438 expire=11928/0B replaywin=1024 seqno=29811 esn=0 replaywin_lastseq=00025e80
  life: type=01 bytes=0/0 timeout=43174/43200
  dec: spi=257f4fb4 esp=aes key=32 secretsauce
       ah=sha256 key=32 secretsauce
  enc: spi=8574257e esp=aes key=32 secretsauce
       ah=sha256 key=32 secretsauce
  dec:pkts/bytes=155266/49170368, enc:pkts/bytes=173054/97413586
  npu_flag=03 npu_rgwy=f.f.f.f npu_lgwy=a.a.a.a npu_selid=0 dec_npuid=1 enc_npuid=1


It all kinda looks as it should to me.


I can post the same info for the other FGT-60E if needed, or any other output or config parts....


Any help greatly appreciated.
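A quick way to read that tunnel-list output, instead of eyeballing it, is to parse the fields that matter for offload and check them mechanically. The script below is an added example written for this thread; it is not from the original post and not Fortinet code. It embeds the SA block above as its constructed sample input (the keys were already redacted there), treats the meaning of the npu_flag bits (0x01 encrypt offloaded, 0x02 decrypt offloaded) as an assumption, and derives the expected ESP tunnel-mode MTU from the negotiated proposal, assuming a CBC cipher with a one-block IV and the usual truncated HMAC ICV (12 bytes for sha1, 16 for sha256). The function names are mine.

```python
"""Sanity-check FortiGate IPsec offload from 'diagnose vpn tunnel list' output.

Added example, not from the forum post or from Fortinet. The npu_flag bit
meanings and the ESP overhead model are assumptions stated in the comments.
"""
import re

# Constructed sample: the tunnel-list block from the post above, copied verbatim.
SAMPLE = """\
list all ipsec tunnel in vd 0
name=VPN-BRN-LSN ver=1 serial=3 a.a.a.a:0->f.f.f.f:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=20 ilast=13 olast=13 auto-discovery=0
stat: rxp=1715632 txp=1911092 rxb=833611779 txb=1426710396
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1101
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-BRN-LSN proto=0 sa=1 ref=5 serial=1
  src: 0:p.p.p.p/
  dst: 0:q.q.q.q/
  SA: ref=6 options=2e type=00 soft=0 mtu=1438 expire=11928/0B replaywin=1024 seqno=29811 esn=0 replaywin_lastseq=00025e80
  life: type=01 bytes=0/0 timeout=43174/43200
  dec: spi=257f4fb4 esp=aes key=32 secretsauce
       ah=sha256 key=32 secretsauce
  enc: spi=8574257e esp=aes key=32 secretsauce
       ah=sha256 key=32 secretsauce
  dec:pkts/bytes=155266/49170368, enc:pkts/bytes=173054/97413586
  npu_flag=03 npu_rgwy=f.f.f.f npu_lgwy=a.a.a.a npu_selid=0 dec_npuid=1 enc_npuid=1
"""

KV = re.compile(r"(\S+?)=(\S+)")

# ESP overhead model (assumption): CBC cipher with an explicit IV of one block,
# HMAC ICV truncated per RFC 2404 (sha1-96) / RFC 4868 (sha2: half the digest).
CBC_BLOCK = {"aes": 16, "3des": 8, "des": 8}
ICV_BYTES = {"md5": 12, "sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32}


def parse_tunnels(text):
    """Return one dict per tunnel holding the fields the offload checks need."""
    tunnels, t, last_dir = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("name="):
            t = dict(KV.findall(s))                      # name, ver, serial
            tunnels.append(t)
        elif t is None:
            continue                                     # header lines before the first tunnel
        elif s.startswith("bound_if="):
            m = re.search(r"options\[\w+\]=(\S+)", s)
            t["options"] = m.group(1) if m else ""
        elif s.startswith("stat:"):
            t.update({k: int(v) for k, v in KV.findall(s)})   # rxp txp rxb txb
        elif s.startswith("SA:"):
            sa = dict(KV.findall(s))
            t["mtu"], t["replaywin"], t["esn"] = int(sa["mtu"]), int(sa["replaywin"]), int(sa["esn"])
        elif s[:4] in ("enc:", "dec:"):
            last_dir = s[:3]                              # the following ah= line belongs to this SA
            m = re.search(r"esp=(\w+) key=(\d+)", s)
            if m:
                t[last_dir + "_esp"], t[last_dir + "_keybits"] = m.group(1), int(m.group(2)) * 8
        elif s.startswith("ah=") and last_dir:
            t[last_dir + "_ah"] = s.split()[0].split("=")[1]
        elif s.startswith("npu_flag="):
            npu = dict(KV.findall(s))
            t["npu_flag"] = int(npu["npu_flag"], 16)
            t["enc_npuid"], t["dec_npuid"] = int(npu["enc_npuid"]), int(npu["dec_npuid"])
    return tunnels


def esp_tunnel_mtu(outer_mtu, esp, ah, natt=False):
    """Largest inner IPv4 packet that fits in outer_mtu after ESP tunnel-mode encapsulation."""
    fixed = 20 + (8 if natt else 0) + 8 + CBC_BLOCK[esp] + ICV_BYTES[ah]  # outer IP, UDP4500, SPI+seq, IV, ICV
    room = outer_mtu - fixed               # bytes left for plaintext + padding + 2-byte trailer
    room -= room % CBC_BLOCK[esp]          # the encrypted part must be block-aligned
    return room - 2                        # pad-length and next-header bytes


def tcp_mss_for(inner_mtu):
    return inner_mtu - 40                  # IPv4 + TCP headers without options


def avg_packet_bytes(t):
    """Average rx/tx packet size from the lifetime counters on the stat: line."""
    return round(t["rxb"] / t["rxp"]), round(t["txb"] / t["txp"])


def offload_report(t, outer_mtu=1500):
    """Checklist of what this output can confirm; bit meanings of npu_flag are an assumption."""
    flag = t.get("npu_flag", 0)
    want_mtu = esp_tunnel_mtu(outer_mtu, t["enc_esp"], t["enc_ah"])
    return [
        ("tunnel carries options=npu", t.get("options") == "npu"),
        ("encrypt offloaded (npu_flag & 0x01)", bool(flag & 1)),
        ("decrypt offloaded (npu_flag & 0x02)", bool(flag & 2)),
        ("enc and dec on the same NPU", t.get("enc_npuid") == t.get("dec_npuid")),
        (f"SA mtu {t['mtu']} == computed {want_mtu}", t["mtu"] == want_mtu),
        ("anti-replay window set", t["replaywin"] > 0),
    ]


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE):
        print(t["name"], t["enc_esp"], t["enc_keybits"], t["enc_ah"], "avg rx/tx bytes:", avg_packet_bytes(t))
        for label, ok in offload_report(t):
            print("  [%s] %s" % ("ok" if ok else "!!", label))
        print("  suggested tcp-mss:", tcp_mss_for(t["mtu"]))
```

On this sample every check passes: the proposal is AES-256-CBC with HMAC-SHA256, npu_flag is 03 with enc and dec both on NPU 1, and the computed ESP tunnel MTU for a 1500-byte outer link (1500 minus 20 IP, 8 SPI/sequence, 16 IV, 16 ICV, 2 trailer bytes) is exactly the 1438 the SA reports, so fragmentation on this side is not indicated. If a test host is sending full 1500-byte TCP segments anyway, clamping MSS to 1398 in the policy (`set tcp-mss-sender` / `set tcp-mss-receiver` in `config firewall policy`) removes that variable; the lifetime counters also show average packets well under 800 bytes, so a throughput test with large packets and several parallel streams is a fairer measurement than a single stream.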


Throwing my 50 cents in ;) Got 2x 50Es on 5.4.4 (one just upped to 5.4.5) with a tunnel up, 1 Gbps fiber on one end and a 120x25 cable on the other end. The best upload I can do on the fiber side is 45 Mbps. Now here's the crazy part: I tried an SSLVPN from a laptop on the gig fiber side hitting the cable 50E and I was getting the full 125M up! This is well above the 100M limit on the 50E PDF for SSLVPN! And I don't know the real limit because I was hitting the remote circuit's download limit. Tried all the usual: MTU, disable/enable offload, various SHA & DH & AES combos, no luck. Support is shooting in the dark.

Does the 50E have ASIC? How high is the 50E CPU usage during your 45 Mbps?

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+ [Did my post help you? Please rate my post.]

The 50E does have an ASIC but I don't think it has the full hardware enc/dec capabilities of the 60 and later, since it's only rated for 200 Mbps IPsec throughput vs 1 Gbps (60D/E) per the flawed datasheets.


CPU is low during transfers, maybe 5-10%. If offload is disabled then it jumps to about 40-45%.


Hey all,


Jumping into this thread. We have the exact setup as the OP here with two 60Es over a 1 Gbps private p2p line. When encryption is enabled (offload disabled because of the Win 2012/ECN issue) we get about 100 Mbps tops. That's with AES256/SHA1 on phase 1 and AES256/SHA256 on phase 2. But when we take the traffic off the tunnel and just route between the two 60Es, we get near 800 Mbps. Significant.


We are going to upgrade to 5.4.5 and enable the ASIC offloading, hopefully the 2012 ECN works.  But maybe we'll also move phase2 to AES256/SHA1 as it seems that is supported for offloading.




That's going to be very disappointing if the 60E doesn't offload SHA256. Our VPN throughput is abysmal because of SHA2 between all our D-series stuff. We've received a bunch of 100E/200E equipment for various larger sites, but had hoped to use the 60E for small sites to resolve this issue. Have not yet deployed any of it...


Have you tried using less secure proposals for phase 2?


So the upgrade to 5.4.5 fixed the Windows 2012 ECN issue, and we are also getting good throughput with AES256/SHA256 with NPU offloading.


Can't believe that worked haha.




I want to dig up this case since we got a set of demo 60Es and put them in an iperf test bed in our lab:

test-serverA<->FG60E(wan1)<- IPsec ->(wan1)FWF60E<->test-serverB

If we break the internal (hard-switch) interface into single internalX interfaces, the TCP test shows 800-900 Mbps, which is about the max performance of ServerA<->ServerB. But if we don't break the hard switch, we get 300-350 Mbps.

Has anyone got a similar test result?


What OS version? Per my previous post I was getting around 700 Mbps with iperf.

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+ [Did my post help you? Please rate my post.]

Sorry I forgot that important info. Both FG/FWF60E are running 5.4.8.
