Dear community,
We have a 16-vCPU FortiGate VM establishing a GRE tunnel over IPsec with a Cisco device from a cloud provider.
The cloud provider guarantees up to 10 Gbit/s on each tunnel.
So, we tried two iperf benchmarks:
When the FortiGate decrypts with the "set ipsec-soft-dec-async enable" option enabled, we reach approx. 5 Gbit/s.
When the FortiGate encrypts, only one vCPU is used at 100% and we only reach 0.8 Gbit/s.
What could we do to distribute the load over multiple vCPUs and reach 5 Gbit/s? Or even 10 Gbit/s?
We tried FortiGate on both KVM and ESXi, and the issue is the same.
Thanks
It's possible that the performance issue you are experiencing with GRE over IPsec encryption is related to the FortiGate's hardware resources, specifically the CPU.
You mentioned that the FortiGate is a VM with 16 vCPUs, but it's possible that the hypervisor is not allocating the necessary CPU resources to the FortiGate VM. You may want to check the hypervisor's CPU allocation settings to ensure that the FortiGate VM has access to the required number of CPUs to handle the traffic.
Another potential issue could be related to the encryption algorithm and key size being used. If the FortiGate is using a high-strength encryption algorithm with a large key size, this could cause a significant increase in CPU usage and impact performance. You may want to try adjusting the encryption settings to use a weaker algorithm or smaller key size to see if this improves performance.
Additionally, you may want to check the FortiGate's IPsec settings to ensure that they are optimized for performance. For example, you can try enabling "IPsec offloading" to allow the FortiGate to offload some of the encryption processing to the network interface card (NIC).
Lastly, it may be helpful to contact Fortinet support to see if they can provide additional guidance or suggest any specific configuration changes that could improve performance for your specific use case.
Well, thanks for your answer.
About the NPU, are you sure that this is not something restricted to physical appliances?
I tried to activate it on my VM, but my tunnel stays with "npu_flag=00".
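As an added example (not part of this thread, and not Fortinet code), here is a small Python script that walks the output of "diagnose vpn tunnel list" and reports every tunnel whose "npu_flag" is 00, i.e. whose encryption and decryption are handled in software on the CPU, which is the symptom described above. The sample output below is constructed, not captured from a device; the script relies only on the "name=" and "npu_flag=" fields and assumes each tunnel's block starts with a "name=" line and carries its "npu_flag=" on a later line. A tunnel block without any "npu_flag" (truncated paste) is reported as unknown rather than silently treated as offloaded.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style of `diagnose vpn tunnel list` (not from a real device).
# Only the `name=` and `npu_flag=` fields are relied on; the other fields are filler.
SAMPLE_OUTPUT = """\
name=gre-over-ipsec ver=2 serial=1 203.0.113.10:0->198.51.100.20:0 tun_id=198.51.100.20
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
npu_flag=00 npu_rgwy=198.51.100.20 npu_lgwy=203.0.113.10 npu_selid=1 dec_npuid=0 enc_npuid=0
stat: rxp=100 txp=200 rxb=12000 txb=24000
name=branch-a ver=2 serial=2 203.0.113.10:0->192.0.2.5:0 tun_id=192.0.2.5
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
npu_flag=03 npu_rgwy=192.0.2.5 npu_lgwy=203.0.113.10 npu_selid=2 dec_npuid=1 enc_npuid=1
stat: rxp=5 txp=7 rxb=600 txb=840
name=partial ver=2 serial=3 203.0.113.10:0->192.0.2.9:0 tun_id=192.0.2.9
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
"""

_NAME_RE = re.compile(r"^name=(\S+)")
_NPU_RE = re.compile(r"\bnpu_flag=([0-9a-fA-F]+)")


def parse_tunnel_list(output: str) -> Dict[str, Optional[int]]:
    """Map each tunnel name to its npu_flag as an int; None if the block has no npu_flag."""
    tunnels: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        m = _NAME_RE.match(line.strip())
        if m:
            # A new tunnel block starts; default to "flag not seen yet".
            current = m.group(1)
            tunnels[current] = None
            continue
        if current is None:
            continue  # lines before the first tunnel block (banner text etc.)
        m = _NPU_RE.search(line)
        if m:
            tunnels[current] = int(m.group(1), 16)
    return tunnels


def software_only_tunnels(output: str) -> List[str]:
    """Names of tunnels reported with npu_flag=00, i.e. no NPU offload for that SA."""
    return [name for name, flag in parse_tunnel_list(output).items() if flag == 0]


def report(output: str) -> List[str]:
    """One human-readable status line per tunnel."""
    lines: List[str] = []
    for name, flag in parse_tunnel_list(output).items():
        if flag is None:
            status = "npu_flag missing (truncated output?)"
        elif flag == 0:
            status = "npu_flag=00: encrypt/decrypt handled in software on the CPU"
        else:
            status = f"npu_flag={flag:02x}: device reports NPU offload for this SA"
        lines.append(f"{name}: {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

Paste the real command output into SAMPLE_OUTPUT (or feed it via stdin) to run this against your own box; on a VM without NPU, expect every tunnel to land in the software-only list, which matches the "npu_flag=00" observation in the post above.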
The NPU (Neural Processing Unit) is a hardware component that is typically found on physical devices, such as Huawei's Ascend series of processors. It is designed to accelerate the performance of machine learning and artificial intelligence applications.
If you are using a virtual machine, it is unlikely that you have access to a physical NPU, which could be why you are seeing the "npu_flag=00" message. However, there may be other ways to optimize the performance of machine learning applications on a virtual machine, such as using GPU acceleration.
If you need further assistance with this issue, I recommend looking into the documentation or support resources for the specific software or platform you are using.
Not a solution, but may be worth reading - https://docs.fortinet.com/document/fortigate-private-cloud/7.4.0/kvm-administration-guide/801469/enh...
Otherwise, I'd open a ticket with TAC for this, as I don't see any command that would distribute encryption between multiple CPUs.
Copyright 2024 Fortinet, Inc. All Rights Reserved.