Christian_89
Contributor III

IPSEC VPN Very SLOW

Hello everyone,

I have the following problem:
over the IPsec VPN, file transfer to a share is very slow.
We are talking about 1 Mbit/s to about 25 Mbit/s.
The file size is between 500 MB and 5000 MB.

The local breakout is no problem; I only have the problem via IPsec.

From the outside locations (100F each) it goes to the HQ (FortiVM02).

Each remote site is connected with 1000 Mbit/s synchronously.

All Forti have 7.2.3 in use.

The IPsec tunnels are connected with IKEv2,
AES 256 and SHA 521 in both phases, and DH 21 also in both phases.

 

1 Solution
Christian_89

I have found the problem.

It was on the switches: LACP was set up but only used one interface, so there was performance degradation.

ezhupa
Staff

Hello Christian, 

Can you try lowering the proposals to aes128-sha256 and test if there is any change? 

Also try disabling replay under the phase 2 configuration and test again.

 

If there are any UTM profiles enabled on the policies configured for IPsec traffic, try disabling them and then test again.

 

Christian_89

I have already adjusted the proposal, but it did not bring any improvement.
I have not yet adjusted replay; I will still do that and give you feedback.
I have no UTM active.

Christian_89

I have made the adjustment and deactivated the replay.
It did not bring any improvement.

ezhupa
Staff

You can also use the commands in the below KB to troubleshoot speed or bandwidth issues:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-speed-or-bandwid...

ConnyGustavsson
New Contributor III

This could be caused by payload fragmentation. If the traffic is TCP, try manipulating the TCP-MSS on the firewall policy that matches this traffic. Do this on both sides of the tunnel.

config firewall policy
    edit <policy id>
        set tcp-mss-sender <mss value>
        set tcp-mss-receiver <mss value>
    next
end

I usually test 1300 bytes for VPN traffic.

cogus
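
The MSS arithmetic behind the reply above, as an added example that is not part of the original thread: it computes the largest TCP MSS that still fits in one ESP tunnel-mode packet. Assumptions: a 1500-byte path MTU, IPv4 outer and inner headers without options, and AES-CBC with HMAC-SHA-512 as the reading of the proposal in the question; NAT-T and AES-GCM are included as a generalization.

```python
# Added example: header sizes follow the ESP/HMAC RFCs; the 1500-byte
# path MTU and the cipher choice are assumptions, not values from the thread.
OUTER_IPV4 = 20      # outer IPv4 header, no options
NATT_UDP = 8         # UDP encapsulation header when NAT-T is in use
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
INNER_IP_TCP = 40    # inner IPv4 (20) + TCP (20), no options

# name -> (IV bytes per packet, alignment of the encrypted part)
CIPHERS = {"aes-cbc": (16, 16), "aes-gcm": (8, 4)}
# name -> ICV bytes appended to each packet (truncated HMAC / GCM tag)
AUTHS = {"sha1": 12, "sha256": 16, "sha384": 24, "sha512": 32, "gcm": 16}


def fixed_overhead(cipher, auth, nat_t=False):
    """Bytes added to every packet regardless of payload length."""
    iv, _ = CIPHERS[cipher]
    return OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + iv + AUTHS[auth]


def max_inner_packet(path_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet that fits in one unfragmented ESP packet."""
    _, align = CIPHERS[cipher]
    room = path_mtu - fixed_overhead(cipher, auth, nat_t)
    room -= room % align              # payload + padding + trailer is aligned
    return room - ESP_TRAILER


def max_tcp_mss(path_mtu, cipher, auth, nat_t=False):
    """Largest MSS whose full-size segments avoid fragmentation."""
    return max_inner_packet(path_mtu, cipher, auth, nat_t) - INNER_IP_TCP


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """Outer packet size produced for an inner packet of inner_len bytes."""
    _, align = CIPHERS[cipher]
    enc = inner_len + ESP_TRAILER
    enc += -enc % align               # ESP padding up to the alignment
    return fixed_overhead(cipher, auth, nat_t) + enc


if __name__ == "__main__":
    for nat_t in (False, True):
        mss = max_tcp_mss(1500, "aes-cbc", "sha512", nat_t)
        print(f"AES-CBC/SHA-512, NAT-T={nat_t}: max MSS {mss}")
    # An unclamped 1460-byte MSS means 1500-byte inner packets:
    print("1500-byte inner packet ->", esp_packet_size(1500, "aes-cbc", "sha512"))
    # The 1300-byte MSS suggested above means 1340-byte inner packets:
    print("1340-byte inner packet ->", esp_packet_size(1340, "aes-cbc", "sha512"))
```

Under these assumptions a 1300-byte MSS leaves headroom below the computed limit, which also covers links whose path MTU is below 1500 bytes (PPPoE, for example).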
Christian_89
Contributor III

Unfortunately I have not yet been able to achieve a need pairs increase.
With an iPerf test I get around 110-150 Mbps. UDP is no problem, I get 850-980 Mbps.

Christian_89
Contributor III

Do you have any info?

fdqueiroz
New Contributor

I have the same problem.
