We are having some throughput problems between two Fortinet devices.
We have a 100D connected to a 60E over an IPsec tunnel. The traffic seems to stagger around ~200Mbps even though we have a direct Gbps fiber connection.
Somewhere, it feels like a limitation of sorts. Any setting that could give this behaviour, or could it be that the 100D is simply too old for these speeds?
VPN implies an overhead over the "pure" speed of a link. It is normal that a device cannot do full link speed over a VPN channel.
To do a full-speed VPN connection you need a specific processor/device (more expensive than a 100D).
Hope this helps.
PS. You can see your VPN limit in the Forti 100D docs. (Consider even the other traffic that passes through the WAN you are using... the "tube" is the same and it is shared.)
For example, a 110C has a 100Mbit limitation over VPN.
A 100D is granted for 300Mbit over IPsec VPN, but you have to consider the slowest link, in this case the 60E, which is granted for 150Mbit. You are lucky because you are slightly over performance.
My best
I'm not sure where you got those values, but in the datasheet these are listed:
FortiGate 60E: IPsec VPN Throughput (512 byte) - 2 Gbps
FortiGate 100D: IPsec VPN Throughput (512 byte) - 380 Mbps
Sorry, you are absolutely right, I was reading the SSL VPN, not the IPsec. (This can explain the slightly higher throughput over the 150Mbps that I wrote.)
Anyway you should go up to 380 because of the 100D.... up to.... as you use AES256-SHA256 and other conditions over the firewall. Maybe 200Mbps does not seem lightning fast, but perhaps you should consider the load on the device or, for example, the geographic (routing) distance.
1- For testing, reduce the IPsec parameters to AES128 and SHA1.
These are guaranteed to be handled in hardware (SHA384, for example, is not).
2- No UTM whatsoever in the tunnel policy (as this will involve the CPU).
This should give you fully accelerated IPsec. The weak link is the 100D. Consider buying a second 60E and finance it through the reduced service contract costs.
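The two test steps above expressed as FortiOS CLI, as an added example that is not part of the original thread; the tunnel name "to-60E", the phase 2 name "to-60E-p2" and the policy id 10 are assumed placeholders for the reader's own objects.

```text
# Step 1: phase 1 and phase 2 proposals restricted to AES128/SHA1 for the test
# (tunnel name "to-60E" is an assumed placeholder)
config vpn ipsec phase1-interface
    edit "to-60E"
        set proposal aes128-sha1
        set npu-offload enable
    next
end
config vpn ipsec phase2-interface
    edit "to-60E-p2"
        set phase1name "to-60E"
        set proposal aes128-sha1
    next
end

# Step 2: no UTM on the tunnel policy so the flow is not pulled onto the CPU
# (policy id 10 is an assumed placeholder)
config firewall policy
    edit 10
        set utm-status disable
        set auto-asic-offload enable
    next
end

# Checks: confirm the policy has no UTM profiles attached, then look at the
# per-algorithm hardware vs. software counters and the negotiated tunnel state
show firewall policy 10
diagnose vpn ipsec status
diagnose vpn tunnel list name to-60E
```

Run the same proposal change on the 60E side, since both peers must agree on AES128/SHA1 before the tunnel will come up with the reduced settings.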
heisenberg wrote: Sorry, you are absolutely right, I was reading the SSL VPN, not the IPsec. (This can explain the slightly higher throughput over the 150Mbps that I wrote.)
Anyway you should go up to 380 because of the 100D.... up to.... as you use AES256-SHA256 and other conditions over the firewall. Maybe 200Mbps does not seem lightning fast, but perhaps you should consider the load on the device or, for example, the geographic (routing) distance.
Well, I need to figure out what might be the cause and take action against it :) 380 is almost double the speed and is absolutely a better number.
I see that both the 100D and 60E have 200 Mbps "Threat Protection Throughput", but how do I verify if that is enabled or not?
Since it's not clear in the original post I wanted to point out one thing: VPN throughput is half dictated by the environment/connection between two end devices. If the test is not done with two devices side-by-side over a cable, you need to include that part into consideration.
toshiesumi wrote: Since it's not clear in the original post I wanted to point out one thing: VPN throughput is half dictated by the environment/connection between two end devices. If the test is not done with two devices side-by-side over a cable, you need to include that part into consideration.
Sorry I wasn't clear enough about it. The connection is a leased fiber connection, going straight from one firewall to the other, not over the internet, etc.
Then why do you need a VPN over a point-to-point dedicated/private circuit?
Copyright 2024 Fortinet, Inc. All Rights Reserved.