iperf3 allows you to run several sessions in parallel to find the true maximum throughput between two sites. You can even try to send your traffic with a higher TCP Window size and that should also improve throughput assuming there is no loss on the link.
From the above issue description, I understand that you are facing download and upload slowness issues within the IPsec tunnel.
Can you please provide the information below:
1. Rough network topology
2. Tunnel name
3. Try disabling auto-asic offload from the firewall policy and disable NPU offload from phase1 of the IPsec tunnel.
4. Try to lower the MTU size and MSS size in the interface and firewall policy respectively.
5. Please run an iperf test from the client machine and attach the output.
6. Try disabling UTM profiles and certificate inspection for testing purposes.
7. May I know if traffic shaping has been configured? If yes, then try disabling it for testing purposes and check the bandwidth.
Contrary to @chauhans' opinion, I would deduce that the tunnel traffic does not use offloading and thus is slowed down by the (meager) SoC CPU of the 60F. This would be the case if any UTM is in use, in proxy mode, like AV.
Try to see the sessions in the tunnel: select the relevant policy, right-click to 'see in FortiView', select the 'all sessions' tab and observe if (most of) the sessions are offloaded.
If not, strip the policy of all UTM for testing.
If so, too bad. Might be an MTU issue then.
I've seen some 60Fs in real networks, none of which exhibited excessively slow IPsec throughput.
The situation you're experiencing, where a single stream is slow but multiple streams are faster, is quite common when dealing with high latency networks like transcontinental IPsec VPNs. The issue often lies with the TCP window size, which is the amount of data that can be "in flight" on the network before an acknowledgment is received.
High latency networks require a larger TCP window size to fully utilize the available bandwidth. If the window size is too small, the sender will stop sending data and wait for an acknowledgment, leading to underutilization of the available bandwidth.
Here are some steps you can take to improve the performance:
### 1. **Enable TCP Window Scaling**
On the systems sending and receiving data over the VPN, ensure that TCP window scaling is enabled. This allows the systems to use a larger TCP window size, which can improve performance on high latency networks.
### 2. **Adjust MTU Size**
The MTU size on the VPN tunnel can also affect performance. If the MTU size is too large, packets might need to be fragmented, which can reduce performance. If it's too small, the overhead of the IPsec encapsulation could take up a larger proportion of each packet. You could experiment with different MTU sizes to see if this improves performance.
### 3. **Enable VPN Performance Features**
On the FortiGate devices, make sure that you're using performance-enhancing features, such as:
- **Hardware acceleration**: If your FortiGate model supports it, ensure that IPsec hardware offloading is enabled to improve performance.
- **NPU acceleration**: Similarly, if your FortiGate has network processing units (NPUs), you can use them to accelerate IPsec traffic.
- **IPsec interface mode**: In interface mode, the FortiGate unit can use NPUs to offload flow-based and proxy-based security profiles, reducing CPU usage.
### 4. **Use Multiple VPN Tunnels**
If your FortiGate model supports it, consider setting up multiple VPN tunnels and using load balancing to distribute traffic across them. This could potentially allow you to utilize more bandwidth.
### 5. **Upgrade FortiGate Firmware**
Ensure that your FortiGate devices are running the latest firmware, as newer versions may include performance improvements or bug fixes that could help with your issue.
### 6. **Contact Fortinet Support**
If you've tried everything and are still experiencing issues, consider reaching out to Fortinet Support. They may be able to provide additional insights or suggestions tailored to your specific setup.
Remember, network performance tuning can be a complex process and the best settings often depend on the specifics of your network and the systems you're using. It's always a good idea to make changes incrementally and monitor the results to understand the impact of each change.
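Added example, not part of the original thread: a small Python calculator for the window-size effect described above, showing why one window-limited stream stays slow on a high-latency tunnel while parallel streams add up. The function names and the sample figures (100 Mbit/s, 200 ms RTT, unscaled 65535-byte window) are assumptions constructed for illustration; IPsec overhead and packet loss are ignored.

```python
"""Single-stream TCP ceiling on a high-latency path (constructed sample values)."""

MAX_UNSCALED_WINDOW = 65535  # largest value of the 16-bit TCP window field
MAX_WSCALE_SHIFT = 14        # largest window scale shift allowed by RFC 7323


def bdp_bytes(bandwidth_bps: int, rtt_ms: int) -> int:
    """Bandwidth-delay product: bytes that must be in flight to fill the path."""
    return -(-bandwidth_bps * rtt_ms // 8000)  # ceiling division


def stream_ceiling_bps(window_bytes: int, rtt_ms: int) -> int:
    """One stream can send at most one window per round trip."""
    return window_bytes * 8 * 1000 // rtt_ms


def wscale_shift_needed(window_bytes: int):
    """Smallest window scale shift that can advertise window_bytes, or None."""
    for shift in range(MAX_WSCALE_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= window_bytes:
            return shift
    return None  # beyond what TCP window scaling can express


def streams_to_fill(bandwidth_bps: int, window_bytes: int, rtt_ms: int) -> int:
    """Parallel streams needed to fill the path when each is window-limited."""
    per_stream = stream_ceiling_bps(window_bytes, rtt_ms)
    return -(-bandwidth_bps // per_stream)  # ceiling division


def report(bandwidth_bps: int, rtt_ms: int, window_bytes: int) -> dict:
    """Summarise the window-limited behaviour of one path."""
    need = bdp_bytes(bandwidth_bps, rtt_ms)
    ceiling = stream_ceiling_bps(window_bytes, rtt_ms)
    return {
        "bdp_bytes": need,
        "single_stream_bps": min(bandwidth_bps, ceiling),
        "window_limited": window_bytes < need,
        "wscale_shift": wscale_shift_needed(need),
        "parallel_streams": streams_to_fill(bandwidth_bps, window_bytes, rtt_ms),
    }


if __name__ == "__main__":
    # Constructed sample: 100 Mbit/s tunnel, 200 ms RTT, no window scaling
    for key, value in report(100_000_000, 200, MAX_UNSCALED_WINDOW).items():
        print(f"{key}: {value}")
```

If a single stream measured across the tunnel sits near the computed ceiling, the limit is the endpoints' TCP window rather than the firewall.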