- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSec High Latency optimizations
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec High Latency optimizations
Hi everyone,
We currently have two offices one in USA and one in Europe both of which have FortiGate 60F.
They are tunneled with IPSec and the bandwitdh using single iperf3 stream is extremely slow at 10Mbps but when using 10 parallel stream it is around 65Mbps.
The office in Europe has 1Gbps download and 400Mbps upload while office in USA has 300Mbps for both download and upload.
If you need any information to help me with the problem and to help me optimize the bandwidth between two offices, I will provide it.
Labels:
- Labels:
-
FortiGate
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your diagnostic outputs provide some valuable insights into the issues. Here's a breakdown of potential causes and solutions:
### 1. **MTU Differences**:
The `dst_mtu` value for the US FortiGate is 1500, while for the Europe FortiGate, it's 1492. MTU mismatch can cause fragmentation, which may lead to performance issues.
**Solution**:
- Standardize the MTU value on both ends to ensure that they match.
- Use the `ping` command with the "Do Not Fragment" bit set to determine the maximum MTU size that can traverse the VPN without fragmentation.
### 2. **NPU Offload**:
The NPU (Network Processing Unit) offloads processing from the main CPU, offering better performance for specific tasks, like VPN traffic handling. The US FortiGate is offloading to the NPU (`npu_flag=03`), while the Europe FortiGate is not (`npu_flag=00`).
**Solution**:
- Make sure the configurations are indeed identical. Some specific configurations, like using certain security profiles, can prevent NPU offloading.
- Ensure the FortiGate in Europe has the necessary hardware (NPU) and it's functioning correctly. You might need to contact Fortinet Support for a deeper diagnosis.
### 3. **Latency**:
While 148ms latency might be stable, it's still relatively high, especially for real-time applications. However, for regular data transfer, it should be fine as long as it's consistent and there's no packet loss.
### 4. **Firmware Version**:
Both devices are running v6.4.14 build2093, which is good for consistency. However, there might be known issues or bugs in this specific build that affect VPN stability or performance.
**Solution**:
- Consider checking Fortinet's documentation or support forums to see if there are known issues with this firmware version related to VPNs.
- Consider upgrading to a newer firmware version if available, after checking its release notes and ensuring it doesn't introduce new issues.
### Additional Steps:
1. **Re-check Configurations**: Even if the configurations seem identical, double-check VPN configurations, especially advanced settings, to ensure they match.
2. **Physical Layer**: Check the physical connections, including cables and interfaces, for any signs of issues.
3. **Logs**: Examine the FortiGate logs around the times of disconnections. They might provide more insights into the reasons behind the drops.
4. **Diagnostics**: Run diagnostic commands (e.g., `diagnose debug application ike -1`) to get more detailed information about the VPN process.
Lastly, if the issue remains unresolved, consider reaching out to Fortinet Support for a more in-depth analysis. They can provide specific guidance tailored to your setup.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When using multiple iperf3 streams the bandwidht goes up to 150Mbps, while still when using one stream it is at 10Mbps at most. How should I approach tuning MTU Size
- « Previous
-
- 1
- 2
- Next »
Related Posts
- how fortigate SD-WAN ensure both sites... 179 Views
- Load Balance over IPSec Tunnels within... 299 Views
- SDWAN between Fortigate and Forti PoP 408 Views
- How to Optimize BGP Route Switching... 4887 Views
Labels
-
FortiGate
6,649 -
FortiClient
1,326 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
419 -
6.0
416 -
5.6
362 -
FortiSwitch
341 -
FortiAP
338 -
FortiClient EMS
270 -
6.2
251 -
FortiMail
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
156 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
Logging
12 -
LDAP
11 -
VDOM
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
fortilink
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.