Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: IPSec VPN Issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec VPN Issue
Hi, I’m running into a strange issue with an IPsec tunnel to a Cisco firewall and I’m hoping someone can help.
The tunnel comes up fine and traffic does pass through, but the connection slows down significantly. For example:
- If I ping 8.8.8.8 directly from an end-user machine, the replies are just a few ms.
- If I ping a remote address over the tunnel, the latency jumps to about a second.
- Even pinging the remote VPN gateway itself shows very high delay. As soon as I bring the tunnel down, latency immediately improves to under 10 ms.
Setup details:
- Both the Internet and VPN zones share the same physical interface on the firewall (different VLANs) and use the same ISP.
- I don’t believe the issue is on the remote side, because if I establish same tunnel to the same remote gateway from a different firewall, it works normally.
So far, I’ve tried flushing the tunnel on both ends, but that didn’t help.
Does anyone know which commands I could run to troubleshoot this further, or what else I should be checking?
Thanks
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Daryaya,
It's worth checking the MSS size so as to isolate if fragmentation is causing the delay. Have you tried disabling NPU and test? Pls help review the below docs for your reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-NP6-Out-of-order-packets/ta-p/312315
Atul Srivastava
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response. I have disabled NPU offload, but this did not improve the latency. I considered packet fragmentation as a possible cause and tested using ICMP with the DF bit set and a reduced MTU; however, the delay remained consistently high. Regarding running below debugs, could you please advise what they might prove?
diagnose npu np6 port-list
diag npu np6 dce <id>
diag npu np6 pdq <id>
diag npu np6 register <id>
diag npu np6 sse-stats <id>
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Daryaya,
If the issue still remains after adjusting MSS and disablng NPU, pls consider retest with TCP-MSS clamping applied and perform a single-stream iPerf test. If possible, the testing should be done using Linux clients/servers to avoid potential discrepancies introduced by Windows iPerf auto-window handling.
Configure server-client set up for the iperf test as below:
At Fortigate side:
-----------------
Step 1:
-Visit the link https://iperf.fr/iperf-download.php and download iperf software at the destination server
-Now locate the directory path(something like c:\users\name\onedrive\desktop\name) where you have saved the downloaded iperf files(I would recommend to place the files inside a folder) and copy the path.
-Go to command prompt and run the following:
cd <directory path> iperf3.exe -s //hit enter.
At Cisco side :
--------------
Step 1:
-Visit the link https://iperf.fr/iperf-download.php and download iperf software at the source machine
-Now, locate the directory path(something like c:\users\name\onedrive\desktop\name) where you have saved the downloaded iperf files(I would recommend to place the files inside a folder) and copy the path.
-Go to command prompt and run the following:
cd <directory path> iperf3.exe -c x.x.x.x //hit enter. x.x.x.x is the destination server IP address at FGT.
cd <directory path> iperf3.exe -c x.x.x.x -R //hit enter.
Step 4: On Fortigate
a)
# diag traffictest server-intf <tunnel interface> <----- Define server port.
# diag traffictest client-intf port1 <----- Define the port from where source is coming
# diag traffictest run <----- Run iPerf3.
b)
# diag traffictest server-intf <tunnel interface>
# diag traffictest client-intf <tunnel interface>
# diag traffictest port 5209
# diag traffictest run -c y.y.y.y //where y.y.y.y is the src IP behind Cisco
# diagnose traffictest run -R -c y.y.y.y -p 5209
# diagnose traffictest run -c y.y.y.y -u
For your query related to the NP commands, below are the explaination:
diagnose npu np6 port-list- This command shows the list of ports on the NP6 processor. It can help verify if the correct ports are being used and if there are any configuration issues.
diag npu np6 dce <id>- This command displays the number of dropped packets for the selected NP6 processor. It can help identify if packet drops are contributing to the latency issue.
diag npu np6 pdq <id>- This command shows packet buffer queue counters. It can help determine if there are any queuing issues that might be causing delays.
diag npu np6 register <id>- This command shows NP6 registers. It is typically used for low-level diagnostics and might be more useful for Fortinet support or developers to identify hardware-related issues.
diag npu np6 sse-stats <id>- This command shows hardware session statistics counters. It can help identify session-related issues, such as session offloading problems, which might be affecting performance.
All the above commands helps identify any botleneck situation for the traffic flow.
Atul Srivastava
Labels
-
FortiGate
10,770 -
FortiClient
2,198 -
FortiManager
902 -
5.2
687 -
FortiAnalyzer
687 -
5.4
638 -
FortiSwitch
595 -
FortiClient EMS
578 -
FortiAP
568 -
IPsec
442 -
6.0
416 -
SSL-VPN
390 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
256 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
184 -
FortiGuard
160 -
5.0
152 -
Firewall policy
147 -
FortiGate-VM
139 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
114 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
91 -
Customer Service
88 -
FortiProxy
79 -
SAML
77 -
ZTNA
77 -
Routing
76 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
BGP
72 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
RADIUS
64 -
LDAP
63 -
FortiLink
59 -
SSO
57 -
FortiSandbox
55 -
NAT
55 -
FortiExtender
52 -
VDOM
50 -
4.0MR3
49 -
Interface
49 -
Application control
48 -
Virtual IP
44 -
FortiDNS
43 -
Logging
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
SSL SSH inspection
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Traffic shaping
26 -
Static route
26 -
Fortigate Cloud
25 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSoar
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiEdge Cloud
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2678 | |
| 1412 | |
| 810 | |
| 703 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.