Hi, I’m running into a strange issue with an IPsec tunnel to a Cisco firewall and I’m hoping someone can help.
The tunnel comes up fine and traffic does pass through, but the connection slows down significantly. For example:
Setup details:
So far, I’ve tried flushing the tunnel on both ends, but that didn’t help.
Does anyone know which commands I could run to troubleshoot this further, or what else I should be checking?
Thanks
Hi Daryaya,
It's worth checking the MSS size so as to isolate whether fragmentation is causing the delay. Have you tried disabling NPU and testing? Please review the doc below for your reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-NP6-Out-of-order-packets/ta-p/312315
Thank you for your response. I have disabled NPU offload, but this did not improve the latency. I considered packet fragmentation as a possible cause and tested using ICMP with the DF bit set and a reduced MTU; however, the delay remained consistently high. Regarding running the debugs below, could you please advise what they might prove?
diagnose npu np6 port-list
diag npu np6 dce <id>
diag npu np6 pdq <id>
diag npu np6 register <id>
diag npu np6 sse-stats <id>
Hi Daryaya,
If the issue still remains after adjusting MSS and disabling NPU, please consider retesting with TCP-MSS clamping applied and performing a single-stream iPerf test. If possible, the testing should be done using Linux clients/servers to avoid potential discrepancies introduced by Windows iPerf auto-window handling.
diagnose npu np6 port-list - This command shows the list of ports on the NP6 processor. It can help verify if the correct ports are being used and if there are any configuration issues.
diag npu np6 dce <id> - This command displays the number of dropped packets for the selected NP6 processor. It can help identify if packet drops are contributing to the latency issue.
diag npu np6 pdq <id> - This command shows packet buffer queue counters. It can help determine if there are any queuing issues that might be causing delays.
diag npu np6 register <id> - This command shows NP6 registers. It is typically used for low-level diagnostics and might be more useful for Fortinet support or developers to identify hardware-related issues.
diag npu np6 sse-stats <id> - This command shows hardware session statistics counters. It can help identify session-related issues, such as session offloading problems, which might be affecting performance.
All the above commands help identify any bottleneck situation for the traffic flow.
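As an added illustration of the DF-bit MTU test and the TCP-MSS clamping suggested in this thread (example script, not posted by either participant): it binary-searches the path MTU through the tunnel with DF-bit pings and derives the MSS value to clamp. It assumes Linux iputils ping (-M do sets DF, -s sets the ICMP payload size), IPv4, and a far-side address reachable through the tunnel; the probe function is a parameter so the search can be exercised offline against a simulated path.

```shell
#!/bin/sh
# probe_df SIZE TARGET -> exit 0 if a DF-bit ping with SIZE payload bytes gets through.
# Assumes Linux iputils ping; on other platforms replace this one function.
probe_df() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu TARGET [PROBE]: largest total IPv4 packet size (576..1500 bytes)
# that passes PROBE (default: probe_df) without being fragmented.
find_path_mtu() {
    target=$1
    probe=${2:-probe_df}
    lo=576    # smallest MTU worth testing (RFC 791 minimum reassembly size)
    hi=1500   # Ethernet MTU
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        # ICMP payload = MTU - 20 (IPv4 header) - 8 (ICMP header)
        if "$probe" $(( mid - 28 )) "$target"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# mss_for_mtu MTU: TCP MSS = MTU - 20 (IPv4 header) - 20 (TCP header, no options)
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Live usage (hypothetical far-side address, run from a host behind the tunnel):
#   pmtu=$(find_path_mtu 192.0.2.1)
#   echo "path MTU $pmtu -> clamp TCP MSS to $(mss_for_mtu "$pmtu")"
```

Because the pings traverse the tunnel, the discovered MTU already accounts for ESP overhead; if the iPerf single stream still stalls with MSS clamped to that value, fragmentation is unlikely to be the cause.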
Copyright 2025 Fortinet, Inc. All Rights Reserved.