Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: IPSec VPN Issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec VPN Issue
Hi, I’m running into a strange issue with an IPsec tunnel to a Cisco firewall and I’m hoping someone can help.
The tunnel comes up fine and traffic does pass through, but the connection slows down significantly. For example:
- If I ping 8.8.8.8 directly from an end-user machine, the replies are just a few ms.
- If I ping a remote address over the tunnel, the latency jumps to about a second.
- Even pinging the remote VPN gateway itself shows very high delay. As soon as I bring the tunnel down, latency immediately improves to under 10 ms.
Setup details:
- Both the Internet and VPN zones share the same physical interface on the firewall (different VLANs) and use the same ISP.
- I don’t believe the issue is on the remote side, because if I establish same tunnel to the same remote gateway from a different firewall, it works normally.
So far, I’ve tried flushing the tunnel on both ends, but that didn’t help.
Does anyone know which commands I could run to troubleshoot this further, or what else I should be checking?
Thanks
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Daryaya,
It's worth checking the MSS size so as to isolate if fragmentation is causing the delay. Have you tried disabling NPU and test? Pls help review the below docs for your reference:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-NP6-Out-of-order-packets/ta-p/312315
Atul Srivastava
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response. I have disabled NPU offload, but this did not improve the latency. I considered packet fragmentation as a possible cause and tested using ICMP with the DF bit set and a reduced MTU; however, the delay remained consistently high. Regarding running below debugs, could you please advise what they might prove?
diagnose npu np6 port-list
diag npu np6 dce <id>
diag npu np6 pdq <id>
diag npu np6 register <id>
diag npu np6 sse-stats <id>
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Daryaya,
If the issue still remains after adjusting MSS and disablng NPU, pls consider retest with TCP-MSS clamping applied and perform a single-stream iPerf test. If possible, the testing should be done using Linux clients/servers to avoid potential discrepancies introduced by Windows iPerf auto-window handling.
Configure server-client set up for the iperf test as below:
At Fortigate side:
-----------------
Step 1:
-Visit the link https://iperf.fr/iperf-download.php and download iperf software at the destination server
-Now locate the directory path(something like c:\users\name\onedrive\desktop\name) where you have saved the downloaded iperf files(I would recommend to place the files inside a folder) and copy the path.
-Go to command prompt and run the following:
cd <directory path> iperf3.exe -s //hit enter.
At Cisco side :
--------------
Step 1:
-Visit the link https://iperf.fr/iperf-download.php and download iperf software at the source machine
-Now, locate the directory path(something like c:\users\name\onedrive\desktop\name) where you have saved the downloaded iperf files(I would recommend to place the files inside a folder) and copy the path.
-Go to command prompt and run the following:
cd <directory path> iperf3.exe -c x.x.x.x //hit enter. x.x.x.x is the destination server IP address at FGT.
cd <directory path> iperf3.exe -c x.x.x.x -R //hit enter.
Step 4: On Fortigate
a)
# diag traffictest server-intf <tunnel interface> <----- Define server port.
# diag traffictest client-intf port1 <----- Define the port from where source is coming
# diag traffictest run <----- Run iPerf3.
b)
# diag traffictest server-intf <tunnel interface>
# diag traffictest client-intf <tunnel interface>
# diag traffictest port 5209
# diag traffictest run -c y.y.y.y //where y.y.y.y is the src IP behind Cisco
# diagnose traffictest run -R -c y.y.y.y -p 5209
# diagnose traffictest run -c y.y.y.y -u
For your query related to the NP commands, below are the explaination:
diagnose npu np6 port-list- This command shows the list of ports on the NP6 processor. It can help verify if the correct ports are being used and if there are any configuration issues.
diag npu np6 dce <id>- This command displays the number of dropped packets for the selected NP6 processor. It can help identify if packet drops are contributing to the latency issue.
diag npu np6 pdq <id>- This command shows packet buffer queue counters. It can help determine if there are any queuing issues that might be causing delays.
diag npu np6 register <id>- This command shows NP6 registers. It is typically used for low-level diagnostics and might be more useful for Fortinet support or developers to identify hardware-related issues.
diag npu np6 sse-stats <id>- This command shows hardware session statistics counters. It can help identify session-related issues, such as session offloading problems, which might be affecting performance.
All the above commands helps identify any botleneck situation for the traffic flow.
Atul Srivastava
Labels
-
FortiGate
10,655 -
FortiClient
2,172 -
FortiManager
895 -
5.2
687 -
FortiAnalyzer
683 -
5.4
638 -
FortiSwitch
589 -
FortiClient EMS
567 -
FortiAP
562 -
IPsec
424 -
6.0
416 -
SSL-VPN
385 -
FortiMail
374 -
5.6
362 -
FortiNAC
288 -
FortiWeb
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
197 -
FortiAuthenticator
179 -
FortiGuard
160 -
5.0
152 -
Firewall policy
145 -
FortiGate-VM
134 -
6.4
128 -
FortiCloud Products
116 -
FortiSIEM
113 -
FortiToken
113 -
FortiGateCloud
112 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
86 -
FortiProxy
78 -
ZTNA
77 -
Routing
75 -
SAML
74 -
Fortivoice
73 -
DNS
72 -
VLAN
72 -
BGP
70 -
FortiEDR
69 -
FortiADC
68 -
Authentication
68 -
Certificate
66 -
RADIUS
61 -
LDAP
60 -
fortilink
57 -
SSO
54 -
NAT
54 -
FortiSandbox
53 -
FortiExtender
52 -
4.0MR3
49 -
vdom
47 -
Interface
46 -
Application control
46 -
FortiDNS
43 -
Logging
41 -
Virtual IP
41 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
SSL SSH inspection
36 -
FortiConnect
35 -
Web profile
35 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
28 -
Traffic shaping
26 -
API
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
Fortigate Cloud
23 -
System settings
22 -
WAN optimization
21 -
FortiMonitor
20 -
OSPF
20 -
Security profile
19 -
Web rating
19 -
FortiSoar
18 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
FortiAP profile
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2624 | |
| 1390 | |
| 804 | |
| 667 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.