billsey
New Contributor

Internet performance with 30E running 6.0.2

I recently did the firmware upgrade from 5.6 to 6.0 and I'm seeing much poorer performance than before the upgrade. We've got a 25Mbps symmetrical feed over fiber and my total throughput has dropped to 10Mbps. When I bypass the FortiGate and connect directly to the fiber modem I get full speed with any of the speed tests. I don't remember making any changes other than the update and we've rebooted a couple of times. Does anyone have ideas on what's going wrong?

 

SecurityPlus
Contributor II

When you refer to a speedtest with 6.0.2 with the firewall in the circuit, are you using a browser speedtest using something like speedtest.net or are you referring to the Bandwidth window on the FortiGate GUI?
billsey

I've tried both. When going through the router just now speedtest.net gave: Ping ms 83 Download Mbps 7.21 Upload Mbps 9.43, note that there are other users getting a portion of the bandwidth, so this is expected to be lower than the 25/25 we get without the router. At the same time the bandwidth window is displaying a flat line near 10Mbps.

 

When testing directly connected to the fiber modem last week we saw the full 25/25 using speedtest.net. I hesitate to do that test very often since it takes the whole company down...

tanr
Valued Contributor II

Ping out to a nearby server was 83 ms through the FortiGate?

What was the ping going straight through the fiber modem?

billsey
New Contributor

I don't remember right off hand, 10ms or so... Ping Plotter is currently showing 1.2ms to the router and 407.8ms to a machine that's sitting on the same fiber modem (I have four static IPs on that modem). That does go through another 30E on the other side...

tanr
Valued Contributor II

That's pretty slow for a ping without much between the devices, though I don't know the 30E latency specs.

 

Are you getting some packet loss?  Maybe a speed/duplex mismatch between the FortiGate and modem?

 

See https://forum.fortinet.com/tm.aspx?m=164445 for someone running into something similar recently and http://kb.fortinet.com/kb/documentLink.do?externalID=10653 for speed/duplex checking.

 

billsey
New Contributor

Both the FortiGate and the fiber modem are at 1000Mbit full duplex. The cable run is all within the same room, under 20 feet in total. The fiber modem acts as a four port switch, the other device connected is fiber for several hundred feet (it's in a different building), then a fiber modem then the other 30E. Do I have visibility into packet loss through the web interface? I'm not seeing any stats at first glance through the GUI.

tanr
Valued Contributor II

To get a list of your interfaces (which will tell you that wan1 is actually port3, etc.):

    diagnose netlink device list 

 

To see statistics for a particular interface, which should show you the link speed and duplex and some of the counters for statistics:

    diagnose hardware deviceinfo nic <interface>

 

If you do see a bunch of dropped packets or link speeds that don't match, then you'll be a bit closer to the cause of the problem.

billsey
New Contributor

That first one is a bit hard to read since the numbers are so big. Counting right from 'bytes' and 'packets' for both Receive and Transmit show 0 errors and 0 drops on all active ports. The second command shows links as up, 1000, full on each port that's in use.

 

I did a show and captured the results into a text file. If there was something that was doing extra debug logging what would I search for in the file? I remember turning debug on and off while diagnosing VPNs but I believe I left them all in off states.

tanr
Valued Contributor II

What does the following show?

    config sys int
      edit <wan port>
        get | grep speed

 

If it is "auto" you might try "set speed 1000full".  I've run into some modems that didn't auto-negotiate well, especially those with SFP to Gigabit ethernet adapters.

 

Just in case you left any of the debug stuff on, you might want to do:

 

    diagnose debug disable
    diagnose debug flow trace stop
    diagnose debug flow filter clear
    diagnose debug reset

 

then run a quick speed test again.

 

 

Beyond that, I'm really not the one to ask about using diag debug flow, maybe others will chime in. 

One basic doc is http://kb.fortinet.com/kb/documentLink.do?externalID=FD33882 which has some other references.

 

BTW, I'm quite interested in how this goes for you as I was supposed to order a 30E tomorrow to use in a small location that will need to handle 100/50 Mbps with UTM.
