Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mcdaniels
New Contributor

IPsec Site 2 Site VPN - slow performance and malformed packets (Wireshark)

Hi folks,

I have got an IPsec Site 2 Site VPN between 2 FortiGate appliances:

 

1x FortiGate 60D connected to the Internet 12/12 Mbit: v5.0,build0310 (GA Patch 11)

1x FortiGate 100D connected to the Internet 20/20 Mbit: v5.0,build0310 (GA Patch 11)

 

We have got a database application running which transfers a small amount of data through the tunnel (a few MB for login, for example). Although the speed of the connection is not that slow, it takes 2 minutes until we get the login screen.

 

So I started Wireshark and got the following capture (log.jpg).

 

Really don't know why there are malformed packets with IPA protocol (192.168.10.248 is the database server IP). Is Wireshark perhaps misinterpreting the protocol?

 

VPN Phase 1:

Remote Gateway static IP Mode: Main

Preshared Key

Accept any peer ID

Enable IPSec Interface Mode: NO

IKE Version 1

P1 Proposal 1 - Encryption AES 256 Authentication SHA1

DH Group 5

Keylife 28800

Xauth Disable

NAT Traversal Enable

Keepalive Freq. 10

 

VPN Phase 2: P2 Proposal 1 - Encryption AES256 Authentication SHA1

Enable Replaydetection YES

Enable perfect forward secrecy PFS YES

DH Group 5

Keylife Seconds 1800

Auto Keep Alive Enable

Quick Mode Selector Source and Destination Address specified

 

I have no idea what is causing the slow down... :(

 

Any hints are welcome!

 

Daniel

emnoc
Esteemed Contributor III

Have you tested other TCP-based applications for slowness? IPA runs over TCP, so if you suspect it and VPN performance, test other TCP-based applications (telnet, ftp, ssh, etc.).

PCNSE 

NSE 

StrongSwan  
cgasser
New Contributor

I'm having the same problem. We just have other encryption settings (3DES / MD5). Performance is very slow (less than 3 MBit; and we have a 30 MBit symmetric WAN connection).

 

Anyone any idea? What to do? How to find the reason?

 

BR C

mas1971
New Contributor III

Nice Thread.

 

We just connected one Fritzbox 7490 (FW6.30) site to site with FG 60D FW 5.2.3 #670, IPSEC 3DES-SHA1 Tunnel.

Internet is: 200down/25up on FG60D and 50down/10up on Fritzbox. Files should be downloaded at the Fritzbox.

 

We know max performance on the Fritzbox is about 20 Mbit with a site to site VPN tunnel.

The performance (file copy to a Windows PC) is actually "only" 6 Mbit in both directions.

Sequential Read :     0.688 MB/s, Sequential Write :     0.615 MB/s

I would prefer the performance to be 20 Mbit (upload on FG60D and download on FB 7490) and about 10 Mbit the other way. Without VPN the speed is nearly maximum line speed.

 

At the FG 60D no UTM profiles are currently used. Only one policy for the VPN tunnel.

So is it possible that the FG60D has such poor IPsec VPN performance?

Any ideas for better performance?

 

Thx Martin

Best wishes out of Germany
mas1971
New Contributor III

Helped myself:

 

Changed phase 1 and phase 2 encryption from 3DES to AES256 and the performance rises double!

 

Now I get 1.3 MByte/sec Windows to Windows file exchange performance (about 10 Mbit) in both directions.

Best wishes out of Germany
howardsinc
New Contributor

Regarding the malformed packets: I have troubleshot this before, and this was due to our geo-redundant platform setup, where 2 mirror FortiGates, one active and one standby, are controlled by BGP failover. The standby peer had auto-negotiate on for the phase 1, which causes it to actively reach out to the remote peer to establish the phase 1 connection, which was undesirable. This essentially causes the phase 1 not to come up, with the errors being malformed packets. I have also seen it when the remote peer was a SonicWall and the PSK had a mismatch.

 

Regarding performance, try turning off the replay detection on your phase 2; this will auto-enable the NPU offload. When it is on, you have to manually enable the feature:

 

config system npu
    set enc-offload-antireplay enable
    set dec-offload-antireplay enable
    set offload-ipsec-host enable
end

====and make sure=====

config firewall policy
    edit 0
        set auto-asic-offload enable
    next
end

Next, regarding performance: I have troubleshot some ERP database applications through a VPN with poor performance. The fix to that issue was to increase the session TCP TTL to something like 8+ hours; you can set this for particular ports also:

 

config system session-ttl
    set default 28800
end

 

I hope this helps

 

good luck

JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
vjoshi_FTNT
Staff

Yes, I agree with the previous post.

 

Offloading the VPN traffic to the NP should increase the performance.

 

On the new versions, disabling the replay detection is the only thing needed. However, on the earlier firmware versions, you need to set the local-gw to the WAN IP in the phase 1 settings as well.

 

Hope that helps

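Pulling the two replies above together, here is an added example of the full set of CLI changes they describe (this is not configuration posted by either contributor or by Fortinet): the phase 2 replay-detection change, the explicit local-gw that vjoshi_FTNT says the earlier firmware needs, the NPU and policy offload settings, and the per-port session TTL that howardsinc mentions but does not show. The tunnel names, the wan1 interface, the 203.0.113.10 address, the policy id and the database port 1433 are placeholders; the policy-based `phase1`/`phase2` tables are used because the original post runs with interface mode off (interface-mode tunnels use `phase1-interface`/`phase2-interface` with the same settings).

```fortios
# Phase 1: pin the local gateway to the WAN address; earlier firmware needs
# this before the tunnel can be offloaded (wan1 / 203.0.113.10 are placeholders)
config vpn ipsec phase1
    edit "site2site"
        set interface "wan1"
        set local-gw 203.0.113.10
    next
end

# Phase 2: turning replay detection off makes the SA eligible for NP offload
config vpn ipsec phase2
    edit "site2site-p2"
        set phase1name "site2site"
        set replay disable
    next
end

# Alternative if anti-replay must stay on: offload it explicitly instead
config system npu
    set enc-offload-antireplay enable
    set dec-offload-antireplay enable
    set offload-ipsec-host enable
end

# The policy carrying the tunnel traffic must allow ASIC offload (id 1 is a placeholder)
config firewall policy
    edit 1
        set auto-asic-offload enable
    next
end

# Session TTL: raise the default, and additionally pin a long TTL on the
# database listener only (protocol 6 = TCP, port 1433 is a placeholder)
config system session-ttl
    set default 28800
    config port
        edit 1
            set protocol 6
            set start-port 1433
            set end-port 1433
            set timeout 28800
        next
    end
end

# Verification: check the SA flags and whether traffic is handled by the NPU
# or processed in software
diagnose vpn tunnel list
diagnose vpn ipsec status
```

Keep the per-port TTL entry narrower than the default where possible: a very long default TTL applies to every session on the box, whereas the port entry only keeps the database sessions alive.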
discoscott
New Contributor III

Any better if you use IKEv2 ?

mas1971
New Contributor III

discoscott wrote:

Any better if you use IKEv2 ?

There is no support for IKEv2 on the Fritzbox at the moment.

Best wishes out of Germany
emnoc
Esteemed Contributor III

I would look at the crypto status and validate that nothing is process-switched via software;

 

e.g

diag vpn ipsec status

 

In my experience, various ciphers offer a slight improvement over others. You would be best to test this in a controlled lab using a set packet size, with UDP and once again with iperf/jperf or similar, if you want to gain every inch of performance out of your IPsec tunnels.

 

BTW: I'm really surprised that the Fritzbox doesn't have IKEv2 support. I would have thought the 7490s would have it by now.

 

 

PCNSE 

NSE 

StrongSwan  