Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fback
New Contributor

Limited speeds when accessing subnet from outside work (FTP/VPN)

Hey everyone, first time posting !

 

I would need help, my situation is that we have a subnet on a DMZ with a single PC holding our Filezilla FTP server. 

 

Capture.JPG

 

When I connect from the domain, I can pull 1,000mbps (100mo/s) from this pc. When I connect from outside using either the VPN or Filezilla, every connection is limited to 50mbps (5mo/s). 

When I am connected to the VPN and try to download files from the domain server, I also get this same cap on speed.


I have checked EVERYWHERE, nothing is limited. I know there is something because the same user downloading a file from the FTP server will get 5mo/s and if the user starts a second download, the speed for each files becomes 2.5mo/s.

But at the same time, monitoring the FTP pc shows me not even 5% of the network bandwith is used.

 

One of my guess is the switch connected to the DMZ port. It is an unmanaged Trendnet switch with loads of camera plugged in.

 

Anything would be helpful, 

Thank you !

8 REPLIES 8
gfleming
Staff
Staff

Need some more info:

 

  1. What model of Fortigate?
  2. Do you have any other speed issues when transferring data between interfaces on the FortiGate (for example from LAN to WAN)?
  3. Do you have any security profiles applied to the WAN<->DMZ firewall policy?
  4. When you connect from FileZilla are you over the VPN or is it a direct connection using VIP?
Cheers,
Graham
fback
New Contributor

Hey there GFleming, thank you for taking some of your time to help me.

 

-    I have a Fortigate 80E

-    LAN to WAN works full speed (Max 100mo/s from the NIC bottleneck of 1gbps)

-    I do have some security activated and applied to the WAN - DMZ

FTP-IN.png

FTP-OUT.png

-    When trying to download on Filezilla I get the same slow speeds using VIP/VPN (5mo/s). (I assumed when mentionning VIP that you are talking about connecting to the FTP using the credentials created in Filezilla server ?)

gfleming

OK sounds like an issue that is isolated to the outside network. Have you confirmed it's not an issue with the outside network?

Do you get slow speeds when connecting to VPN or FTP VIP from a different ISP?

If you do a speedtest from the FileZilla server does it give you full speed?

Cheers,
Graham
fback
New Contributor

Issue with the outside network :

I tested from another employee's home (we both have above 120mbps connections up/down) and I experienced the same thing : Downloads capped at 50mbps. Starting a second download splits the speed 25mbps/25mbps. We have different ISPs (Bell /Vmedia) with reasonable ping (14ms)

 

Speed test results from the computer running the FTP on the subnet :

 

Speedtest_Subnet.JPG

So, normally the max I could download from this PC would be it's "maximum upload bandwith", which is still above 200mbps if I am correct.

 

 

gfleming

OK and for the other question, If you do a speedtest from the FileZilla server does it give you full speed??

 

Also what are the ping times when you ping the IP address of the VPN or FileZilla server from the outside network?

Cheers,
Graham
fback
New Contributor

Sorry for the confusion Graham, 

 

The speed test I included above is done on the pc running the filezilla server application. So the answer to your question is : yes, the filezilla server is giving me full speed internet access.

I get ping time of around 34ms when connected to the VPN. I have no way of knowing the latency of filezilla FTP when downloading.

fback
New Contributor

As I said in my first post, this one really puzzle me.

 

When connected to the pc on the DMZ subnet (Running filezilla server) everything works fine.

I can even download from the FTP while on the LAN and I get the full 1,000mbps. 

 

No policy for restricting access anywhere, no hardware bottleneck. As you said, it only affect people outside our network.

Capture.JPG

Here is the graph for DMZ FTP. 5mbps vs 500mbps (Coming from LAN upload/download)

 

 

I am starting to have a look at the servers configuration. I noticed some of them are running SMB v2.1 which is pretty old. Could that affect something ?

Sans titre.png



 

gfleming

I'm confused what you're trying to show me with that graph. That looks like you are getting 800Mbps download on the FileZilla server. The inbound traffic is probably just TCP ACKs, etc and other overhead not necessarily showing an FTP download.

 

You are using FTP protocol right? Then it has nothing to do with SMB.

 

I think next step is to run a packet capture on an external client when downloading from the FileZilla server. I wonder if we are having MTU issues or packet loss or something else. Can you please run a packet capture and paste the output showing the initial handshake and the next 20-30 packets for the FTP session?

Cheers,
Graham
Top Kudoed Authors