networkers
New Contributor II

NP6: UDP throughput limitation?

Hello,

 

We're experiencing lower download throughput when putting a WireGuard VPN server behind a FortiGate 500E cluster:

 

  • [Wireguard client]-----[Internet/30ms]--------[Wireguard server]-----[FortiGate]------[SMB server] => ~ 42 MB/s
  • [Internet/30ms]--------[Wireguard client]-----[Wireguard server]-----[FortiGate]------[SMB server] => ~ 42 MB/s
  • [Wireguard client]-----[Internet/30ms]-------[Wireguard server]-----[SMB server]----[FortiGate] => ~ 42 MB/s
  • [Internet/30ms]--------[Wireguard client]-----[Wireguard server]-----[SMB server]----[FortiGate] => ~ 42 MB/s
  • [Wireguard client]-----[Internet/30ms]--------[FortiGate]------[Wireguard server]-----[SMB server] => ~ 10 MB/s
  • [Internet/30ms]--------[Wireguard client]-----[FortiGate]-------[Wireguard server]-----[SMB server] => ~ 10 MB/s

 

- Setup:
Fortinet 500E cluster (active/passive)
FortiOS 7.4.7
Wireguard with UDP
client downloads 20GB file from SMB server
all servers with public IPs, no NAT

 

- policy flow based

config firewall policy
edit 1
set name "wireguard"
set srcintf "WAN"
set dstintf "x2"
set action accept
set srcaddr "all"
set dstaddr "wireguard-server"
set schedule "always"
set service "udp-51820" "icmp_all"
set profile-protocol-options "NoProxy"
set ssl-ssh-profile "no-inspection"
set logtraffic disable
set auto-asic-offload disable
set np-acceleration disable
next
end

 

- As you can see, we already disabled "auto-asic-offload" and "np-acceleration". When enabling those, download reaches a maximum of 6 MB/s.

- No traffic shapers activated.

- set ssl-ssh-profile "no-inspection" so nothing gets checked

 

As traffic always passes the NP6, I am asking myself whether there is a kind of limitation regarding UDP traffic?

 


BillH_FTNT
Staff

Hi Networkers,

When enabling offloading, please help to execute the list of commands below multiple times. Please share the output to my official email bhoang@fortinet.com.

I will check the logs for your case. Thanks

 

diag npu np6 sse-stats 0
diag npu np6 session stats 0
diag npu np6 hrx-drop 0
diag npu np6 ipsec-stats
diag npu np6 dce 0
diag npu np6 pdq 0
diag npu np6 xgmac-stats 0
diag npu np6 gmac-stats 0
diagnose npu np6 anomaly-drop-all 0
diag npu np6 session-dump 0 0
fnsysctl cat /proc/net/np6/hif-stats
fnsysctl cat /proc/net/np6/fos-perf
fnsysctl cat /proc/net/np6/pdq
fnsysctl cat /proc/net/np6/sse-hw
diag cp soc4 vpn-stats 0

 

Regards

Bill

 
