We’ve got a FortiGate 101F running the latest FortiOS 7.2.1 and are experiencing poor VPN performance. Clients are running the latest FortiClient 7.07.0345 pushed out by EMS. The office has a solid 100 Mbps connection (both directions upload and download). At home I’ve got a 300 Mbps Down/20 Mbps Upload internet connection. Clients are running Windows 11.
I’ve been testing both IPSec and SSL VPN connections to the FortiGate and the results are dismal. During testing I’m not applying any of the UTM security profiles to the traffic. DNS is resolving fine while connected remotely and latency while connected remotely to the file server is about 32 ms, which doesn’t seem too bad (internally it's < 1 ms). When I’m the only user in the office connected via VPN and copying files from the office to my client I’m getting the following results:
For SSL, I’m only averaging about 20 Mbps download. I’ve already got DTLS enabled on both the FortiGate and Client.
For IPsec, surprisingly, the results are even worse. I only average about 9 Mbps download.
I understand there should be some loss, but these results are terrible. Anyone have some settings that I could try to help this out?
I know this won't help IPSec, but how do I confirm that DTLS is working? If I capture packets on the WAN interface originating from my remote client's IP address, I only see TCP packets on port 443 and no UDP packets.
If I use the command diagnose debug application sslvpn -1, there is no mention of DTLS anywhere in those results.
Any insight would be appreciated.
Are you seeing any fragmentation in your pcap on the VPN client?
Looking at the pcap on the client, it looks like the "Don't fragment" flag is set on all of the TLSv1.3 traffic sent to the Fortigate and the Fragment Offset is 0 on all of the TCP packets sent back to the client.
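The check asked about above (is the client actually using DTLS, or has it silently fallen back to TLS over TCP?) can be automated against a `tcpdump -n -v` text capture taken on the WAN interface. The script below is an added example, not code from the thread or from Fortinet: it counts TCP versus UDP packets on the SSL-VPN port for one client address and notes how many carry the DF bit. The two captures, the client address 203.0.113.10, the FortiGate WAN address 198.51.100.1 and the port 443 are all constructed sample data.

```python
import re
from typing import Dict

# Regex for one "tcpdump -n -v" summary line: pulls the IP flags (DF / none),
# the transport protocol and the source/destination address.port pairs.
LINE_RE = re.compile(
    r"flags \[(?P<flags>[^\]]*)\].*?proto (?P<proto>TCP|UDP) \(\d+\), length \d+\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Constructed sample capture (not a real pcap): remote client 203.0.113.10 talks to
# the FortiGate WAN address 198.51.100.1 only over TCP/443. This is what a client
# looks like when UDP/443 is blocked somewhere upstream and DTLS fell back to TCP.
CAPTURE_TCP_ONLY = """\
12:00:01.000001 IP (tos 0x0, ttl 118, id 4311, offset 0, flags [DF], proto TCP (6), length 1400) 203.0.113.10.51234 > 198.51.100.1.443: Flags [P.], seq 1:1349, ack 1, win 513, length 1348
12:00:01.000420 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 198.51.100.1.443 > 203.0.113.10.51234: Flags [.], ack 1349, win 501, length 0
12:00:01.002000 IP (tos 0x0, ttl 118, id 4312, offset 0, flags [DF], proto TCP (6), length 1400) 203.0.113.10.51234 > 198.51.100.1.443: Flags [P.], seq 1349:2697, ack 1, win 513, length 1348
12:00:01.002500 IP (tos 0x0, ttl 118, id 9001, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.10.51300 > 198.51.100.1.80: Flags [S], seq 0, win 64240, length 0
"""

# Constructed sample where the same client also exchanges UDP/443: the DTLS tunnel is up.
CAPTURE_WITH_DTLS = """\
12:05:01.000001 IP (tos 0x0, ttl 118, id 7001, offset 0, flags [DF], proto TCP (6), length 52) 203.0.113.10.51234 > 198.51.100.1.443: Flags [.], ack 1, win 513, length 0
12:05:01.001000 IP (tos 0x0, ttl 118, id 7002, offset 0, flags [none], proto UDP (17), length 1228) 203.0.113.10.60001 > 198.51.100.1.443: UDP, length 1200
12:05:01.001300 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1228) 198.51.100.1.443 > 203.0.113.10.60001: UDP, length 1200
12:05:01.002000 IP (tos 0x0, ttl 118, id 7003, offset 0, flags [none], proto UDP (17), length 1228) 203.0.113.10.60001 > 198.51.100.1.443: UDP, length 1200
"""


def summarize_vpn_capture(capture: str, client_ip: str, vpn_port: int = 443) -> Dict[str, object]:
    """Count TCP vs UDP packets on the SSL-VPN port for one client and say whether DTLS is in use."""
    counts = {"tcp": 0, "udp": 0, "df_set": 0, "matched": 0}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a tcpdump summary line we understand
        if client_ip not in (m["src"], m["dst"]):
            continue  # some other host
        if vpn_port not in (int(m["sport"]), int(m["dport"])):
            continue  # e.g. ordinary web traffic on 80, not the VPN
        counts["matched"] += 1
        counts[m["proto"].lower()] += 1
        if "DF" in m["flags"]:
            counts["df_set"] += 1
    dtls = counts["udp"] > 0
    if dtls:
        verdict = "DTLS in use (UDP/%d seen from this client)" % vpn_port
    else:
        verdict = "no UDP/%d from this client: DTLS fell back to TCP, check that UDP/%d is allowed upstream" % (vpn_port, vpn_port)
    return {**counts, "dtls_in_use": dtls, "verdict": verdict}


if __name__ == "__main__":
    for name, cap in (("tcp-only", CAPTURE_TCP_ONLY), ("with-dtls", CAPTURE_WITH_DTLS)):
        print(name, summarize_vpn_capture(cap, "203.0.113.10"))
```

Run it against a real capture by piping `tcpdump -n -v -i <wan> host <client-ip>` output into a file and passing that text to `summarize_vpn_capture`. A result with `udp == 0` over a long enough window means the tunnel is running over TCP regardless of what the DTLS setting says, which is exactly the upstream UDP/443 block found later in this thread.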
DTLS is now working on our SSL VPN connection, performance is now where it should be. With it working, I’m now seeing 85 Mbps instead of 20 Mbps. UDP on port 443 was being blocked upstream from our office so it was defaulting back to TCP. Once they allowed UDP on 443 to pass, DTLS kicked in without issue.
I’ll look into our IPSec issue later this week as it seems to have resolved itself at the moment. When they made the changes upstream for the SSL DTLS, for whatever reason our IPSec connection is now also seeing 85 Mbps download. Not sure what changed, I’ll test again once there is more office traffic to inspect.
I may have jumped the gun in thinking DTLS was the answer. With DTLS enabled (and now working) the internet speed tests (in full tunnel) went from 20 Mbps up to 85 Mbps, but this morning I was testing moving files across and with DTLS enabled the files are transferring to the client at around 12-14 Mbps; if I disable DTLS they transfer at 30-55 Mbps. So while DTLS made a HUGE difference in basic internet speed tests, ordinary file transfers between the LAN and remote client are MUCH slower. I've gone back and disabled DTLS for now.
I wonder if you're just hitting limits with the SMB protocol. It does not handle latency very well. If you are running SMBv2 you can try tuning it or try running SMBv3 as it works a bit better with latency.
Before doing that, however, can you do some other speed testing methods? What about setting up iperf or some other mechanism to see what raw data transfer speeds look like over the VPN.
Graham,
Running iperf with the default settings. I'm only seeing 10.6 Mbps over the SSL VPN w/o DTLS and 10.7 Mbps over SSL VPN w/DTLS.
Sorry, I'm new to iperf. Reading more, the previous results make sense as that is the upload speed (of my home internet connection). Running it with the -R switch (download speed) I'm seeing 28.5 Mbps over the SSL VPN w/o DTLS and 31.5 Mbps w/DTLS. Not sure why these are so low.
Set up iperf (traffictest) on the FortiGate and see what you get over the internet from home without using the VPN.
You'll have to set up your device at home as an iperf server as the iperf on FortiGate does not work in server mode. Also you'll need to run iperf3.
Try it out and see how fast the actual raw internet link is between you and your Fortigate. Refer to "2) TCP/UDP traffic test against an iPerf server." at this link:
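The two iperf points made in this thread, that a plain run measures the client's upload and `-R` measures its download, and that the VPN number only means something next to a no-VPN run of the same direction, are easy to get wrong when reading raw iperf output. The script below is an added example, not code from the thread or from Fortinet: it parses `iperf3 -J` (JSON) results, reports the direction from the client's point of view and the receiver-side throughput, and compares a VPN run with a raw-link run. The two JSON documents are constructed samples that carry only the fields the parser reads; the `test_start.reverse` flag and the `end.sum_sent` / `end.sum_received` blocks are fields I expect in iperf3's JSON output, and the 95 Mbps raw-link figure used in the usage call is an assumed placeholder.

```python
import json
from typing import Dict

# Constructed iperf3 -J style output (sample data, not a real run). Only the fields
# this parser reads are included; real output carries many more. "reverse": 1 is
# what iperf3 records when the client ran with -R (server sends, client receives),
# i.e. a download test from the remote client's point of view.
SAMPLE_VPN_DOWNLOAD = json.dumps({
    "start": {"test_start": {"protocol": "TCP", "num_streams": 1, "reverse": 1, "duration": 10}},
    "end": {
        "sum_sent": {"bytes": 39375000, "seconds": 10.0, "bits_per_second": 31500000.0, "retransmits": 12},
        "sum_received": {"bytes": 39000000, "seconds": 10.0, "bits_per_second": 31200000.0},
    },
})

# Constructed sample of a plain run (no -R): the client sends, so this is its upload.
SAMPLE_VPN_UPLOAD = json.dumps({
    "start": {"test_start": {"protocol": "TCP", "num_streams": 1, "reverse": 0, "duration": 10}},
    "end": {
        "sum_sent": {"bytes": 13375000, "seconds": 10.0, "bits_per_second": 10700000.0, "retransmits": 0},
        "sum_received": {"bytes": 13250000, "seconds": 10.0, "bits_per_second": 10600000.0},
    },
})


def parse_iperf3(json_text: str) -> Dict[str, object]:
    """Reduce an iperf3 JSON result to direction (client view), throughput and retransmits."""
    data = json.loads(json_text)
    ts = data["start"]["test_start"]
    end = data["end"]
    reverse = bool(ts.get("reverse", 0))
    # The number that matters is what the receiver actually got, not what the
    # sender managed to push into its socket buffers.
    received_mbps = end["sum_received"]["bits_per_second"] / 1e6
    sent_mbps = end["sum_sent"]["bits_per_second"] / 1e6
    return {
        "protocol": ts.get("protocol", "TCP"),
        "direction": "download" if reverse else "upload",
        "sent_mbps": round(sent_mbps, 2),
        "received_mbps": round(received_mbps, 2),
        "retransmits": end["sum_sent"].get("retransmits", 0),
    }


def vpn_overhead(vpn_mbps: float, raw_mbps: float) -> Dict[str, float]:
    """Compare a VPN run with a no-VPN run in the same direction to show what the tunnel costs."""
    if raw_mbps <= 0:
        raise ValueError("raw link throughput must be positive")
    ratio = vpn_mbps / raw_mbps
    return {"ratio": round(ratio, 3), "loss_pct": round(100 * (1 - ratio), 1)}


if __name__ == "__main__":
    down = parse_iperf3(SAMPLE_VPN_DOWNLOAD)
    up = parse_iperf3(SAMPLE_VPN_UPLOAD)
    print("VPN", down["direction"], down["received_mbps"], "Mbps, retransmits", down["retransmits"])
    print("VPN", up["direction"], up["received_mbps"], "Mbps")
    # 95.0 is an assumed placeholder for a no-VPN download run from home to the
    # FortiGate; replace it with the receiver Mbps of your own raw-link test.
    print("tunnel overhead vs raw link:", vpn_overhead(down["received_mbps"], 95.0))
```

Run the VPN test and the raw-link test (iperf3 from the FortiGate's traffictest to an iperf3 server at home, as suggested above) with the same direction and duration, then feed both receiver figures to `vpn_overhead`. A large loss percentage with few retransmits points at the tunnel (MTU, DTLS fallback, crypto load) rather than the underlying internet link; a raw link that is already slow means the VPN is not the thing to tune.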