Problem of bandwidth

Heodrene · ‎04-17-2013

Hi All, My Forti product is a FortiWifi 60C (v4.0,build0656,130211 (MR3 Patch 12)). Just one vdom (root). I have 2 software switchs : - switch_data from interna1 to internal5 ; - switch_wan from wan1 to wan2. On each interface : - internal1 : device in 1Gbps ; - internal2 and 3 : devices in 100Mbps ; - internal4 and 5 : free ; - wan1 : my ISP router in 1Gbps ; - wan2 : device in 1Gbps ; - dmz : not used ; - two Wifi interfaces : one secure and one in captive portal (5GHz band). All the firewall policies are UTM features enabled (AV, Application, Web Filter). There are 10 policies. My ISP offers a bandwidth in fiber with a bandwidth of 200Mbps. When I connect my laptop in Ethernet directly on the ISP router (1Gbps), a speedtest result to Internet is 190Mbps. When I connect the same laptop on the internal4 (all the others devices are off), a speedtest result is about 10 at 15Mbps. Same result if I disable all the UTM features. Other test : on internal1, the device is now up (in 1Gbps). I do some speedtest with iperf between internal1 and internal4 (all the others devices are always down) : the result is the same as WAN test through FortiWifi. Someone can help me to diagnose this problem ? Regards, Heodrene

storaid · ‎04-17-2013

could you check your cpu usage when speedtest is running? are you using PPPoE connection(VDSL2)??

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

Heodrene · ‎04-18-2013

Hi Storaid, In GUI or in CLI mode (with get system top) ? Not PPOE interface used on the FortiWifi. My Internet connection isn' t a xDSL technology but fiber optic.

Heodrene · ‎04-18-2013

I connect my laptop in Ethernet (1Gbps) on internal4. 1) With UTM profiles enabled, Speedtest gives 9.75MBps. " diag sys top" displays high CPU usage for four processes : - ssl ; - proxyworker ; - ipsengine ; - scanunitd. 2) Without UTM profiles enabled, Speedtest gives 70MBps. " diag sys top" doesn' t display any prrocess with high CPU usage but the bandwidth is still low. 3) Directly on the ISP router, Speedtest gives 190Mbps. I' m disapointed... :(

rwpatterson · ‎04-18-2013

Are you sure the FGT and the ISP modem have the correct duplex and speed settings when installed?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Heodrene · ‎04-19-2013

I think so :) Fortinet, result of " get system interface physical" for wan1 : ==[wan1] mode: static ip: 0.0.0.0 0.0.0.0 ipv6: ::/0 status: up speed: 1000Mbps (Duplex: full) No ip because wan1 is in a software switch (with wan2). On ISP router : port : ethernet 4 mode : 1000 state : true auto configuration : Auto maximum speed : 1000 duplex mode : Full

Heodrene · ‎04-23-2013

Hi, I use Speedtest and Iperf for WAN tests and only Iperf on my LAN. I used this evening an other FWF60C with same version and same configuration, same results. We can observe : - without FWF (directly on the ISP router or a dedicated switch), the bandwitdh is OK ; - with FWF without UTM profils, only the upload bandwidth is OK, download falls ; - with FWF with UTM profils, both upload and download significantly fall. On the other hand, I proceeded to a simultaneous packet capture on the laptop and FWF and then I opened them in Wireshark , I noticed the following thing : - laptop : packets seems clean ; - FWF : lots of DUP ACK packets I searched on the KB Fortinet about DUP ACK but I find nothing. :( I opened a support ticket 10 days ago, I just receive an answer today with this KB : http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33312 Hummmmmmmmm.... OK, so what about LAN ? I opened this ticket not because Speedtest gave me bad results but because all others applications are became very slow through Fortinet.

storaid · ‎04-23-2013

remove software switch, disable all UTM features and try again... in fact, software switch can impact the I/O performance.. because these packets from software switch interface can NOT be handled by hardware FortiASIC(fast-path).

if you enable the following features, the NPU acceleration will be lost: 1. UTM features 2. software switch 3. QoS features

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

Heodrene · ‎04-25-2013

Hi Storaid, Good job soldier !

I did a factory reset, I just configured WAN1 interface, one Policy. Below 3 tables : - first : results before factory reset with my FWF60C ; - second : results with an other FWF60C and the same configuration as above ; - third : result with my last configuration without software switches : NB : the UTM speedtest is low because AV is enabled. When you read FWF60C datasheet, you notice the AV throughput is 20Mbps in proxy-based (versus 40Mbps in flow based). So, this result is not an issue, it' s " by design" . If I disable AV feature, the speedtest is better (about 135 - 155Mbps). In this case, this is the IPS throughput that limits my bandwidth. Thanks a lot for everybody

Heodrene

Problem of bandwidth

Nominate a Forum Post for Knowledge Article Creation