Problem of bandwidth
Hi All,
My Forti product is a FortiWifi 60C (v4.0,build0656,130211 (MR3 Patch 12)).
Just one vdom (root).
I have 2 software switches:
- switch_data from internal1 to internal5;
- switch_wan from wan1 to wan2.
On each interface:
- internal1: device in 1Gbps;
- internal2 and 3: devices in 100Mbps;
- internal4 and 5: free;
- wan1: my ISP router in 1Gbps;
- wan2: device in 1Gbps;
- dmz: not used;
- two Wifi interfaces: one secure and one in captive portal (5GHz band).
All the firewall policies have UTM features enabled (AV, Application, Web Filter).
There are 10 policies.
My ISP offers a fiber connection with a bandwidth of 200Mbps.
When I connect my laptop in Ethernet directly on the ISP router (1Gbps), a speedtest result to Internet is 190Mbps.
When I connect the same laptop on the internal4 (all the other devices are off), a speedtest result is about 10 to 15Mbps.
Same result if I disable all the UTM features.
Other test: on internal1, the device is now up (in 1Gbps). I do some speedtests with iperf between internal1 and internal4 (all the other devices are still down): the result is the same as the WAN test through the FortiWifi.
Can someone help me diagnose this problem?
Regards,
Heodrene
Could you check your CPU usage when the speedtest is running?
Are you using a PPPoE connection (VDSL2)?
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Hi Storaid,
In GUI or in CLI mode (with get system top)?
No PPPoE interface is used on the FortiWifi.
My Internet connection isn't an xDSL technology but fiber optic.
I connect my laptop in Ethernet (1Gbps) on internal4.
1) With UTM profiles enabled, Speedtest gives 9.75MBps.
"diag sys top" displays high CPU usage for four processes:
- ssl;
- proxyworker;
- ipsengine;
- scanunitd.
2) Without UTM profiles enabled, Speedtest gives 70MBps.
"diag sys top" doesn't display any process with high CPU usage but the bandwidth is still low.
3) Directly on the ISP router, Speedtest gives 190Mbps.
I'm disappointed... :(
Are you sure the FGT and the ISP modem have the correct duplex and speed settings when installed?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I think so :)
Fortinet, result of "get system interface physical" for wan1:
==[wan1]
mode: static
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: up
speed: 1000Mbps (Duplex: full)
No IP because wan1 is in a software switch (with wan2).
On ISP router:
port : ethernet 4
mode : 1000
state : true
auto configuration : Auto
maximum speed : 1000
duplex mode : Full
Hi,
I use Speedtest and Iperf for WAN tests and only Iperf on my LAN.
This evening I used another FWF60C with the same version and the same configuration, same results.
We can observe:
- without FWF (directly on the ISP router or a dedicated switch), the bandwidth is OK;
- with FWF without UTM profiles, only the upload bandwidth is OK, download falls;
- with FWF with UTM profiles, both upload and download significantly fall.
On the other hand, I ran a simultaneous packet capture on the laptop and the FWF, then opened them in Wireshark, and I noticed the following:
- laptop: packets seem clean;
- FWF: lots of DUP ACK packets.
I searched the Fortinet KB about DUP ACK but I found nothing. :(
I opened a support ticket 10 days ago, I just received an answer today with this KB: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33312
Hummmmmmmmm.... OK, so what about LAN? I opened this ticket not because Speedtest gave me bad results but because all other applications have become very slow through Fortinet.
Remove the software switch, disable all UTM features and try again...
In fact, a software switch can impact the I/O performance,
because the packets from a software switch interface can NOT be handled by the hardware FortiASIC (fast-path).
If you enable the following features, the NPU acceleration will be lost:
1. UTM features
2. software switch
3. QoS features
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
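The checklist in the reply above can be applied to a configuration backup offline. This is an added example, not code from the thread or from Fortinet: it parses a constructed config fragment and reports, per firewall policy, which of the three listed features apply. Assumptions: the `config`/`edit`/`set`/`next`/`end` backup layout, the `utm-status` and `traffic-shaper` policy keys (the latter standing in for "QoS features"), and all object names in the sample.

```python
import re

# Constructed sample in FortiOS CLI backup style (syntax and names are assumptions).
SAMPLE_CONFIG = """
config system switch-interface
    edit "switch_data"
        set member "internal1" "internal2" "internal3"
    next
end
config firewall policy
    edit 1
        set srcintf "switch_data"
        set dstintf "dmz"
        set utm-status enable
    next
    edit 2
        set srcintf "dmz"
        set dstintf "wifi"
        set traffic-shaper "shared-1M"
    next
end
"""

def parse_sections(text):
    """Parse flat (non-nested) blocks into {section: {entry: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            section = sections.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None and len(tok) > 1:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None and len(tok) > 1:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None  # leave the current edit block
    return sections

def slow_path_reasons(text):
    """Map policy id -> which of the reply's three features apply to it."""
    cfg = parse_sections(text)
    switches = set(cfg.get("system switch-interface", {}))
    report = {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        ifaces = set(pol.get("srcintf", []) + pol.get("dstintf", []))
        checks = {"UTM": pol.get("utm-status") == ["enable"],
                  "software switch": bool(ifaces & switches),
                  "QoS": "traffic-shaper" in pol}
        report[pid] = [name for name, hit in checks.items() if hit]
    return report
```

Calling `slow_path_reasons(SAMPLE_CONFIG)` returns one list per policy id; an empty list means none of the three features was found on that policy.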
Hi Storaid,
Good job soldier!
I did a factory reset, then I just configured the WAN1 interface and one policy.
Below 3 tables:
- first: results before factory reset with my FWF60C;
- second: results with another FWF60C and the same configuration as above;
- third: result with my last configuration without software switches:
NB: the UTM speedtest is low because AV is enabled. When you read the FWF60C datasheet, you notice the AV throughput is 20Mbps in proxy-based (versus 40Mbps in flow-based). So this result is not an issue, it's "by design". If I disable the AV feature, the speedtest is better (about 135 - 155Mbps). In this case, it is the IPS throughput that limits my bandwidth.
Thanks a lot, everybody
Heodrene