S2S VPN Traffic from a 1GB WAN Interface to a 10GB LACP LAN Interface Slow

jbcg · ‎06-03-2024

Hi,

I have two FG201F FortiGate devices connected via an IPsec tunnel, both running firmware version 7.0.15. The latency between the two FortiGates is approximately 17ms. The VPN's are configured in an SDWAN.

Here is the problem:

Server-A, located behind FG-A, needs to communicate with Server-B, which is located behind FG-B. FG-B uses an aggregated port combining interfaces X1 and X2, both of which are 10GB interfaces.

When Server-A communicates with Server-B through the aggregated interface, the connection speed is only 20-30 Mbps. However, if I move the VLAN of Server-B to a non-aggregated port, such as Port 2 (which is a 1GB interface), the traffic speed increases significantly to 600-800 Mbps.

Both interfaces are connected to a Dell N4032F stacked with an N4032. On the switch, the configuration is a simple port channel in active mode.

It's noteworthy that if you connect from a server behind Port 2 (FG-B) to the VLAN behind the aggregated interface (also FG-B), you nearly achieve the full 1GB bandwidth.

Any idea what i did wrong?
The Problem must be a combination of the WAN Interface and the LACP but i cant figure out why.
I ruled the S2S VPN already out since it is working with the non LACP Port.

Below the netlink diag

funkylicious · ‎06-03-2024

Hi,

Your problem sounds like a issue that should of been solved in 7.0.15 ( 910829 , https://docs.fortinet.com/document/fortigate/7.0.15/fortios-release-notes/289806/resolved-issues ) and in 7.2.8 .

If you have a active support contract, I would suggest opening a TAC case for this.

---------------------------
geek
---------------------------

View solution in original post

jbcg · ‎06-03-2024

Just checked the mtu's as well:
MTU's are 1500 on every Interface and the S2S has a dst-mtu=1500 / SA: mtu=1438

------------------------------------------------------
name=S2S ver=1 serial=3 FG-A:0->FG-B:0 tun_id=FG-B tun_id6=::FG-B dst_mtu=1500 dpd-link=on weight=1
bound_if=7 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=33433503 txp=216373747 rxb=37139969499 txb=30713390709
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=26
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=S2S proto=0 sa=1 ref=519 serial=3 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
SA: ref=6 options=18227 type=00 soft=0 mtu=1438 expire=24688/0B replaywin=2048
seqno=1d1188a esn=0 replaywin_lastseq=016f68dc qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42899/43200
dec: spi=8d17e097 esp=aes key=32 ~key~
ah=sha256 key=32 ~key~
enc: spi=b92c0180 esp=aes key=32 ~key~
ah=sha256 key=32 ~key~
dec:pkts/bytes=33433645/37140125644, enc:pkts/bytes=216532126/30853494665
npu_flag=03 npu_rgwy=FG-B npu_lgwy=FG-A npu_selid=4 dec_npuid=1 enc_npuid=1
run_tally=0
------------------------------------------------------

funkylicious · ‎06-03-2024

Take a look at, https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Known-Issue-Decreased-Throughput-whe...

---------------------------
geek
---------------------------

funkylicious · ‎06-03-2024

Hi,

Your problem sounds like a issue that should of been solved in 7.0.15 ( 910829 , https://docs.fortinet.com/document/fortigate/7.0.15/fortios-release-notes/289806/resolved-issues ) and in 7.2.8 .

If you have a active support contract, I would suggest opening a TAC case for this.

---------------------------
geek
---------------------------

jbcg · ‎06-04-2024

Thank you for your help!
I will open a TAC case and upgrade one of the firewalls to version 7.2.8 to see if the problem persists.