SSL VPN performance and latency
I am having trouble with throughput and the SSL VPN on both Windows and Mac clients.
Latency from the client to the Fortigate is about 30ms with bandwidth in both directions of at least 10mbps.
Starting with the Mac, I can achieve full expected performance when using the native IPsec client, at least 10mbps in either direction. When using the SSL VPN client (version 4.4.2287), I cannot achieve more than 3-4mbps in either direction. Oddly enough, performance seems to be better with an older client (4.0.2138) but it's a bit flaky with Mountain Lion.
With Windows, the situation is a bit different. First, when connecting locally over the internal gigabit network (with near-zero latency), performance easily exceeds 10+ mbps. I verified through trace routes, the route table, and Task Manager that tested traffic was indeed flowing through SSL VPN. This tells me that the underlying hardware is capable. However, when testing from off-site (at least 10mbps and 30ms latency), the performance changes. From the client's perspective, the download rate through SSL VPN is about 10mbps (good, expected). The upload is the problem in that it cannot exceed about 2mbps. I have tried older clients and the latest (2287) but the results are the same. It seems that the increased latency is the contributing factor. I then re-tested from another location with similar bandwidth but with latency of about 60ms. In this case, the upload rate fell to about 1mbps. Given that the SSL VPN uses TCP, my guess is that there's an issue with TCP window scaling of the SSL VPN connection itself, especially when the client is sending data to the Fortigate.
Has anyone else been able to achieve better performance on either Mac or Windows SSL VPN clients? My clients need good throughput in both directions from Internet-based sources where latency is far from zero.
My testing has included Windows 7 (using an older Pentium M and a Core i7 dual-core) and a Macbook Air late-2010 model running both Snow Leopard and Mountain Lion. Transfer tests included iperf (tcp and udp modes), SMB, SMBv2, speedtest.net (and similar tools hosted by the ISP). Two different Fortigates were used (80C and 200B), both running 4.3.12.
Thanks!
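A bandwidth-delay check of the window hypothesis raised in the post above, as an added example that is not part of the original thread. It reads "mbps" as megabits per second (an assumption) and uses the two off-site Windows upload figures from the post as constructed sample input; the function names are illustrative.

```python
"""Added example: do throughput samples fit a fixed in-flight window cap?"""

# Constructed from the figures in the post, reading "mbps" as Mbit/s (assumption):
# (round-trip time in ms, observed upload throughput in Mbit/s).
SAMPLES = [(30, 2.0), (60, 1.0)]


def implied_window_bytes(rtt_ms, mbit_per_s):
    """Bytes in flight per round trip that would produce this throughput.

    throughput = window / RTT, so window = throughput * RTT.
    """
    return mbit_per_s * 1_000_000 * rtt_ms / 8000


def required_window_bytes(rtt_ms, target_mbit_per_s):
    """Bandwidth-delay product: window needed to sustain the target rate."""
    return implied_window_bytes(rtt_ms, target_mbit_per_s)


def fits_fixed_window(samples, tolerance=0.25):
    """True when every sample implies roughly the same window, which is
    what a fixed cap looks like: throughput falls in proportion to 1/RTT."""
    windows = [implied_window_bytes(rtt, tput) for rtt, tput in samples]
    mean = sum(windows) / len(windows)
    return all(abs(w - mean) <= tolerance * mean for w in windows)


def report(samples, target_mbit_per_s=10.0):
    """One summary line per sample: implied window versus window needed."""
    lines = []
    for rtt, tput in samples:
        have = implied_window_bytes(rtt, tput)
        need = required_window_bytes(rtt, target_mbit_per_s)
        lines.append(
            f"rtt={rtt}ms observed={tput}Mbit/s "
            f"implied_window={have:.0f}B needed={need:.0f}B"
        )
    lines.append(f"consistent_with_fixed_window={fits_fixed_window(samples)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLES)))
```

Both samples work out to the same amount of data in flight per round trip, which is the pattern a fixed window cap produces; a bandwidth-limited path would instead show the same throughput at both latencies.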
2 REPLIES
Are you sure that the remote connections you are testing from have at least 10 Mbps in each direction?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Absolutely, 10mbps at least in both directions for all locations.
I should clarify that I fully control the remote end points and verified that there was no other competing traffic that would skew the results.