Support Forum
Jirka1
Contributor III

SSL VPN poor speed

Hello,


We are having trouble with throughput of the SSL VPN on Windows. Latency from the client to the FortiGate is about 20 ms; bandwidth on the FortiGate site is 1 Gbps and on the client site 100 Mbps. First, when connecting locally over the internal gigabit network (with near-zero latency), performance easily exceeds about 60 Mbps for download on the client. I verified through trace routes, the route table, and Task Manager that the tested traffic was indeed flowing through the SSL VPN. This tells me that the underlying hardware is capable. However, when testing from off-site (at least 100 Mbps and 20 ms latency), the performance changes. From the client's perspective, the download rate through the SSL VPN is about 13 Mbps, and the upload is the problem in that it cannot exceed about 2-3 Mbps. It seems that the increased latency is the contributing factor. Given that the SSL VPN uses TCP, my guess is that there's an issue with TCP window scaling of the SSL VPN connection itself, especially when the client is sending data to the FortiGate.

I tried disabling all UTM and changing the IP on wan. wan has no errors, MTU 1500, speed 1 Gbit FD (fixed).


Important: if I configure IPsec VPN and test it, throughput from the corporate LAN to the client is over 80 Mbps on both sides. And also traffic to the internet (through the FortiGate, no split tunnel) reaches the client's maximum line speed (about 90 Mbps).

Has anyone else been able to achieve better performance on Windows SSL VPN clients? Our clients need good throughput in both directions from corporate LAN and Internet-based sources where latency is far from zero...

My testing has included Windows 7 and Windows 10. Transfer tests included iperf (TCP and UDP modes), SMB, FTP, and Speedtest.net (and similar tools hosted by the ISP). FortiGate 100D running v5.4.3 build1111 and FortiClient 5.4.2.0860.


config vpn ssl settings
    set reqclientcert disable
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
    unset banned-cipher
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set https-redirect disable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert "**********"
    set algorithm high
    set idle-timeout 0
    set auth-timeout 28800
    set tunnel-ip-pools "*********"
    set dns-suffix "*******.local"
    set dns-server1 172.22.91.100
    set dns-server2 172.22.91.101
    set wins-server1 172.22.91.100
    set wins-server2 172.22.91.101
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface disable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface "wan1"
    set source-address "all"
    set source-address-negate disable
    set source-address6 "all"
    set source-address6-negate disable
    set default-portal "web-access"
    set dtls-tunnel enable
    set check-referer disable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
end


config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set dhcp-relay-service disable
        set ip ********* 255.255.255.240
        set allowaccess ping https ssh snmp http fgfm
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-redirect enable
        set vlanforward enable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type physical
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description "WAN"
        set alias "WAN"
        set security-mode none
        set device-identification disable
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role wan
        set snmp-index 2
        set secondary-IP disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set fortilink disable
        config ipv6
            set ip6-mode static
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set speed 1000full
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end

We have faced this problem from the beginning (I think FortiOS version 5.0) and we hope for an improvement with each new version of FortiOS or FortiClient :/ If anyone has any idea how to fix this, I will be grateful.

Thanks!
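The window-scaling hypothesis in the post above can be put into numbers. This is an added example, not code from the thread: it applies bandwidth-delay-product arithmetic to the latency and rates the poster quotes (20 ms, 100 Mbps line, 13 Mbps down, 2-3 Mbps up) to show what a single TCP flow can carry per window and what in-flight data the observed rates imply.

```python
# Added example (not from the forum thread): bandwidth-delay-product arithmetic
# for a TCP-carried SSL VPN. Figures below are the ones quoted in the post.

MAX_UNSCALED_WINDOW = 65535  # bytes a 16-bit TCP window field can advertise without scaling


def max_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Upper bound for one TCP flow: at most one window of data per round trip."""
    if rtt_s <= 0:
        raise ValueError("rtt must be positive")
    return window_bytes * 8 / rtt_s


def required_window_bytes(target_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: bytes that must be in flight to sustain target_bps."""
    return round(target_bps * rtt_s / 8)


def needs_window_scaling(target_bps: float, rtt_s: float) -> bool:
    """True when the BDP exceeds what an unscaled window can advertise."""
    return required_window_bytes(target_bps, rtt_s) > MAX_UNSCALED_WINDOW


def implied_window_bytes(observed_bps: float, rtt_s: float) -> int:
    """Effective in-flight data that would explain an observed single-flow rate."""
    return required_window_bytes(observed_bps, rtt_s)


if __name__ == "__main__":
    rtt = 0.020      # 20 ms client <-> FortiGate, as quoted in the post
    line = 100e6     # client line rate, 100 Mbps
    print("window needed for 100 Mbps at 20 ms:", required_window_bytes(line, rtt), "bytes")
    print("window scaling needed:", needs_window_scaling(line, rtt))
    cap = max_throughput_bps(MAX_UNSCALED_WINDOW, rtt) / 1e6
    print("an unscaled 64 KiB window caps one flow at %.1f Mbps" % cap)
    # Observed rates from the post, read back as the in-flight data they imply.
    for label, rate in (("download 13 Mbps", 13e6), ("upload 2.5 Mbps", 2.5e6)):
        print(label, "-> implied in-flight data:", implied_window_bytes(rate, rtt), "bytes")
```

The upload figure implies only a few kilobytes in flight, far below the 64 KiB an unscaled window allows, so the arithmetic alone does not single out window scaling; it does show that a 20 ms path needs roughly 250 KB in flight to fill a 100 Mbps line.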

1 Solution
recha
New Contributor III

Hi Smartypants,


I had the same issue between 2 FortiGates with site-to-site IPsec, with fiber on both sides (100 Mb for one and 1 Gb for the other), and I had poor transfer bandwidth.

What is your FortiOS build?

For me, I was on 5.0 and just upgrading to 5.4 was enough to resolve this issue...


Sebastiaan_Koopmans

Still pending bug fix here...

FortiAnalyzer / 6.4.0

FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6

FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0

FortiWeb VM / 6.3.2

FortiManager VM / 6.4.0

Jirka1
Contributor III

Hi guys,


today, after Fortinet support recommendations, I upgraded to the latest FortiOS 5.4.4. Based on a quick test I see a little bit of improvement! Please, if you have the opportunity, perform the update and let me know.


Thanks, Jirka

Sebastiaan_Koopmans

Hi Jirka,


We have replaced our 200D with a 300D running FortiOS 5.4.4 and we also see improvement, but it's still not optimal.


In the meantime, our ticket is still in "Pending bug fix" state...

Sebastiaan_Koopmans

Any updates on tickets from someone?


Here it is still pending bug fix.

recha

If everyone has to migrate to a FortiGate 300/500 to use the full bandwidth we have, I think customers will spit in my face...

Especially when we look at the datasheet for the 100D, for example.

SSL VPN throughput 300 Mbps... and no asterisk for special cases... seems like barely 5 Mbps to me...


Either they lie on the datasheet, or there is indeed a bug, but if we have to wait several years for it to be fixed, it's hopeless...

I don't know if this issue exists on other firewalls like Check Point, Palo Alto, Stonesoft, Cisco... but damn, "it really pisses me off, big time!"

ITGuy11
New Contributor

Still slow throughput for us on a 300D. Status of ticket is "Pending bug fix" for me as well...

HA

Hi all,


I performed a small test on a FGT240D (running 5.4.3).

Download (from FTP to client): reaching the line speed (100 Mbps on the client side), so around 10 Mbytes/sec.

Upload: reaching the line speed (20 Mbps on the client side), so around 2.5 Mbytes/sec.


Regards,


HA

seadave
Contributor III

SSL VPN is easier to set up but has slower throughput.

IPsec VPN is less easy to deploy, but has higher performance.


Google shows many vendors with this issue due to the nature of how both technologies work. Because of Fortinet's ASICs it should be less of an issue, but I've always seen SSL perform far slower than IPsec.


https://www.google.com/search?q=why+is+SSLVPN+slower+than+IPSec&oq=why+is+SSLVPN+slower+than+IPSec&a...


Sebastiaan_Koopmans

With both SSL VPN and IPsec VPN we see the same behaviour...

Smartypants

"Both SSLVPN and IPSec VPN we see the same behaviour..."

Oh no... same with Site2Site.

I just started searching, trying to understand why our Site2Site VPN between two FortiGates is only able to move data at 30-50 Mbps on a 500 MB circuit.

I've been working with a very experienced team at our new cloud hosting site to set up a data tunnel between sites. On my local side I have a pair of 900Ds in active/passive and the VMware FortiGate on the hosting side.

Both units test to the general internet at throughputs equal to expectations: 500 MB on my local side and GB Ethernet speeds at the hosting provider, but through the Site2Site only 30 to 50...

Not good.
