Hello,
We are having trouble with SSL VPN throughput on Windows. Latency from the client to the FortiGate is about 20ms; bandwidth at the FortiGate site is 1Gbps and at the client site is 100Mbps. First, when connecting locally over the internal gigabit network (with near-zero latency), download performance on the client easily exceeds about 60Mbps. I verified through trace routes, the route table, and Task Manager that the tested traffic was indeed flowing through the SSL VPN. This tells me that the underlying hardware is capable. However, when testing from off-site (at least 100Mbps and 20ms latency), the performance changes. From the client's perspective, the download rate through the SSL VPN is about 13Mbps, and the upload is the problem in that it cannot exceed about 2-3Mbps. It seems that the increased latency is the contributing factor. Given that the SSL VPN uses TCP, my guess is that there's an issue with TCP window scaling of the SSL VPN connection itself, especially when the client is sending data to the FortiGate.
I tried disabling all UTM and changing the IP on the WAN. The WAN has no errors, MTU 1500, speed 1GbitFD (fixed).
Important: if I configure IPsec VPN and test it, throughput from the corporate LAN to the client is over 80Mbps in both directions. Traffic to the internet (through the FortiGate, no split tunnel) also reaches the client's maximum line rate (about 90Mbps).
Has anyone else been able to achieve better performance with Windows SSL VPN clients? Our clients need good throughput in both directions from corporate LAN and Internet-based sources where latency is far from zero...
My testing has included Windows 7 and Windows 10. Transfer tests included iperf (TCP and UDP modes), SMB, FTP, and Speedtest.net (and similar tools hosted by the ISP). FortiGate 100D running on v5.4.3,build1111 and FortiClient 5.4.2.0860.
config vpn ssl settings
    set reqclientcert disable
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
    unset banned-cipher
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set https-redirect disable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert "**********"
    set algorithm high
    set idle-timeout 0
    set auth-timeout 28800
    set tunnel-ip-pools "*********"
    set dns-suffix "*******.local"
    set dns-server1 172.22.91.100
    set dns-server2 172.22.91.101
    set wins-server1 172.22.91.100
    set wins-server2 172.22.91.101
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface disable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set header-x-forwarded-for add
    set source-interface "wan1"
    set source-address "all"
    set source-address-negate disable
    set source-address6 "all"
    set source-address6-negate disable
    set default-portal "web-access"
    set dtls-tunnel enable
    set check-referer disable
    set http-request-header-timeout 20
    set http-request-body-timeout 30
end
config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set dhcp-relay-service disable
        set ip ********* 255.255.255.240
        set allowaccess ping https ssh snmp http fgfm
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-redirect enable
        set vlanforward enable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type physical
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description "WAN"
        set alias "WAN"
        set security-mode none
        set device-identification disable
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role wan
        set snmp-index 2
        set secondary-IP disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set fortilink disable
        config ipv6
            set ip6-mode static
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set speed 1000full
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end
We have faced this problem from the beginning (I think since FortiOS version 5.0) and we hope it improves with each new version of FortiOS or FortiClient :/ If anyone has any idea how to fix this, I will be grateful.
Thanks!
Hi Smartypants,
I had the same issue, between 2 FortiGates with site-to-site IPsec, with fiber on both sides (100Mb for one and 1Gb for the other), and I had poor transfer bandwidth.
What is your FortiOS build?
For me, I was on 5.0 and just upgrading to 5.4 was enough to resolve this issue...
I am having IPsec site-to-site VPN issues too: slow performance, using a 1 Gbps fiber link.
I have FG60D 5.2.11 >>> FG200D 5.2.10, IPsec VPN.
500-700 Mbps in one direction and only 124 Mbps in the other. I am checking all the NP4_lite settings and offload, but no change.
I wonder if 5.4.4 on my 60D would help?
FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
In my case, it was between a 100D and a 200D.
But I guess it would be a good thing to upgrade your 60D to 5.4.4...
I did upgrade my 60D to 5.4.4 and it may have helped, but total in+out bandwidth will still not exceed 700ish Mbps. I was hoping for that much in each direction.
Hi guys,
today I installed FortiClient 5.6 Beta 2 on 4 computers.
1x Win7Pro x64, 2x Win10Pro x64 and 1x Win10 x86. I only made an update from version 5.4.3 Build 0870. Everything looked good, but on all x64 machines the VPN dial-up froze at 98% :\ Okay, I did a proper uninstall and restart. In Device Manager, I deleted the inactive WAN miniport adapters and installed the beta version of FortiClient. After the install, a restart was not required.
I tested with a 100D on 5.6 GA on a 1Gbit line, and the client was on a 100Mbit line. I did not use split tunneling and I used the full NGFW on the policy: SSL DPI, APP, WEB, IPS, AV, EV and...... I was very surprised!
The most important change is that FortiClient now communicates over UDP!! (if you have DTLS enabled) and therefore there is no problem with latency vs. TCP window size.
Thanks for the comeback sigmasoftcz :)
But I don't understand: if you have 100Mb internet access (I assume it's symmetric), 3-5Mb on upload is not good (it's the transfer rate I have on SSL).
If you try to upload a file with SMB or FTP, now that it's UDP with DTLS enabled, is the max transfer rate you obtain 5 Mb?
Hi recha, no, maybe I wrote it badly :) The 3-5 Mbit upload speed was with the old version of FortiClient (with malfunctioning DTLS). With version 5.6 Beta 2, the upload speed is around 60Mbit with the full UTM profile on the policy to the public internet (speedtest.net). If I disable all UTM functions on the policy I achieve a speed of about 95 Mbit in both directions using SMB. I will test FTP in the evening.
Jirka
English is not my native language, I think I misunderstood what you said :)
It's great news! So to sum it up, FortiOS 5.6 + DTLS enabled on the appliance + FortiClient 5.6 Beta resolve this performance issue! ^^
That is the solution for customers complaining of poor SSL speed!
For my company, I think we will wait for FortiOS 5.6.1 :)
Thanks again for your help sigmasoftcz!
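As an added example (not code from this thread or from Fortinet), here is a small Python parser for CLI dumps in the format posted above, with a check for the settings the thread turns on: dtls-tunnel for throughput, plus the legacy-protocol and renegotiation settings the poster already has disabled. The sample config is constructed and trimmed from the posted dump; the parser also rejects a dump whose closing end/next lines are missing.

```python
# Constructed sample modelled on the dump posted above (values trimmed).
SAMPLE = """\
config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 disable
    set ssl-client-renegotiation disable
    set dtls-tunnel enable
end
config system interface
    edit "wan1"
        set tcp-mss 0
        config ipv6
            set ip6-mode static
        end
    next
end
"""

def parse_fortios(text):
    """Return {block path: {key: value}}; the path joins nested config/edit names."""
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line.startswith("edit "):
            stack.append(line[5:].strip('"'))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith(("set ", "unset ")):
            verb, _, rest = line.partition(" ")
            key, _, value = rest.partition(" ")
            # 'unset' keeps the key but records no value (e.g. unset banned-cipher)
            tree.setdefault("/".join(stack), {})[key] = value.strip('"') if verb == "set" else None
    if stack:  # the dump in the thread is missing its closing end/next lines
        raise ValueError("unterminated block: " + " > ".join(stack))
    return tree

def audit_ssl_vpn(tree):
    """Findings for the settings this thread turns on: DTLS for throughput, legacy TLS off."""
    ssl = tree.get("vpn ssl settings", {})
    findings = []
    if ssl.get("dtls-tunnel") != "enable":
        findings.append("dtls-tunnel off: tunnel runs TCP inside TLS, so RTT caps throughput")
    for proto in ("sslv3", "tlsv1-0"):
        if ssl.get(proto) != "disable":
            findings.append(f"{proto} still enabled")
    if ssl.get("ssl-client-renegotiation") != "disable":
        findings.append("client-initiated TLS renegotiation allowed")
    return findings
```

Run it over `show vpn ssl settings` / `show system interface wan1` output pasted into a file; an empty findings list for the posted dump matches the thread's conclusion that the appliance side was already set for DTLS and the client had to catch up.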
That's great news... (ticket still pending bug fix here)...
Going to try the 5.6 beta client also... see what happens here...
I will let you know
FortiAnalyzer / 6.4.0
FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6
FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0
FortiWeb VM / 6.3.2
FortiManager VM / 6.4.0