kelv1n
New Contributor

Site-2-Site VPN, slow in 1 direction

Hi Guys

We have 2 locations, let's call them Site A and Site B, each with a 1Gb link, each with a pair of 200Ds in HA, and the sites are connected via an IPsec VPN.

Traffic flowing from Site A to Site B flows at about 500 Mbps, but traffic flowing the other way (B to A) only hits between 100-200 Mbps.

Any idea what could be causing this?

This is definitely config related, as I've tested this by resetting and building a new config for Site A, which got traffic flowing at 500 Mbps both ways, but I couldn't identify which settings might have been causing it. It was working fine until a few days ago, but we experienced a VPN issue (traffic started intermittently timing out) and we had to fix it quickly, so we just rebuilt the VPN and this bottleneck started reoccurring.

The VPN is set up with:

Phase 1 -
Preshared Key
IKE Version 1
Mode Main
Propose Algorithms - DES-SHA1
DH Groups 2,1

Phase 2 -
Propose Algorithms - DES-SHA1
Enable Replay Detection: Off
PFS: Off
Autokey Keep Alive: Off
Auto-negotiate: Off

I know these are not ideal from a security standpoint, but they are just for testing.

This is not policy related, as the VPN policies are at the top and currently have no UTM active on them.

I've seen other people report similar issues, but the recommendations to them were about the NPU settings, and I'm not sure how applicable these are to the 200 series as they have the LITE processor.

Any thoughts on what might be causing this? Or how to diagnose it?

11 replies
emnoc
Esteemed Contributor III

And we are assuming the same FortiOS?

For what bob mentioned earlier, NPU acceleration is between the 2 ports. You need to be cautious of pairing and what you have enabled on the policies and ports. This goes back to FP (fast-path) and non-FP. You probably have something enabled that's mixing the 2. But you should still conduct a benchmark test using UDP on a policy-id that has NOTHING enabled except an allow between the 2 hosts.

Do a "get hardware status" and look at the ASIC version; you probably have NP4 lite if I had to guess.

PCNSE NSE StrongSwan
kelv1n
New Contributor

Hi Guys

I think I've managed to resolve this; by sheer luck I stumbled across this:

https://forum.fortinet.com/tm.aspx?tree=true&m=121303&mpage=1

Somebody reported a problem with sFlow causing problems with their NPU offloading. We were playing with sFlow and NetFlow recently, so I unset these configs. I rebooted the master firewall, but it did not resolve it. Then I remembered the firewalls on that site are an Active-Active HA pair, so the sessions would sync. I did a simultaneous reboot of both master/standby to clear everything.

Both sites are now using the NPU, and we're getting 500 Mb/s in both directions. I'm quite shocked at the impact the NPU has, especially since it's labelled "NPULite".

Thanks for all your help.
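The diagnosis in this thread comes down to one question: are the sessions crossing the tunnel being offloaded to the NPU in both directions, or only in one? The script below is an added example, not code from the thread or from Fortinet. It parses the text of `diagnose sys session list` (run on the FortiGate at each site, ideally after narrowing with `diagnose sys session filter`) and classifies each session by offload direction. The session dump it reads is constructed and trimmed; the field layout mirrors FortiOS 5.x output, but the reading of `offload=a/b` as per-direction (org/reply) offload type with 0 meaning "stays on the CPU" is an assumption, as is the tunnel-name format. A tunnel whose sessions come out `org-only` or `reply-only` is the pattern to expect when one direction is slow.

```python
"""Classify FortiGate sessions by NPU offload direction (added example, not from the thread).

Parses `diagnose sys session list` text and reports whether each session is
offloaded in the original (org) and reply directions. Sample dump is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: three sessions on one tunnel. Session 1 is offloaded both ways,
# session 2 only in the org direction, session 3 not at all (no "npu" in state).
SAMPLE_SESSION_DUMP = """\
session info: proto=6 proto_state=01 duration=120 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 use=4
ha_id=0 policy_dir=0 tunnel=/SiteB_VPN vlan_cos=0/255
state=log may_dirty npu
hook=pre dir=org act=noop 10.1.0.25:51522->10.2.0.40:445(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0001a3f2 tos=ff/ff app_list=0 app=0 url_cat=0
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=6/6, ips_offload=0/0, epid=132/132, ipid=132/132, vlan=0x0000/0x0000

session info: proto=6 proto_state=01 duration=45 expire=3580 timeout=3600 flags=00000000 sockflag=00000000 use=4
ha_id=0 policy_dir=0 tunnel=/SiteB_VPN vlan_cos=0/255
state=log may_dirty npu
hook=pre dir=org act=noop 10.1.0.31:44010->10.2.0.12:8443(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0001a3f9 tos=ff/ff app_list=0 app=0 url_cat=0
npu_state=0x000c00
npu info: flag=0x81/0x00, offload=6/0, ips_offload=0/0, epid=132/132, ipid=132/132, vlan=0x0000/0x0000

session info: proto=6 proto_state=01 duration=10 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 use=4
ha_id=0 policy_dir=0 tunnel=/SiteB_VPN vlan_cos=0/255
state=log may_dirty
hook=pre dir=org act=noop 10.1.0.44:60022->10.2.0.40:22(0.0.0.0:0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
serial=0001a402 tos=ff/ff app_list=0 app=0 url_cat=0
npu_state=00000000
"""


@dataclass
class SessionOffload:
    serial: str
    policy_id: str
    tunnel: str          # raw tunnel=<in>/<out> value (format assumed)
    flow: str            # "src -> dst" of the original direction
    npu_state: int
    org_offloaded: bool
    reply_offloaded: bool

    def status(self) -> str:
        if self.org_offloaded and self.reply_offloaded:
            return "both"
        if self.org_offloaded:
            return "org-only"
        if self.reply_offloaded:
            return "reply-only"
        return "none"


_SERIAL = re.compile(r"\bserial=([0-9a-fA-F]+)")
_POLICY = re.compile(r"\bpolicy_id=(\d+)")
_TUNNEL = re.compile(r"\btunnel=(\S*)")
_ORG_HOOK = re.compile(r"hook=\w+ dir=org act=\w+ (\S+)->(\S+?)\(")
_NPU_STATE = re.compile(r"\bnpu_state=(?:0x)?([0-9a-fA-F]+)")
_OFFLOAD = re.compile(r"npu info:.*?\boffload=(\d+)/(\d+)")


def parse_session(text: str) -> SessionOffload:
    """Parse one entry (the text after a `session info:` header)."""
    serial, policy = _SERIAL.search(text), _POLICY.search(text)
    tunnel, hook = _TUNNEL.search(text), _ORG_HOOK.search(text)
    state, offload = _NPU_STATE.search(text), _OFFLOAD.search(text)
    npu_state = int(state.group(1), 16) if state else 0
    # Assumption: offload=a/b gives org/reply offload type; 0 = that direction on CPU.
    org, reply = (int(offload.group(1)), int(offload.group(2))) if offload else (0, 0)
    return SessionOffload(
        serial=serial.group(1) if serial else "?",
        policy_id=policy.group(1) if policy else "?",
        tunnel=tunnel.group(1) if tunnel else "",
        flow=f"{hook.group(1)} -> {hook.group(2)}" if hook else "?",
        npu_state=npu_state,
        org_offloaded=npu_state != 0 and org > 0,
        reply_offloaded=npu_state != 0 and reply > 0,
    )


def parse_session_dump(dump: str) -> List[SessionOffload]:
    """Split a full dump on `session info:` headers and parse every entry."""
    return [parse_session(c) for c in re.split(r"(?m)^session info:", dump) if c.strip()]


def summarize(sessions: List[SessionOffload]) -> Dict[str, int]:
    """Count sessions per offload status; anything but `both` deserves a look."""
    counts = {"both": 0, "org-only": 0, "reply-only": 0, "none": 0}
    for s in sessions:
        counts[s.status()] += 1
    return counts


def report(dump: str, tunnel_name: str = "") -> str:
    """Text table of sessions, optionally restricted to one tunnel name."""
    rows = [s for s in parse_session_dump(dump) if tunnel_name in s.tunnel]
    lines = [f"{'serial':<10} {'policy':<7} {'status':<10} flow"]
    lines += [f"{s.serial:<10} {s.policy_id:<7} {s.status():<10} {s.flow}" for s in rows]
    lines.append(f"summary: {summarize(rows)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SESSION_DUMP, "SiteB_VPN"))
```

Run it against the session dumps from both sites' masters while a transfer is in progress in the slow direction; if the sessions on one side show up as `none` or one-directional while the other side shows `both`, that side is the one where something (in this thread, the sFlow/NetFlow config on the interfaces) is keeping traffic off the NPU, and because HA syncs sessions, both members need the fresh start the poster describes.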

 
