Slow Throughput over IPSEC VPN
Hello,
We are using 2 X Fortigate 310B V4.0 MR1 in a site-to-site / point-to-point configuration.
We have an IPSec VPN between both devices but we are getting a very poor throughput speed between both devices over the VPN. The point-to-point connection speed is 1 Gb but we are only achieving a max speed of 300 mbs.
If we avoid going over the VPN and don't send traffic encrypted we get 900 mbs.
We have tricked around with encryption settings to no avail.
Does anyone have a similar issue?
Regards,
Niall
Welcome to the forums.
Have you looked into packet fragmentation?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
"Have you looked into packet fragmentation?"
Hi,
Many thanks for the response. No, we haven't really investigated packet fragmentation yet. Would you have any suggestions / best practices regarding this?
Thanks,
Niall
Actually, sorry for the confusion: we have allowed for jumbo frames with an MTU of 9216 on the switch ports which the Fortinet is connected to. Is there anything that needs to be done on the Fortinet to allow for this?
Thanks,
Niall
Hi,
the switch port settings won't have much effect. What is your MTU setting on this L3 network?
To see if your packets get fragmented sniffing on one of the sides will be necessary.
If you want to reach this high throughput you will also really need the NP2 IPSec acceleration - so have you followed the guidelines of the Fortigate Hardware manual? There are plenty of rules to follow to reach the performance numbers from the datasheet!!!
Can you post the results of:
diagnose vpn ipsec status
br,
Roman
Thanks for the Post Romanr
Yes, I believe we are using the NP2 acceleration - the ports in use are NP2-powered ports. I will check the manual again. Below is the output from that command:
#diagnose vpn ipsec status
All ipsec crypto devices in use:
NP2-0
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
NP2-1
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
NPU HARDWARE
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
CP6:
null: 0 0
des: 0 0
3des: 78496898028 26028908419
Hi,
as you can see from the stats - your 310B is running the IPSec from the CP6 and not on the NP2, which would be much faster!
You need the local-gw parameter set on your IPSec phase 1 settings!! I'd guess you miss that one!
Also consider upgrading to the latest 4MR2.
br,
Roman
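A small parser for the "diagnose vpn ipsec status" output quoted earlier in the thread, added here as an example (not part of the thread, not Fortinet code): it reports which crypto device carries the non-zero counters, so that a fallback from NP2 to CP6 like the one above can be spotted from the CLI output. The sample text below is constructed to mirror the layout of Niall's output; the exact meaning of the two counter columns is not needed for the check.

```python
import re

# Constructed sample, modelled on the output posted in this thread:
# one header line, then per-device sections with "<algorithm>: <n> <n>" counters.
SAMPLE_STATUS = """\
All ipsec crypto devices in use:
NP2-0
null: 0 0
3des: 0 0
aes: 0 0
sha1: 0 0
NP2-1
3des: 0 0
aes: 0 0
NPU HARDWARE
3des: 0 0
CP6:
null: 0 0
3des: 78496898028 26028908419
"""

COUNTER_RE = re.compile(r"^([a-z0-9]+):\s+(\d+)\s+(\d+)$")

def parse_ipsec_status(text):
    """Return {device: {algorithm: (counter1, counter2)}} from the CLI output."""
    devices, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("All ipsec"):
            continue
        m = COUNTER_RE.match(line)
        if m is None:                      # any other line names a crypto device
            current = line.rstrip(":")     # "CP6:" -> "CP6"
            devices.setdefault(current, {})
            continue
        alg, c1, c2 = m.group(1), int(m.group(2)), int(m.group(3))
        # "null" is listed twice per device (cipher and hash); summing keeps both.
        old = devices.setdefault(current, {}).get(alg, (0, 0))
        devices[current][alg] = (old[0] + c1, old[1] + c2)
    return devices

def active_devices(devices):
    # Devices whose counters are non-zero are the ones actually doing crypto work.
    return sorted(d for d, algs in devices.items() if any(sum(v) for v in algs.values()))

def is_np2_offloaded(text):
    # True only when an NP2 unit is busy and the CP6 is idle.
    active = active_devices(parse_ipsec_status(text))
    return any(d.startswith("NP2") for d in active) and "CP6" not in active
```

Run against the sample it reports CP6 as the only active device, which is exactly the situation Roman points out.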
Thanks for the quick response.
OK, it looks like you are right. I inherited this device so I didn't do the original config.
It looks like I will have to recreate the Phase 1 as the existing Phase 1 does not allow me to specify a local gw in order to configure the NP2.
I will make this change over the weekend and will report my findings.
Thanks,
Niall
I think you can add the local-gw from CLI:
config vpn ipsec phase1-interface
edit <tunnel>
set local-gw x.x.x.x
end
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Hi,
as Selective mentioned - this change can be done on the CLI without the need to delete!
Also have a look at the following settings (only via CLI):
config system npu
show full
Should look like this:
config system npu
set dec-offload-antireplay enable
set enc-offload-antireplay enable
set offload-ipsec-host enable
end
br,
Roman