We recently upgraded from a FortiGate 80E to a 200F, running version 7.4.1.
The config has been rewritten manually to match the different interfaces.
Everything went well, but recently we are seeing a serious slowdown in VPN traffic:
The internet connection is 1000/300Mbit/s.
With a speed test from an internal server, we are reaching this speed without problems.
When connected via VPN, no matter whether SSLVPN, client IPsec or site-to-site IPsec, we only get speeds of 5-10 Mbit/s in both directions, measured via iPerf3.
iPerf3 to an internal server directly executed on the FortiGate shows about 4GBit/s.
All traffic shapers have been deactivated for testing purposes.
All additional functions like Antivirus, IPS... are disabled on the SSLVPN policy (ssl.root->lan).
I don't have any clue why all VPN connections are that slow... anyone has an idea?
Hi @ITworks
I think you should test more cases:
1. Don't use iperf3; open 10 YouTube links set to high definition.
2. Compare iperf3 using UDP and TCP.
3. While iperf3 is running, check the output of diagnose sys session list.
HTH
Bill
Hi @BillH_FTNT
I just tested iperf3 from an internal server to another externally hosted server, directly reachable from the internet without VPN.
In this case I get the following:
Upload: around 40 Mbit/s
Download: around 500 Mbit/s
That is a lot compared to what I get via VPN (5/10 Mbit/s maximum)... because of this difference I am pretty sure that the problem is not the measurement method.
When testing iperf with -u (UDP), I get only 1 Mbit/s in both directions. I don't know what that means in this case...
With site-to-site IPsec VPN, transferring large files also does not reach more than 5 Mbit/s.
While running iperf3 to the *Internet* host (the faster case), I see entries like this in diagnose sys session list (external IP masked):
session info: proto=6 proto_state=11 duration=1 expire=3598 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty npu app_valid
statistic(bytes/packets/allow_err): org=132/3/1 reply=133/3/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=42->21/21->42 gwy=192.168.178.1/192.168.30.86
hook=post dir=org act=snat 192.168.30.86:50058->85.236.38.***:5201(192.168.178.100:50058)
hook=pre dir=reply act=dnat 85.236.38.***:5201->192.168.178.100:50058(192.168.30.86:50058)
hook=post dir=reply act=noop 85.236.38.***:5201->192.168.30.86:50058(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:62:0b:e0:c2:01
misc=0 policy_id=27 pol_uuid_idx=686 auth_info=0 chk_client_info=0 vd=0
serial=0037be04 tos=ff/ff app_list=2000 app=26043 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x003c08 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=78/94, ipid=94/78, vlan=0x0000/0x0000
vlifid=94/78, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=1/7
While I am connected via SSLVPN and doing iperf3, I am unable to find the iperf traffic in the session list...
Hi @ITworks
This is offloaded traffic : npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=78/94, ipid=94/78, vlan=0x0000/0x0000
If you have a TAC ticket, please share it. I can test in the lab based on your firewall configuration.
Or, if you can, share the log. You can share it internally with me.
Thanks
Bill
Created on 12-15-2023 02:02 PM Edited on 12-15-2023 02:03 PM
Hi @ITworks
- I tested this case in the lab: 200F with version 7.4.1. The speed is over 300M with iperf3.
- If you can, test client-to-site VPN (SSLVPN), for example using FortiClient.
When you start iperf3.exe -c s.s.s.s on the client side, repeatedly type "diagnose sys session list" on the FortiGate. You will catch the output of that command; it will give some information about the session.
- Another thing: the easy way to recognize that session in the session output is that it contains "user" information.
session info: proto=6 proto_state=06 duration=10 expire=4 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=admin state=log may_dirty authed f00 acct-ext
statistic(bytes/packets/allow_err): org=401310715/288426/0 reply=1691548/41618/1 tuples=2
tx speed(Bps/kbps): 22415439/179323 rx speed(Bps/kbps): 96492/771
HTH
Bill
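Both session-list excerpts in this thread are read by eye for the same few fields: whether a "user=" line is present (the authenticated VPN session), whether "npu info" shows offload counters, whether any shaper is attached, and the tx/rx kbps. The following parser, an added example and not code from the thread or from Fortinet, pulls those fields out of saved "diagnose sys session list" output and summarises the iperf3 sessions by server port. The SAMPLE input is constructed to mirror the two excerpts above; the public address 203.0.113.5, the SSL VPN client address 10.212.134.200 and the internal iperf3 server 192.168.30.10 are made up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the two "diagnose sys session list" excerpts in this thread.
# First block: direct Internet iperf3 (NPU-offloaded, no user). Second: SSL VPN iperf3 (user=admin).
SAMPLE = """\
session info: proto=6 proto_state=11 duration=1 expire=3598 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty npu app_valid
statistic(bytes/packets/allow_err): org=132/3/1 reply=133/3/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
hook=post dir=org act=snat 192.168.30.86:50058->203.0.113.5:5201(192.168.178.100:50058)
hook=pre dir=reply act=dnat 203.0.113.5:5201->192.168.178.100:50058(192.168.30.86:50058)
npu_state=0x003c08 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=78/94, ipid=94/78, vlan=0x0000/0x0000
session info: proto=6 proto_state=06 duration=10 expire=4 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=admin state=log may_dirty authed f00 acct-ext
statistic(bytes/packets/allow_err): org=401310715/288426/0 reply=1691548/41618/1 tuples=2
tx speed(Bps/kbps): 22415439/179323 rx speed(Bps/kbps): 96492/771
hook=post dir=org act=noop 10.212.134.200:52011->192.168.30.10:5201(0.0.0.0:0)
"""


@dataclass
class Session:
    proto: int
    user: Optional[str] = None          # set only for authenticated sessions (e.g. SSL VPN)
    offloaded: bool = False             # True when "npu info" reports non-zero offload counters
    shapers: List[str] = field(default_factory=list)   # any non-empty shaper lines
    tx_kbps: int = 0
    rx_kbps: int = 0
    org_bytes: int = 0
    reply_bytes: int = 0
    flows: List[Tuple[str, str]] = field(default_factory=list)  # (src:port, dst:port) per hook line


SPEED_RE = re.compile(r"tx speed\(Bps/kbps\): \d+/(\d+) rx speed\(Bps/kbps\): \d+/(\d+)")
STAT_RE = re.compile(r"org=(\d+)/\d+/\d+ reply=(\d+)/\d+/\d+")
HOOK_RE = re.compile(r"act=\S+ ([^\s(]+?)->([^\s(]+?)\(")
SHAPER_RE = re.compile(r"^(origin-shaper|reply-shaper|per_ip_shaper)=(\S+)$")
# \b keeps "ips_offload=0/0" from being mistaken for the "offload=8/8" counter.
OFFLOAD_RE = re.compile(r"npu info:.*?\boffload=(\d+)/(\d+)")


def parse_sessions(text: str) -> List[Session]:
    """Split session-list output into Session records, one per 'session info:' block."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            cur = Session(proto=int(re.search(r"proto=(\d+)", line).group(1)))
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("user="):
            cur.user = line.split()[0].split("=", 1)[1]
        elif (m := SHAPER_RE.match(line)):
            cur.shapers.append(f"{m.group(1)}={m.group(2)}")
        elif (m := SPEED_RE.match(line)):
            cur.tx_kbps, cur.rx_kbps = int(m.group(1)), int(m.group(2))
        elif (m := STAT_RE.search(line)):
            cur.org_bytes, cur.reply_bytes = int(m.group(1)), int(m.group(2))
        elif (m := HOOK_RE.search(line)):
            cur.flows.append((m.group(1), m.group(2)))
        elif (m := OFFLOAD_RE.match(line)):
            cur.offloaded = int(m.group(1)) > 0 or int(m.group(2)) > 0
    return sessions


def vpn_throughput_report(sessions: List[Session], server_port: int = 5201) -> List[dict]:
    """Summarise the sessions whose destination is the iperf3 server port: VPN user,
    offload state, attached shapers and the observed rate in Mbit/s."""
    proto_names = {6: "tcp", 17: "udp"}
    report = []
    for s in sessions:
        if not any(dst.endswith(f":{server_port}") for _, dst in s.flows):
            continue
        report.append({
            "proto": proto_names.get(s.proto, str(s.proto)),
            "user": s.user,
            "offloaded": s.offloaded,
            "shapers": s.shapers,
            "tx_mbps": round(s.tx_kbps / 1000, 3),
            "rx_mbps": round(s.rx_kbps / 1000, 3),
            "org_mbytes": round(s.org_bytes / 1e6, 1),
        })
    return report


if __name__ == "__main__":
    for entry in vpn_throughput_report(parse_sessions(SAMPLE)):
        print(entry)
```

Run it against a captured session list to confirm the iperf3 session is the one carrying the user field, and compare the tx/rx kbps there with the iperf3 client's own figure; if a shaper name shows up for that session, the shaper has not actually been removed from the policy the session matched.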
You can try this; I hope it helps.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-slow-file-transfer-issue/ta-...
Hi @BillH_FTNT ,
Also after the firmware was upgraded to 7.4.3, all VPN connections are still WAY slower than they should be. I feel like we have tried everything possible.
Can you please help us... I also sent you a private message including the full config.
Thank you very much, your help is much appreciated!
Best wishes, Florian
Hi @ITworks,
Are you getting the same speed on IPsec tunnel? Can you make sure there's no traffic shaper enabled? What is the FortiClient version? For IPsec tunnels, try disabling npu offload and test again. https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/636026/disabling-np-offload...
For SSLVPN, please follow https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-slow-file-transfer-issue/ta-...
Regards,
Hi @hbac,
thank you for your answer.
A Forticlient IPSEC tunnel hardly makes any difference.
I triple-checked that there is no traffic shaper - all of them have been disabled already.
We also tried different FortiClient versions, mainly 7.2.3, 7.2.2 and 7.0.3, and also tried Windows and macOS clients. No difference between the clients.
NPU offload was already disabled.
DTLS was already enabled, and all UTM profiles have been disabled for client VPN connections...
Nothing seems to help :(
I mean... I am not missing 10% or so of the expected speed... I am missing like 9000% :(
I am more and more suspecting the initial rewrite of the config as the main problem... see first post. Could this cause such an issue?
Best wishes
Florian
What internet provider do you have?