Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ITworks
New Contributor

Slow VPN connections

We recently upgraded from a FortiGate 80E to a 200F, running version 7.4.1.

The config has been rewritten manually to match the different interfaces.

Everything went well, but recently we are seeing a serious slowdown in VPN traffic:

 

The internet connection is 1000/300Mbit/s.
With a speed test from an internal server, we are reaching this speed without problems.

 

When connected via VPN, no matter whether SSL VPN, client IPsec or site-to-site IPsec, we only get speeds of 5-10 Mbit/s in both directions, measured via iperf3.

 

iperf3 run directly on the FortiGate to an internal server shows about 4 Gbit/s.

All traffic shapers have been deactivated for testing purposes.

All additional functions like antivirus, IPS, etc. are disabled on the SSL VPN policy (ssl.root -> lan).

 

I have no clue why all VPN connections are that slow... does anyone have an idea?

 

BillH_FTNT
Staff

Hi @ITworks 

 

I think you should test more cases:

1. Don't use iperf3; open 10 YouTube links set to high definition.

2. Compare iperf3 using UDP and TCP.

3. While iperf3 is running, check diagnose sys session list.

HTH

Bill

ITworks
New Contributor

Hi @BillH_FTNT 

I just tested iperf3 from an internal server to another externally hosted server, directly reachable from the internet without VPN.

In this case I get the following:

Upload: around 40 Mbit/s

Download: around 500 Mbit/s

That is a lot compared to what I get via VPN (5/10 Mbit/s maximum)... because of this difference I am pretty sure that the problem is not the measurement method.

 

When testing iperf with -u (UDP), I get only 1 Mbit/s in both directions. I don't know what that means in this case...

 

With site-to-site IPsec VPN, transfers of large files also do not reach more than 5 Mbit/s.

 

While running iperf3 to the *Internet* host (the faster case), I see entries like this in diagnose sys session list (external IP masked):

session info: proto=6 proto_state=11 duration=1 expire=3598 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty npu app_valid
statistic(bytes/packets/allow_err): org=132/3/1 reply=133/3/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=42->21/21->42 gwy=192.168.178.1/192.168.30.86
hook=post dir=org act=snat 192.168.30.86:50058->85.236.38.***:5201(192.168.178.100:50058)
hook=pre dir=reply act=dnat 85.236.38.***:5201->192.168.178.100:50058(192.168.30.86:50058)
hook=post dir=reply act=noop 85.236.38.***:5201->192.168.30.86:50058(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:62:0b:e0:c2:01
misc=0 policy_id=27 pol_uuid_idx=686 auth_info=0 chk_client_info=0 vd=0
serial=0037be04 tos=ff/ff app_list=2000 app=26043 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x003c08 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=78/94, ipid=94/78, vlan=0x0000/0x0000
vlifid=94/78, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=1/7

 

While I am connected via SSL VPN and running iperf3, I am unable to find the iperf traffic in the session list...

BillH_FTNT

Hi @ITworks 

This is offloaded traffic: npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=78/94, ipid=94/78, vlan=0x0000/0x0000
If you have a TAC ticket, please share it; I can test in the lab based on your firewall configuration.
Or, if you can share the log, you can share it internally with me.
Thanks
Bill

 

BillH_FTNT

Hi @ITworks 

 

 - I tested this case in the lab: a 200F on version 7.4.1. The speed is over 300M with iperf3.

 - Please test client-to-site VPN (SSL VPN), for example using FortiClient.

When you start iperf3.exe -c s.s.s.s on the client side, repeatedly run "diagnose sys session list" on the FortiGate. You will catch the output of that command, which gives some information about the session.

- Another thing: the easy way to recognize that session in the session output is that it contains "user" information.

 

session info: proto=6 proto_state=06 duration=10 expire=4 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3

origin-shaper=

reply-shaper=

per_ip_shaper=

class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255

user=admin state=log may_dirty authed f00 acct-ext

statistic(bytes/packets/allow_err): org=401310715/288426/0 reply=1691548/41618/1 tuples=2

tx speed(Bps/kbps): 22415439/179323 rx speed(Bps/kbps): 96492/771

 HTH

Bill
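The two replies above ask the poster to run iperf3 and repeatedly dump diagnose sys session list, then pick out the iperf session by port or by its user= line and check whether it is NPU-offloaded, which policy matched, whether a shaper is attached and what the kernel's own tx/rx counters say. The script below is an added example for this thread, not Fortinet code and not something any poster provided: it parses a pasted session-list dump and prints that summary for every session touching a given port. The embedded SAMPLE is constructed from the two session dumps shown in the thread, with 198.51.100.10 (RFC 5737 documentation range) standing in for the masked external iperf3 server and 10.212.134.200 as an assumed SSL VPN client address; the field layout is the one visible in the thread (FortiOS 7.4) and IPv4 addresses are assumed in the hook lines.

```python
"""Triage helper for FortiOS `diagnose sys session list` output.

Added example (not Fortinet's code): paste the CLI output into a file and run
`python session_triage.py dump.txt 5201` to list the sessions that touch
port 5201 (iperf3) with the fields that matter when throughput is far below
line rate: matched policy, attached shapers, NPU offload state, authenticated
user (set on SSL VPN sessions) and the kernel's own tx/rx speed counters.
Assumes IPv4 hook lines and the field layout shown in the thread.
"""
import re
import sys

# Constructed sample modelled on the thread's two dumps. 198.51.100.10 stands
# in for the masked external iperf3 server; 10.212.134.200 is an assumed
# SSL VPN client address (both are assumptions, not data from the thread).
SAMPLE = """session info: proto=6 proto_state=11 duration=1 expire=3598 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty npu app_valid
statistic(bytes/packets/allow_err): org=132/3/1 reply=133/3/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=42->21/21->42 gwy=192.168.178.1/192.168.30.86
hook=post dir=org act=snat 192.168.30.86:50058->198.51.100.10:5201(192.168.178.100:50058)
hook=pre dir=reply act=dnat 198.51.100.10:5201->192.168.178.100:50058(192.168.30.86:50058)
hook=post dir=reply act=noop 198.51.100.10:5201->192.168.30.86:50058(0.0.0.0:0)
misc=0 policy_id=27 pol_uuid_idx=686 auth_info=0 chk_client_info=0 vd=0
serial=0037be04 tos=ff/ff app_list=2000 app=26043 url_cat=0
npu_state=0x003c08 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=78/94, ipid=94/78, vlan=0x0000/0x0000
session info: proto=6 proto_state=06 duration=10 expire=4 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=admin state=log may_dirty authed f00 acct-ext
statistic(bytes/packets/allow_err): org=401310715/288426/0 reply=1691548/41618/1 tuples=2
tx speed(Bps/kbps): 22415439/179323 rx speed(Bps/kbps): 96492/771
hook=pre dir=org act=noop 10.212.134.200:49710->192.168.30.86:5201(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.30.86:5201->10.212.134.200:49710(0.0.0.0:0)
misc=0 policy_id=12 pol_uuid_idx=700 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) ([^\s:()]+):(\d+)->([^\s:()]+):(\d+)")
SPEED_RE = re.compile(r"tx speed\(Bps/kbps\): (\d+)/(\d+) rx speed\(Bps/kbps\): (\d+)/(\d+)")
OFFLOAD_RE = re.compile(r"offload=(\d+)/(\d+)")
NO_OFLD_RE = re.compile(r"no_ofld_reason[:=]\s*(.*)")
STATE_RE = re.compile(r"\bstate=(.+)$")          # not npu_state= / proto_state=
KV_RE = re.compile(r"(\w[\w-]*)=(\S*)")


def split_sessions(text):
    """Return one list of lines per session; the 'total session' footer is dropped."""
    blocks, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            if current:
                blocks.append(current)
            current = [line]
        elif current and line and not line.startswith("total session"):
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def parse_session(lines):
    """Pull the throughput-relevant fields out of one session block."""
    s = {"proto": None, "duration": 0, "policy_id": None, "user": None, "tunnel": None,
         "shapers": [], "state": [], "ports": set(), "hosts": set(), "bytes_org": 0,
         "bytes_reply": 0, "tx_kbps": 0, "rx_kbps": 0, "offloaded": False,
         "no_ofld_reason": None}
    for line in lines:
        for key, val in KV_RE.findall(line):
            if key in ("origin-shaper", "reply-shaper", "per_ip_shaper") and val:
                s["shapers"].append(f"{key}={val}")   # empty value = no shaper
            elif key == "proto":
                s["proto"] = int(val)
            elif key == "duration":
                s["duration"] = int(val)
            elif key == "policy_id":
                s["policy_id"] = int(val)
            elif key == "user":
                s["user"] = val
            elif key == "tunnel" and val != "/":
                s["tunnel"] = val
            elif key == "org" and line.startswith("statistic"):
                s["bytes_org"] = int(val.split("/")[0])
            elif key == "reply" and line.startswith("statistic"):
                s["bytes_reply"] = int(val.split("/")[0])
        if m := STATE_RE.search(line):
            s["state"] = m.group(1).split()
        if m := HOOK_RE.search(line):
            s["hosts"].update([m.group(4), m.group(6)])
            s["ports"].update([int(m.group(5)), int(m.group(7))])
        if m := SPEED_RE.search(line):
            s["tx_kbps"], s["rx_kbps"] = int(m.group(2)), int(m.group(4))
        if line.startswith("npu info") and (m := OFFLOAD_RE.search(line)):
            s["offloaded"] = int(m.group(1)) > 0 or int(m.group(2)) > 0
        if m := NO_OFLD_RE.search(line):
            s["no_ofld_reason"] = m.group(1).strip()
    return s


def find_sessions(text, port):
    """Sessions in the dump that carry `port` as source or destination port."""
    return [s for s in map(parse_session, split_sessions(text)) if port in s["ports"]]


def describe(s):
    """One-line verdict per session with the facts the thread asks the poster to check."""
    notes = []
    if s["user"]:
        notes.append(f"user={s['user']} (authenticated, as SSL VPN sessions are)")
    if s["tunnel"]:
        notes.append(f"IPsec tunnel {s['tunnel']}")
    notes.append("shaper attached: " + ", ".join(s["shapers"]) if s["shapers"] else "no shaper attached")
    if s["offloaded"]:
        notes.append("NPU offloaded")
    elif s["no_ofld_reason"]:
        notes.append(f"not offloaded: {s['no_ofld_reason']}")
    else:
        notes.append("not offloaded (no npu info line)")
    notes.append(f"tx {s['tx_kbps']} kbps / rx {s['rx_kbps']} kbps after {s['duration']}s")
    proto = {6: "tcp", 17: "udp"}.get(s["proto"], str(s["proto"]))
    return f"policy {s['policy_id']} {proto} {sorted(s['hosts'])}: " + "; ".join(notes)


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE
    port = int(argv[2]) if len(argv) > 2 else 5201
    hits = find_sessions(text, port)
    if not hits:
        print(f"no session carrying port {port}; for SSL VPN also grep the dump for user=")
    for s in hits:
        print(describe(s))


if __name__ == "__main__":
    main(sys.argv)
```

Run it a few times while iperf3 is active, as Bill suggests: a session whose tx/rx counters stay near zero and whose origin-shaper/reply-shaper lines are empty rules out shaping on that flow, and the presence or absence of the npu info line (or a no_ofld_reason line, which FortiOS prints when a flow cannot be offloaded) tells you whether the path is NPU or CPU.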


ITworks
New Contributor

Hi @BillH_FTNT ,

also after the firmware was upgraded to 7.4.3, all VPN connections are still WAY slower than they should be. I feel like we have tried everything possible.
Can you please help us... I also sent you a private message including the full config.

Thank you very much, your help is much appreciated!

Best wishes, Florian

hbac
Staff

Hi @ITworks,

 

Are you getting the same speed on an IPsec tunnel? Can you make sure there is no traffic shaper enabled? What is the FortiClient version? For IPsec tunnels, try disabling NPU offload and test again. https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/636026/disabling-np-offload...

 

For SSLVPN, please follow https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-slow-file-transfer-issue/ta-...

 

Regards, 

ITworks
New Contributor

Hi @hbac,

thank you for your answer.

 

A FortiClient IPsec tunnel hardly makes any difference.

I triple-checked that there is no traffic shaper - all of them have been disabled already.

We also tried different FortiClient versions, mainly 7.2.3, 7.2.2 and 7.0.3, and also tried Windows and macOS clients. No difference between the clients.

NPU offload was already disabled.

DTLS was already enabled, and all UTM profiles have been disabled for client VPN connections...
Nothing seems to help :(

 

I mean... I am not missing 10% or so of the expected speed... I am missing like 9000% :(

 

I am more and more suspecting the initial rewrite of the config as the main problem... see first post. Could this cause such an issue?


Best wishes

Florian

netmin_02
New Contributor

What internet provider do you have?
