Hello! Please, help me.
We use FortiGate 200E in our company.
I have difficulty using the VPN. The speed when connecting to VPN is only 1-2 mbps. How can I fix this? The channel at both ends is 50 mbps.
Hi,
Are you using SSL or IPSEC? Is it site to site or Remote access?
Speed is always depending on your internet bandwidth. If the Internet Link is over utilized then there is not much room for VPN traffic. You better focus on bandwidth management.
Regds,
Ashik
All - this isn't an issue of CIFS or NFS being slow over VPN because of the inherent nature of those protocols. This is a bug in the Fortinet software, and I'm surprised it's not a bigger deal to more people. It happens on IPSEC tunnels as well.
I've spent a week working on this on devices using various 5.6 versions.
I've adjusted every MTU and TCP MSS setting.
I've adjusted NAT traversal to forced.
The 355kb/sec transfer is the clue - how is it possible multiple people are getting the exact same performance from different servers and different circuits and different hardware? Because it's an inherent firmware bug.
Someone from Fortinet needs to send out a bulletin to explain this in detail and note the correct firmware version that fixes it for everyone. Honestly can't believe this has gone on for so long. I have a ticket open but they haven't yet replied. Frankly not a good reflection on Fortinet.
Duncan did you find a solution for this? I have the same problem and also mysteriously benchmarked 20Mbps once. Currently on V6.0.4 and have tried everything I can think of. Also had our ISP working with me to try and resolve the problem but we have been unsuccessful.
FFEJ wrote:
> Duncan did you find a solution for this? I have the same problem and also mysteriously benchmarked 20Mbps once. Currently on V6.0.4 and have tried everything I can think of. Also had our ISP working with me to try and resolve the problem but we have been unsuccessful.

Nah, sorry mate. Fortinet closed the ticket once it was escalated to dev who didn't believe there was a problem!
We are upgrading to 100Mbps fibre in the next few months so I will be pursuing it then. We are running v6.0.4 too.
Hi all,
I was testing SSL VPN using forticlient with 5.4.9 and it was going great.. fast speeds, responsive, etc. I upgraded to 5.6.11 and it was noticeably slower. I wasn't doing any file transfers, just connecting to VPN then using RDP to my desktop at work. I tried upgrading to 6.0.6 and it's no better.
Are you guys still having this issue? Anything done about it?
Thanks
I have a Site-2-Site IPsec tunnel set up using 60E. The offices are between China, GZ area, and Singapore.
China side access Singapore file server has a download speed of 355KB/s, kind of limited by something. I tried using traffic shaper, no help. Then, we do a reverse, access China file server from Singapore, to my surprise, the download speed is 1.15MB/s! Further, I use LTE mobile connection in Singapore with forticlient and access the Singapore file server, I also get a download speed of 355KB/s.
Conclusion is that Singapore side VPN has a limited upload limit. But why?
I found the 60E has a different FW version installed at each site, v5.4.4 build7619 in China, and v5.4.1 build5577 in Singapore.
Will v5.4.4 and v5.4.1 make a difference?
I ran into this issue too, had a customer with a lot of remote sites all connecting back to main office with 100D.
I could see the VPN was a huge bottleneck as I could RDP from remote site to main office server and if I copied a 75MB file and pasted on the remote site desktop, it said it'd take 50mins to copy! If I RDP'd via their RDGateway, bypassing VPN, the 75MB file would copy in 5min.
After creating a ticket with FGT support, they could see that the 100D didn't support ASIC Offload, but the remote site FGT (60E) did. So, at the remote site we disabled ASIC Offload on the policy and disabled npu-offload on the VPN.
This made the connection about 5 times faster. The 75MB file would copy in about 10min rather than 50.
Commands to do this on the remote site FGT:
```
config firewall policy
    edit <ID of ingress policy>
        set auto-asic-offload disable
    next
    edit <ID of egress policy>
        set auto-asic-offload disable
    next
end
config vpn ipsec phase1-interface
    edit <tunnel name>
        set npu-offload disable
    next
end
```
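Added example, not part of the original post and not Fortinet tooling: once this workaround has been applied on several remote-site units, it helps to be able to list where offload was switched off so it can be reverted after a firmware fix. The sketch below scans a configuration backup for the two settings from the commands above; the sample config, its IDs and names, and the function name are constructed for illustration, and it assumes the backup records the setting as a `set ... disable` line inside `config`/`edit`/`next`/`end` blocks.

```python
import shlex

# Constructed sample in FortiOS backup style; IDs and names are made up.
SAMPLE_CONFIG = """\
config firewall policy
    edit 12
        set auto-asic-offload disable
    next
    edit 13
        set name "hq-to-site"
    next
end
config vpn ipsec phase1-interface
    edit "to-hq"
        set npu-offload disable
    next
end
"""

# Section -> offload setting that the workaround turns off.
WATCHED = {"firewall policy": "auto-asic-offload",
           "vpn ipsec phase1-interface": "npu-offload"}

def find_disabled_offload(config_text):
    """Return (section, entry, setting) for each explicit 'disable'."""
    findings, stack, entry = [], [], None  # stack: open 'config' sections
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quote: multi-line value, not tracked
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "config":
            stack.append(" ".join(tokens[1:]))
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "edit" and len(stack) == 1 and len(tokens) > 1:
            entry = tokens[1]
        elif cmd == "next" and len(stack) == 1:
            entry = None
        elif cmd == "set" and len(stack) == 1 and entry and len(tokens) >= 3:
            if WATCHED.get(stack[0]) == tokens[1] and tokens[2] == "disable":
                findings.append((stack[0], entry, tokens[1]))
    return findings

if __name__ == "__main__":
    for finding in find_disabled_offload(SAMPLE_CONFIG):
        print(finding)
```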
Try enabling/disabling DTLS and sniff traffic from FortiClient to FortiGate
Why? What am I looking for? I think Fortinet support did this yesterday while troubleshooting. They've escalated to development as they believe it is a bug. The firewall is peaking at about 300Mbps (bypassing our ISP) where it should be getting around 900Mbps.
I have the EXACT same issue! The traffic in your pic is exactly like mine. Up and down with 355kb/sec. We have an Active-Passive 300E cluster on a 100/100mbit fiber pipe.
If I have DTLS enabled FortiClient hangs at 98%, then asks to log in again. Speed is also bad for IPSec.
I also have a ticket open with TAC and we are having a great conversation about enabling/disabling DTLS on the Fortigate... but no further progress.
Sorry meant to add, Duncan can you PM me your ticket number so I can add it to my ticket for ref?
300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.
Over 100 WiFi AP's and growing.
FAZ-200D
FAC-VM 2 node cluster
Friends don't let friends FWF!
PM'ed you the ticket number. The ticket has been escalated to development as we've proven a bug in FortiGate.
FYI, the support tech and I tried IPsec, lowering TLS version and cipher and hardware acceleration to no avail.
Last week FortiOS 6.0.3 was released so I am planning to install that tonight. I'll let you know the results.
Great thanks for the update.