All - this isn't an issue of CIFS or NFS being slow over VPN because of the inherent nature of those protocols. This is a bug in the Fortinet software, and I'm surprised it's not a bigger deal to more people. It happens on IPSEC tunnels as well.
I've spent a week working on this on devices using various 5.6 versions.
I've adjusted every MTU and TCP MSS setting.
I've adjusted NAT traversal to forced.
The 355kb/sec transfer is the clue - how is it possible multiple people are getting the exact same performance from different servers and different circuits and different hardware? Because it's an inherant firmware bug.
Someone from Fortinet needs to send out a bulletin to explain this in detail and note the correct firmware version that fixes it for everyone. Honestly can't believe this has gone on for so long. I have a ticket open but they haven't yet replied. Frankly not a good reflection on Fortinet.
VPNs are great for protecting your privacy and seeping your data secure, but almost all VPNs come with one major downside: they slow down your internet connection. Many VPNs slow you down as much as 50%. This can make trying to stream a movie or have a video chat almost impossible
If you search the help pages on any VPN service they will tell you to check the same things when trying to fix a slow VPN experience:
Check your internet router
See if your ISP is throttling your connection
Use the server closest to you geographically[/ul]
Reading the same advice over and over again can make you feel like you are the problem. But, the truth is most of the time your router is fine, your ISP is delivering the speed it promised, and you are using the closest server.
We just hit this same issue attempting an upgrade of a 201E from 5.6.x to 6.0.3. Even though the spoke sites had been upgraded already, when we upgraded the hub site to match, it killed VPN performance across the board. Throughput dropped by a factor of 10. As a last gasp, we upgraded to 6.0.4 and the issue was resolved. Performance was back to normal. We were even able to upgrade to CHACHA20POLY1305-PRFSHA512 encryption across the board with no decrease in performance.
The release notes mention a bugfix, specifically 515375, regarding the VPN going down randomly. But whatever was causing these drops must have also been a cause of the poor performance.
So we have the same issues on a couple of devices. FortiGate 60E, 100E, 200E, Running OS 6.0.4, 5.6.x and so on. Tried with DTLS, no change. Also no Bandwidth issues on both sites. Upload through SSL VPN stuck at 355 KB/s.
We're in the process of migrating some SRX/SSG hub sites that terminate to a SSG140 over to a Fortinet 100e.
We migrated a site with newer SRX300 and SMB file copy IPsec tunnel performance is as expected in both directions.
Migrated a site with an old SSG5 and SMB file copy IPsec tunnel performance is as expected in both directions.
Migrated a site with a SRX220h and SMB file copy IPsec download to site is as expected. Upload from site appears to max out at the exact 355kbps speed.
Current 100e firmware is: v6.2.3 build1066 (GA)
*Update: So i logged into an RDP session @ the remote site and did a download test from Hub site and got the expected performance. Did an Upload to a server @ Hub site and it was close to 10x faster. Closer to what it should be, but not quite.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.