armeez88
New Contributor

Slow VPN speed

Hello! Please, help me. 

We use FortiGate 200E in our company.

I have difficulty using the VPN. The speed when connected to the VPN is only 1-2 Mbps. How can I fix this? The channel at both ends is 50 Mbps.

2 Solutions
Ashik_Sheik
Contributor II

Hi,

 

Are you using SSL or IPsec? Is it site-to-site or remote access?

Speed always depends on your internet bandwidth. If the Internet link is over-utilized, then there is not much room for VPN traffic. You had better focus on bandwidth management.

 

Regds,

 

Ashik

Sheik Mahammad Ashik

atsak
New Contributor III

All - this isn't an issue of CIFS or NFS being slow over VPN because of the inherent nature of those protocols.  This is a bug in the Fortinet software, and I'm surprised it's not a bigger deal to more people.  It happens on  IPSEC tunnels as well.

I've spent a week working on this on devices using various 5.6 versions.

I've adjusted every MTU and TCP MSS setting.

I've adjusted NAT traversal to forced.

 

The 355kb/sec transfer is the clue - how is it possible multiple people are getting the exact same performance from different servers and different circuits and different hardware? Because it's an inherent firmware bug.

Someone from Fortinet needs to send out a bulletin to explain this in detail and note the correct firmware version that fixes it for everyone.     Honestly can't believe this has gone on for so long.  I have a ticket open but they haven't yet replied.   Frankly not a good reflection on Fortinet.


34 Replies
FFEJ
New Contributor

Duncan, did you find a solution for this? I have the same problem and also mysteriously benchmarked 20Mbps once. Currently on V6.0.4 and have tried everything I can think of. Also had our ISP working with me to try and resolve the problem but we have been unsuccessful.

Duncan
New Contributor III

FFEJ wrote:

Duncan, did you find a solution for this? I have the same problem and also mysteriously benchmarked 20Mbps once. Currently on V6.0.4 and have tried everything I can think of. Also had our ISP working with me to try and resolve the problem but we have been unsuccessful.

Nah, sorry mate. Fortinet closed the ticket once it was escalated to dev who didn't believe there was a problem!

We are upgrading to 100Mbps fibre in the next few months so I will be pursuing it then. We are running v6.0.4 too.

joebrug
New Contributor

Hi all,

I was testing SSL VPN using FortiClient with 5.4.9 and it was going great: fast speeds, responsive, etc. I upgraded to 5.6.11 and it was noticeably slower. I wasn't doing any file transfers, just connecting to VPN then using RDP to my desktop at work. I tried upgrading to 6.0.6 and it's no better.

Are you guys still having this issue? Anything done about it?

Thanks

wcliew
New Contributor

I have a Site-2-Site IPsec tunnel set up using 60E. The offices are in China (GZ area) and Singapore.

 

The China side accessing the Singapore file server has a download speed of 355KB/s, kind of limited by something. I tried using a traffic shaper, no help. Then we did the reverse, accessing the China file server from Singapore, and to my surprise the download speed is 1.15MB/s! Further, I used an LTE mobile connection in Singapore with FortiClient to access the Singapore file server, and I also get a download speed of 355KB/s.

Conclusion is that the Singapore side VPN has a limited upload limit. But why?

I found the 60Es have different FW versions installed at the two sites: v5.4.4 build7619 in China, and v5.4.1build5577 in Singapore.

Will v5.4.4 and v5.4.1 make the difference?

Thompsons

I ran into this issue too, had a customer with a lot of remote sites all connecting back to main office with 100D.

 

I could see the VPN was a huge bottleneck, as I could RDP from a remote site to the main office server and if I copied a 75MB file and pasted it on the remote site desktop, it said it'd take 50 mins to copy! If I RDP'd via their RDGateway, bypassing the VPN, the 75MB file would copy in 5 min.

 

After creating a ticket with FGT support, they could see that the 100D didn't support ASIC Offload, but the remote site FGT (60E) did. So, at the remote site we disabled ASIC Offload on the policy and disabled npu-offload on the VPN.

This made the connection about 5 times faster. The 75MB file would copy in about 10min rather than 50.

 

Commands to do this on the remote site FGT:

config firewall policy
    edit <ID of ingress policy>
        set auto-asic-offload disable
    next
    edit <ID of egress policy>
        set auto-asic-offload disable
    next
end
config vpn ipsec phase1-interface
    edit <tunnel name>
        set npu-offload disable
    next
end
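
A workaround like the one in the post above is easy to lose track of once a firmware upgrade makes it unnecessary. As an added example (not part of the original post and not Fortinet code), this Python function scans a FortiGate configuration backup and lists every firewall policy and IPsec phase1 interface where the two offload settings named above are disabled. It assumes the backup uses the usual config/edit/set/next/end layout with full keywords; the sample config, IDs and names are constructed.

```python
import shlex
# Settings named in the post above, keyed by the config section that holds them.
WATCHED = {
    "firewall policy": "auto-asic-offload",
    "vpn ipsec phase1-interface": "npu-offload",
}

# Constructed sample backup; the IDs and names are made up for illustration.
SAMPLE = """\
#config-version=CONSTRUCTED-SAMPLE
config firewall policy
    edit 12
        set name "branch-to-hq"
        set auto-asic-offload disable
    next
    edit 13
        set name "hq-to-branch"
    next
end
config vpn ipsec phase1-interface
    edit "hq-tunnel"
        set npu-offload disable
    next
end
"""

def find_offload_disabled(config_text):
    """Return sorted (section, entry, setting) tuples where offload is disabled."""
    hits, stack, entry = [], [], None   # stack holds the open "config" sections
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:
            continue                    # part of a multi-line quoted value
        if not tokens:
            continue
        # Only top-level entries count; nested sub-tables inside an edit are skipped.
        head, top = tokens[0], len(stack) == 1
        if head == "config":
            stack.append(" ".join(tokens[1:]))
        elif head == "end" and stack:
            stack.pop()
        elif head == "edit" and top and len(tokens) > 1:
            entry = tokens[1]
        elif head == "next" and top:
            entry = None
        elif head == "set" and top and entry and len(tokens) >= 3:
            if WATCHED.get(stack[0]) == tokens[1] and tokens[2] == "disable":
                hits.append((stack[0], entry, tokens[1]))
    return sorted(hits)
```

Calling `find_offload_disabled(SAMPLE)` reports policy 12 and tunnel `hq-tunnel`; policy 13, which leaves offload at its default, is not listed.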

Eric55
New Contributor

Try enabling/disabling DTLS and sniff traffic from FortiClient to FortiGate.

Duncan
New Contributor III

Why? What am I looking for? I think Fortinet support did this yesterday while troubleshooting. They've escalated to development as they believe it is a bug. The firewall is peaking at about 300Mbps (bypassing our ISP) where it should be getting around 900Mbps.

bartman10

I have the EXACT same issue! The traffic in your pic is exactly like mine. Up and down with 355kb/sec. We have an Active-Passive 300E cluster on a 100/100mbit fiber pipe.

 

If I have DTLS enabled, FortiClient hangs at 98%, then asks to log in again. Speed is also bad for IPsec.

I also have a ticket open with TAC and we are having a great conversation about enabling/disabling DTLS on the FortiGate... but no further progress.

 

Sorry meant to add, Duncan can you PM me your ticket number so I can add it to my ticket for ref?

300E x3, 200D, 140D, 94D, 90D x2, 80D, 40C, handful of 60E's.. starting to lose track.

Over 100 WiFi AP's and growing.

FAZ-200D

FAC-VM 2 node cluster

Friends don't let friends FWF!

Duncan
New Contributor III

PM'ed you the ticket number. The ticket has been escalated to development as we've proven a bug in FortiGate.

FYI, the support tech and I tried IPsec, lowering TLS version and cipher, and hardware acceleration, to no avail.

Last week FortiOS 6.0.3 was released so I am planning to install that tonight. I'll let you know the results.

bartman10

Great thanks for the update. 
