Slow internet speed & file sharing while connected to VPN
Hi Everyone,
We have an SSL VPN for our corporate users on a FortiGate 5001V (daily average users 10-15). Everyone's internet speed slows down as soon as they connect to the VPN. Below are some examples of speed tests without and with the VPN. Please let me know if this slowdown is normal, expected behavior or if there is something that we can do to improve the situation. I can also provide a tracert if need be. We do have a managed network, so I do not have full CLI access to the blade, but I can pass any recommendation to our managed provider company.
The issue is more significant and a pain point when users map a server shared folder and try to save or download a file. The VPN blade is on the west coast and most shared folders are also on the west coast. I do expect some slowness while updating huge Excel files in the NY shared drive folders. Our typical time from VPN or from MPLS is always consistent at 75ms from LA to NY (while on VPN or MPLS it is always at around 73ms), so I think the culprit could be the Fortinet 5001V.
100/100 -> on vpn 20/10
300/20 -> on vpn 30/3
70/10 -> on vpn 15/2
175/5 -> on vpn 15/5
thank you
Manuel
I understand you are comparing the Internet speed of their own Internet connections in their locations, not the Internet available from the location where the FortiGate is installed, correct?
Can you verify the device model? FortiGate has some 5k models but I don't see 5000v. Is it a physical appliance or a VM?
Yes, these are remote users joining the SSL VPN, mostly from home.
It is the 5000 series in the LA datacenter. It is a physical appliance. We rebooted last night to see if things improved, but no luck!
FortiGate® 5000 Series Solution Scalable Data Center and Carrier-Graded Security Systems
I will verify the specific model
thanks
By this hardware specification, FG-5001E devices have 9Gbps throughput for SSL VPN.
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf
You shouldn't have any problems with the platform. What is the software version?
I am awaiting a response from our managed provider company, as I do not have access to the appliance.
thanks
It’s a 5001b on v5.2.11 firmware.
Do you have any security profiles attached to the SSL VPN firewall policies?
Yes, we do. We are doing split traffic. All egress/ingress traffic traverses the blade for security. We do not want the users to just be able to open any website and bring some malware in (we do content filtering as well).
I think you can't compare the speed of the user's local Internet access with a VPN connection which is inspected. Your model is huge and should be fast enough for your ~20 users. I don't have experience with this model to say more. Maybe someone on the forum can share her/his experience with model 5000, or maybe you can talk with Fortinet TAC and specify what security profiles are attached, maybe you do SSL full inspection, etc. Remember you can't offload proxy inspections to FortiASICs; all is done on CPU.
It is not so much the speed comparison, but the actual upload/download is slower. I do not expect to have 100 @ home and have 80 on VPN. As long as my end users can function normally, I am not concerned about the speed.
Here is something weird:
On MPLS/WAN from HQ to the NY server, I get 65 ms - downloading an 80 mb file takes 10 seconds
On VPN, I can ping NY at 70 ms - downloading an 80 mb file takes 3 minutes
*** Note that the ms difference is not an issue, but look at the time difference on download
- I know ping uses ICMP instead of UDP or TCP, but the time difference in download does not make sense even if it is using TCP/IP
thanks