lalu
New Contributor II

Speed problem with SSL VPN

Hi everybody,

I have the following situation:


Main office with Fortigate 60F with v7.0.6 build0366 and a 1 Gbit/s symmetrical fibre-optic internet connection. From Fortinet's specifications, the 60F model has an SSL-VPN Throughput of 900 Mbps. Server with Iperf connected by network cable to the firewall.


Laptop for teleworking uses a 120 Mbit/s symmetrical connection (measured with speedtest) and FortiClient v. 7.0.6.0290. Laptop connected with network cable to the router.

Performing a test via SSL VPN with Iperf3 results in a ridiculous average speed of 5.45 Mbit/s


[ 4] local 10.212.134.200 port 51073 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 1.12 MBytes 9.30 Mbits/sec
[ 4] 1.01-2.01 sec 512 KBytes 4.23 Mbits/sec
[ 4] 2.01-3.01 sec 384 KBytes 3.14 Mbits/sec
[ 4] 3.01-4.00 sec 640 KBytes 5.27 Mbits/sec
[ 4] 4.00-5.01 sec 640 KBytes 5.20 Mbits/sec
[ 4] 5.01-6.00 sec 640 KBytes 5.29 Mbits/sec
[ 4] 6.00-7.01 sec 896 KBytes 7.31 Mbits/sec
[ 4] 7.01-8.01 sec 640 KBytes 5.20 Mbits/sec
[ 4] 8.01-9.01 sec 640 KBytes 5.28 Mbits/sec
[ 4] 9.01-10.01 sec 512 KBytes 4.18 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 6.50 MBytes 5.45 Mbits/sec sender
[ 4] 0.00-10.01 sec 6.50 MBytes 5.45 Mbits/sec receiver


What could be the problem?

Thanks for any ideas.
Regards,
Luca


UPDATE:


Test with IPSec VPN: even worse performance

[ 4] local 10.0.11.200 port 57036 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 256 KBytes 2.07 Mbits/sec
[ 4] 1.01-2.00 sec 0.00 Bytes 0.00 bits/sec
[ 4] 2.00-3.00 sec 0.00 Bytes 0.00 bits/sec
[ 4] 3.00-4.01 sec 384 KBytes 3.12 Mbits/sec
[ 4] 4.01-5.01 sec 256 KBytes 2.10 Mbits/sec
[ 4] 5.01-6.00 sec 256 KBytes 2.10 Mbits/sec
[ 4] 6.00-7.01 sec 128 KBytes 1.04 Mbits/sec
[ 4] 7.01-8.00 sec 128 KBytes 1.06 Mbits/sec
[ 4] 8.00-9.01 sec 256 KBytes 2.08 Mbits/sec
[ 4] 9.01-10.01 sec 256 KBytes 2.11 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 1.88 MBytes 1.57 Mbits/sec sender
[ 4] 0.00-10.01 sec 1.70 MBytes 1.43 Mbits/sec receiver

Yurisk
Valued Contributor

I'd also take into consideration the latency inside the VPN tunnel, what is it?

Additionally, running iperf3 with multiple sessions would be helpful as well: -P 5, -P 10

BTW, have you tried running iperf3 on the Fortigate itself, just in case?  https://yurisk.info/2020/01/24/fortigate-iperf-traffic-test-built-in-client-cli/  

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
lalu
New Contributor II

Hi Yurisk, thank you for your response.


This is a ping between the client and the server in the main office.
The latency is 23ms.

Pinging 10.0.10.60 with 32 bytes of data:
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63

Ping statistics for 10.0.10.60:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 23ms, Maximum = 23ms, Average = 23ms


I did some research and saw the option "Preferred DTLS Tunnel".
With the "Preferred DTLS Tunnel" option enabled on the FortiClient, it improves a little (x3).


Connecting to host 10.0.10.60, port 5201
[ 4] local 10.212.134.200 port 60359 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 3.25 MBytes 26.9 Mbits/sec
[ 4] 1.01-2.01 sec 1.38 MBytes 11.6 Mbits/sec
[ 4] 2.01-3.01 sec 1.12 MBytes 9.47 Mbits/sec
[ 4] 3.01-4.00 sec 1.25 MBytes 10.5 Mbits/sec
[ 4] 4.00-5.00 sec 1.88 MBytes 15.8 Mbits/sec
[ 4] 5.00-6.01 sec 1.62 MBytes 13.5 Mbits/sec
[ 4] 6.01-7.00 sec 1.25 MBytes 10.6 Mbits/sec
[ 4] 7.00-8.01 sec 1.88 MBytes 15.6 Mbits/sec
[ 4] 8.01-9.00 sec 1.62 MBytes 13.7 Mbits/sec
[ 4] 9.00-10.01 sec 2.12 MBytes 17.8 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 17.4 MBytes 14.6 Mbits/sec sender
[ 4] 0.00-10.01 sec 17.2 MBytes 14.4 Mbits/sec receiver


This is the output with the -P 10 option and "Preferred DTLS Tunnel" enabled on FortiClient.


Connecting to host 10.0.10.60, port 5201
[ 4] local 10.212.134.200 port 65515 connected to 10.0.10.60 port 5201
[ 6] local 10.212.134.200 port 65516 connected to 10.0.10.60 port 5201
[ 8] local 10.212.134.200 port 65518 connected to 10.0.10.60 port 5201
[ 10] local 10.212.134.200 port 65519 connected to 10.0.10.60 port 5201
[ 12] local 10.212.134.200 port 65520 connected to 10.0.10.60 port 5201
[ 14] local 10.212.134.200 port 65521 connected to 10.0.10.60 port 5201
[ 16] local 10.212.134.200 port 65522 connected to 10.0.10.60 port 5201
[ 18] local 10.212.134.200 port 65523 connected to 10.0.10.60 port 5201
[ 20] local 10.212.134.200 port 65524 connected to 10.0.10.60 port 5201
[ 22] local 10.212.134.200 port 65525 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 896 KBytes 7.25 Mbits/sec
[ 6] 0.00-1.01 sec 512 KBytes 4.14 Mbits/sec
[ 8] 0.00-1.01 sec 896 KBytes 7.25 Mbits/sec
[ 10] 0.00-1.01 sec 768 KBytes 6.22 Mbits/sec
[ 12] 0.00-1.01 sec 640 KBytes 5.18 Mbits/sec
[ 14] 0.00-1.01 sec 768 KBytes 6.22 Mbits/sec
[ 16] 0.00-1.01 sec 896 KBytes 7.25 Mbits/sec
[ 18] 0.00-1.01 sec 768 KBytes 6.22 Mbits/sec
[ 20] 0.00-1.01 sec 640 KBytes 5.18 Mbits/sec
[ 22] 0.00-1.01 sec 640 KBytes 5.18 Mbits/sec
[SUM] 0.00-1.01 sec 7.25 MBytes 60.1 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 1.01-2.01 sec 2.00 MBytes 16.8 Mbits/sec
[ 6] 1.01-2.01 sec 1.38 MBytes 11.6 Mbits/sec
[ 8] 1.01-2.01 sec 1.00 MBytes 8.42 Mbits/sec
[ 10] 1.01-2.01 sec 1.38 MBytes 11.6 Mbits/sec
[ 12] 1.01-2.01 sec 384 KBytes 3.16 Mbits/sec
[ 14] 1.01-2.01 sec 640 KBytes 5.27 Mbits/sec
[ 16] 1.01-2.01 sec 768 KBytes 6.32 Mbits/sec
[ 18] 1.01-2.01 sec 384 KBytes 3.16 Mbits/sec
[ 20] 1.01-2.01 sec 384 KBytes 3.16 Mbits/sec
[ 22] 1.01-2.01 sec 896 KBytes 7.37 Mbits/sec
[SUM] 1.01-2.01 sec 9.12 MBytes 76.9 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 2.01-3.00 sec 1.38 MBytes 11.6 Mbits/sec
[ 6] 2.01-3.00 sec 896 KBytes 7.38 Mbits/sec
[ 8] 2.01-3.00 sec 1.00 MBytes 8.44 Mbits/sec
[ 10] 2.01-3.00 sec 896 KBytes 7.38 Mbits/sec
[ 12] 2.01-3.00 sec 640 KBytes 5.27 Mbits/sec
[ 14] 2.01-3.00 sec 1.12 MBytes 9.49 Mbits/sec
[ 16] 2.01-3.00 sec 1.25 MBytes 10.5 Mbits/sec
[ 18] 2.01-3.00 sec 896 KBytes 7.38 Mbits/sec
[ 20] 2.01-3.00 sec 1.12 MBytes 9.49 Mbits/sec
[ 22] 2.01-3.00 sec 1.25 MBytes 10.5 Mbits/sec
[SUM] 2.01-3.00 sec 10.4 MBytes 87.6 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 3.00-4.00 sec 1.62 MBytes 13.6 Mbits/sec
[ 6] 3.00-4.00 sec 1.12 MBytes 9.44 Mbits/sec
[ 8] 3.00-4.00 sec 640 KBytes 5.24 Mbits/sec
[ 10] 3.00-4.00 sec 1.38 MBytes 11.5 Mbits/sec
[ 12] 3.00-4.00 sec 768 KBytes 6.29 Mbits/sec
[ 14] 3.00-4.00 sec 896 KBytes 7.34 Mbits/sec
[ 16] 3.00-4.00 sec 1.50 MBytes 12.6 Mbits/sec
[ 18] 3.00-4.00 sec 896 KBytes 7.34 Mbits/sec
[ 20] 3.00-4.00 sec 1.12 MBytes 9.44 Mbits/sec
[ 22] 3.00-4.00 sec 1.12 MBytes 9.44 Mbits/sec
[SUM] 3.00-4.00 sec 11.0 MBytes 92.3 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 4.00-5.01 sec 1.00 MBytes 8.31 Mbits/sec
[ 6] 4.00-5.01 sec 1.00 MBytes 8.31 Mbits/sec
[ 8] 4.00-5.01 sec 896 KBytes 7.27 Mbits/sec
[ 10] 4.00-5.01 sec 1.62 MBytes 13.5 Mbits/sec
[ 12] 4.00-5.01 sec 768 KBytes 6.24 Mbits/sec
[ 14] 4.00-5.01 sec 768 KBytes 6.24 Mbits/sec
[ 16] 4.00-5.01 sec 1.12 MBytes 9.35 Mbits/sec
[ 18] 4.00-5.01 sec 1.12 MBytes 9.35 Mbits/sec
[ 20] 4.00-5.01 sec 1.00 MBytes 8.31 Mbits/sec
[ 22] 4.00-5.01 sec 1.50 MBytes 12.5 Mbits/sec
[SUM] 4.00-5.01 sec 10.8 MBytes 89.4 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 5.01-6.00 sec 768 KBytes 6.34 Mbits/sec
[ 6] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 8] 5.01-6.00 sec 896 KBytes 7.40 Mbits/sec
[ 10] 5.01-6.00 sec 1.75 MBytes 14.8 Mbits/sec
[ 12] 5.01-6.00 sec 1.25 MBytes 10.6 Mbits/sec
[ 14] 5.01-6.00 sec 640 KBytes 5.29 Mbits/sec
[ 16] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 18] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 20] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 22] 5.01-6.00 sec 1.38 MBytes 11.6 Mbits/sec
[SUM] 5.01-6.00 sec 10.6 MBytes 89.9 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 6.00-7.00 sec 896 KBytes 7.35 Mbits/sec
[ 6] 6.00-7.00 sec 768 KBytes 6.30 Mbits/sec
[ 8] 6.00-7.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 10] 6.00-7.00 sec 1.25 MBytes 10.5 Mbits/sec
[ 12] 6.00-7.00 sec 1.38 MBytes 11.5 Mbits/sec
[ 14] 6.00-7.00 sec 768 KBytes 6.30 Mbits/sec
[ 16] 6.00-7.00 sec 1.12 MBytes 9.45 Mbits/sec
[ 18] 6.00-7.00 sec 1.38 MBytes 11.5 Mbits/sec
[ 20] 6.00-7.00 sec 1.12 MBytes 9.45 Mbits/sec
[ 22] 6.00-7.00 sec 896 KBytes 7.35 Mbits/sec
[SUM] 6.00-7.00 sec 10.5 MBytes 88.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 6] 7.00-8.00 sec 896 KBytes 7.35 Mbits/sec
[ 8] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 10] 7.00-8.00 sec 896 KBytes 7.35 Mbits/sec
[ 12] 7.00-8.00 sec 768 KBytes 6.30 Mbits/sec
[ 14] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 16] 7.00-8.00 sec 640 KBytes 5.25 Mbits/sec
[ 18] 7.00-8.00 sec 896 KBytes 7.35 Mbits/sec
[ 20] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 22] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[SUM] 7.00-8.00 sec 9.00 MBytes 75.6 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 8.00-9.01 sec 896 KBytes 7.29 Mbits/sec
[ 6] 8.00-9.01 sec 768 KBytes 6.25 Mbits/sec
[ 8] 8.00-9.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 10] 8.00-9.01 sec 896 KBytes 7.29 Mbits/sec
[ 12] 8.00-9.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 14] 8.00-9.01 sec 768 KBytes 6.25 Mbits/sec
[ 16] 8.00-9.01 sec 1.00 MBytes 8.33 Mbits/sec
[ 18] 8.00-9.01 sec 768 KBytes 6.25 Mbits/sec
[ 20] 8.00-9.01 sec 1.00 MBytes 8.33 Mbits/sec
[ 22] 8.00-9.01 sec 1.12 MBytes 9.38 Mbits/sec
[SUM] 8.00-9.01 sec 9.38 MBytes 78.1 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 9.01-10.01 sec 1.00 MBytes 8.34 Mbits/sec
[ 6] 9.01-10.01 sec 1.00 MBytes 8.34 Mbits/sec
[ 8] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 10] 9.01-10.01 sec 896 KBytes 7.30 Mbits/sec
[ 12] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 14] 9.01-10.01 sec 640 KBytes 5.21 Mbits/sec
[ 16] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 18] 9.01-10.01 sec 768 KBytes 6.26 Mbits/sec
[ 20] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 22] 9.01-10.01 sec 768 KBytes 6.26 Mbits/sec
[SUM] 9.01-10.01 sec 9.50 MBytes 79.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 11.4 MBytes 9.53 Mbits/sec sender
[ 4] 0.00-10.01 sec 11.3 MBytes 9.44 Mbits/sec receiver
[ 6] 0.00-10.01 sec 9.25 MBytes 7.75 Mbits/sec sender
[ 6] 0.00-10.01 sec 9.05 MBytes 7.58 Mbits/sec receiver
[ 8] 0.00-10.01 sec 9.50 MBytes 7.96 Mbits/sec sender
[ 8] 0.00-10.01 sec 9.35 MBytes 7.83 Mbits/sec receiver
[ 10] 0.00-10.01 sec 11.6 MBytes 9.74 Mbits/sec sender
[ 10] 0.00-10.01 sec 11.5 MBytes 9.62 Mbits/sec receiver
[ 12] 0.00-10.01 sec 8.75 MBytes 7.33 Mbits/sec sender
[ 12] 0.00-10.01 sec 8.60 MBytes 7.21 Mbits/sec receiver
[ 14] 0.00-10.01 sec 7.88 MBytes 6.60 Mbits/sec sender
[ 14] 0.00-10.01 sec 7.74 MBytes 6.49 Mbits/sec receiver
[ 16] 0.00-10.01 sec 10.4 MBytes 8.69 Mbits/sec sender
[ 16] 0.00-10.01 sec 10.2 MBytes 8.56 Mbits/sec receiver
[ 18] 0.00-10.01 sec 8.75 MBytes 7.33 Mbits/sec sender
[ 18] 0.00-10.01 sec 8.62 MBytes 7.22 Mbits/sec receiver
[ 20] 0.00-10.01 sec 9.50 MBytes 7.96 Mbits/sec sender
[ 20] 0.00-10.01 sec 9.27 MBytes 7.76 Mbits/sec receiver
[ 22] 0.00-10.01 sec 10.5 MBytes 8.80 Mbits/sec sender
[ 22] 0.00-10.01 sec 10.4 MBytes 8.71 Mbits/sec receiver
[SUM] 0.00-10.01 sec 97.5 MBytes 81.7 Mbits/sec sender
[SUM] 0.00-10.01 sec 96.0 MBytes 80.4 Mbits/sec receiver


If I have understood correctly (correct me if I am wrong), with the -P option, traffic can be tested with several concurrent streams.

With the parameter -P 10 I see that it reaches a sum [SUM] of about 80 Mbit/s, which might also be acceptable for a 120 Mbit/s client-side internet connection.
Unfortunately, I do not have the possibility at the moment to test it with a faster connection.


Now my questions:

  • Is this an acceptable speed for each stream, or should it go faster?
  • When connected via VPN, it seems that only one stream is used. How can I tell whether an SSL VPN user can take advantage of multiple streams?
  • How can I see if the DTLS tunnel is enabled on the FortiGate side?
    I have tried this command, but I don't see it active in the configuration...

config vpn ssl settings
set dtls-tunnel enable
end


Thank you

P.S.: I can't get the iperf test from the FortiGate going at the moment.

msolanki
Staff

Hi Lalu,

You can take the steps below into consideration to solve this issue.
As you have already enabled DTLS on the FGT and FCT, which helps improve the traffic, you can view it in the application debug log.
You can view the DTLS tunnel enable option with the command below:

FG # config vpn ssl settings
FG (settings) # get

Press enter and see the output.

1. Change the minimum TLS version from tls1-1 to tls1-2 under the SSL VPN settings.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/587408/ssl-vpn-troubleshooting
https://community.fortinet.com/t5/FortiGate/Technical-Note-Using-DTLS-to-improve-SSL-VPN-performance...


2. If the communication network has a lower MTU value, but the client PC is not aware of it, it will send its MSS value of 1460 bytes to the server. The server will therefore think that the client can receive 1500 bytes (1460 MSS at layer 4 + 20 IP header + 20 TCP header) and will send a packet with a size of 1500 bytes. Now if the MTU is lower somewhere in the path, then the packet can be fragmented. If the DF (don't fragment) bit is set, then the packet can be dropped, which can cause delays or slowness in the network.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

config firewall policy
edit <policy id>
set tcp-mss-sender 1300
set tcp-mss-receiver 1300
next
end

3. Disable NPU offload in the policy and check.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-NP-offloading-in-security-policy...

Thanks,

Madhav

lalu
New Contributor II

These are the SSL VPN settings:


status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-2
banned-cipher :
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : Fortinet_Factory
algorithm : high
idle-timeout : 14400
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix : domain.local
dns-server1 : 10.0.10.1
dns-server2 : 0.0.0.0
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 10443
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : my-split-tunnel-portal
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dual-stack-mode : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port : 8020
web-mode-snat : disable
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0


MTU/MSS:
It is possible to ping with a payload size of 1364, but not with 1365.
MTU = 1364 + 28 = 1392
TCP MSS = 1392 - 40 = 1352


Applied to the SSL VPN policy:
set tcp-mss-sender 1352
set tcp-mss-receiver 1352


NPU offload disabled.

Nothing changed.
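The MTU and MSS figures worked out by hand in the post above (largest DF-marked ping payload, plus 28 bytes of IP/ICMP overhead, minus 40 bytes of IP/TCP overhead) can be derived by a script. The following is an added example, not code from the thread or from Fortinet. It assumes a Linux iputils `ping` that accepts `-M do` (set DF) and `-s <payload>`; on Windows the equivalent flags are `ping -f -l <payload>`. The target host is the thread's iperf3 server and is a placeholder to replace with your own, and the probe callback is injectable so the search can be exercised offline.

```python
"""Path-MTU probing and TCP MSS derivation through a VPN tunnel.

Added example (not from the thread or from Fortinet). Assumptions:
  * Linux ping supporting -M do (don't fragment) and -s <payload bytes>;
  * PROBE_TARGET is reachable through the tunnel (placeholder value).
"""
import subprocess
from typing import Callable, Dict

ICMP_AND_IP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header
TCP_AND_IP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)

PROBE_TARGET = "10.0.10.60"  # the thread's iperf3 server; replace with your own host

Probe = Callable[[int], bool]


def ping_probe(host: str, timeout_s: int = 2) -> Probe:
    """Build a probe that reports whether a DF-marked ping of `payload` bytes is answered.

    A non-zero exit code covers both "message too long" (a local MTU check)
    and "fragmentation needed" replies or silent drops from the path.
    """
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
             "-s", str(payload), host],
            capture_output=True, text=True,
        )
        return result.returncode == 0
    return probe


def largest_passing_payload(probe: Probe, lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload the path carries unfragmented.

    1472 is the largest payload that fits a 1500-byte Ethernet frame.
    Assumes monotonicity: if size N is dropped, every size above N is too.
    """
    if not probe(lo):
        raise RuntimeError("even the smallest probe failed; check reachability first")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits; the answer is mid or larger
        else:
            hi = mid - 1      # mid dropped; the answer is below mid
    return lo


def mtu_from_payload(payload: int) -> int:
    """Largest passing ICMP payload -> path MTU (thread: 1364 + 28 = 1392)."""
    return payload + ICMP_AND_IP_OVERHEAD


def mss_from_mtu(mtu: int) -> int:
    """Path MTU -> TCP MSS to clamp to (thread: 1392 - 40 = 1352)."""
    return mtu - TCP_AND_IP_OVERHEAD


def derive_tcp_mss(probe: Probe, hi: int = 1472) -> Dict[str, int]:
    """Run the probe search and return payload, MTU and the MSS to configure."""
    payload = largest_passing_payload(probe, hi=hi)
    mtu = mtu_from_payload(payload)
    return {"payload": payload, "mtu": mtu, "mss": mss_from_mtu(mtu)}


if __name__ == "__main__":
    # Live run against the placeholder host; needs network access and ping.
    result = derive_tcp_mss(ping_probe(PROBE_TARGET))
    print(f"largest payload {result['payload']} -> MTU {result['mtu']} "
          f"-> set tcp-mss-sender/receiver {result['mss']}")
```

A simulated probe that accepts payloads up to 1364 (the value seen in the thread) reproduces the post's numbers: MTU 1392 and MSS 1352. The MSS you then clamp in the policy is only worth applying if the path really is the bottleneck; lalu's follow-up shows it made no difference here, which points away from fragmentation as the cause.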

Yurisk
Valued Contributor

A few thoughts on your tests:

  • Yes, -P n runs n sessions simultaneously.
  • To see the DTLS setting currently active, enter config vpn ssl settings, then issue get and look for the DTLS setting.
  • Running multiple TCP iperf3 sessions and reaching ~80 Mbit/sec proves that the client's ISP, FortiGate, and FortiClient are potentially able to give that much throughput inside the VPN tunnel. The maximum possible speed in a single TCP session can be calculated depending on the latency (23 msec is quite good), packet loss (may be worth a separate check), and the TCP window size on the PCs running the iperf3 test. You can calculate it here: https://www.switch.ch/network/tools/tcp_throughput/?mss=1460&rtt=23&loss=1e-06&bw=100&rtt2=23&win=64...
     The result for 23 msec says that "maximum throughput with a TCP window of 64 KByte and RTT of 23.0 ms <= 22.80 Mbit/sec." This is the theoretical max in a single session, but it assumes ~0% packet loss and an MSS of 1460, which is surely not the case with IPsec, where IPsec lowers the MTU by at least 40 bytes. Given all that, to try and improve the performance, I'd suggest:
  1. Make sure there is no packet loss between sites.
  2. Try to increase the TCP window size: easy to do in Linux (and on new kernels it is already big), not so in Windows 10.
  3. Try lowering the TCP MSS/MTU on the end PC; changing the MTU is easier but will most probably cause network trouble for the user with other services.
  4. To circumvent TCP limitations on the client host, try an iperf3 UDP test (-u -b <desired bandwidth>), at least for a test.
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
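The single-session ceiling Yuri quotes from the switch.ch calculator (64 KByte window, 23 ms RTT, <= 22.80 Mbit/sec) follows from the bandwidth-delay relation: one receive window in flight per round trip. The script below is an added example, not code from the thread or from switch.ch; it applies that relation with the thread's numbers, adds the Mathis et al. loss-limited approximation (rate <= MSS/RTT * 1/sqrt(p)) as a second bound, and turns the question around to show the window a single stream would need to fill the 120 Mbit/s link, or how many parallel streams the observed ~80 Mbit/s SUM implies. The 1e-6 loss rate is the calculator's default as shown in the URL, not a measured value.

```python
"""TCP single-stream ceiling from window size, RTT and loss (added example).

Not from the thread or from switch.ch. Inputs below are the thread's:
64 KByte window, 23 ms RTT, MSS 1460, loss 1e-6 (calculator default).
"""
import math


def window_limit_mbit(window_bytes: int, rtt_ms: float) -> float:
    """Ceiling set by the receive window: at most one window per round trip."""
    return window_bytes * 8 / (rtt_ms / 1000) / 1e6


def loss_limit_mbit(mss_bytes: int, rtt_ms: float, loss_rate: float) -> float:
    """Mathis et al. approximation of the ceiling set by random packet loss:
    rate <= (MSS / RTT) * (1 / sqrt(p)). Not a limit when p is ~0."""
    return mss_bytes * 8 / (rtt_ms / 1000) / math.sqrt(loss_rate) / 1e6


def single_stream_ceiling_mbit(window_bytes: int, mss_bytes: int,
                               rtt_ms: float, loss_rate: float) -> float:
    """Whichever bound is tighter is the one a single TCP stream will hit."""
    return min(window_limit_mbit(window_bytes, rtt_ms),
               loss_limit_mbit(mss_bytes, rtt_ms, loss_rate))


def window_for_target(target_mbit: float, rtt_ms: float) -> int:
    """Receive window (bytes) a single stream needs to sustain target_mbit at rtt_ms.
    Ordered to stay exact for integer inputs: target * rtt * 1e6 / 8000."""
    return math.ceil(target_mbit * rtt_ms * 1_000_000 / 8000)


def streams_for_target(target_mbit: float, window_bytes: int, rtt_ms: float) -> int:
    """Parallel streams needed if each is capped by the window limit."""
    return math.ceil(target_mbit / window_limit_mbit(window_bytes, rtt_ms))


if __name__ == "__main__":
    win, mss, rtt, loss = 64 * 1024, 1460, 23.0, 1e-6   # the thread's values
    print(f"window limit : {window_limit_mbit(win, rtt):.2f} Mbit/s")
    print(f"loss limit   : {loss_limit_mbit(mss, rtt, loss):.1f} Mbit/s")
    print(f"ceiling      : {single_stream_ceiling_mbit(win, mss, rtt, loss):.2f} Mbit/s")
    print(f"window for 120 Mbit/s at {rtt} ms: {window_for_target(120, rtt)} bytes")
    print(f"streams for 80 Mbit/s with 64 KiB window: {streams_for_target(80, win, rtt)}")
```

With these inputs the window bound (about 22.8 Mbit/s) is far below the loss bound (hundreds of Mbit/s), which is why the single-stream iperf3 runs in the thread plateau well under the link rate while ten streams add up to ~80 Mbit/s: a 64 KiB window at 23 ms RTT needs at least four streams to reach 80 Mbit/s, and a single stream would need roughly a 345 KB window to fill 120 Mbit/s. The same arithmetic explains why raising the window (Yuri's point 2) or testing with UDP (point 4) separates host TCP limits from tunnel limits.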