Hi everybody,
I have the following situation:
Main office with Fortigate 60F with v7.0.6 build0366 and a 1 Gbit/s symmetrical fibre-optic internet connection. From Fortinet's specifications, the 60F model has an SSL-VPN Throughput of 900 Mbps. Server with Iperf connected by network cable to the firewall.
Laptop for teleworking uses a 120 Mbit/s symmetrical connection (measured with speedtest) and FortiClient v. 7.0.6.0290. Laptop connected with network cable to the router.
Performing a test via SSL VPN with Iperf3 results in a ridiculous average speed of 5.45 Mbit/s
[ 4] local 10.212.134.200 port 51073 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 1.12 MBytes 9.30 Mbits/sec
[ 4] 1.01-2.01 sec 512 KBytes 4.23 Mbits/sec
[4] 2.01-3.01 sec 384 KBytes 3.14 Mbits/sec
[ 4] 3.01-4.00 sec 640 KBytes 5.27 Mbits/sec
[4] 4.00-5.01 sec 640 KBytes 5.20 Mbits/sec
[ 4] 5.01-6.00 sec 640 KBytes 5.29 Mbits/sec
[ 4] 6.00-7.01 sec 896 KBytes 7.31 Mbits/sec
[ 4] 7.01-8.01 sec 640 KBytes 5.20 Mbits/sec
[ 4] 8.01-9.01 sec 640 KBytes 5.28 Mbits/sec
[4] 9.01-10.01 sec 512 KBytes 4.18 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 6.50 MBytes 5.45 Mbits/sec sender
[4] 0.00-10.01 sec 6.50 MBytes 5.45 Mbits/sec receiver
What could be the problem?
thanks for any ideas
Regards
Luca
UPDATE:
Test with IPSec VPN: even worse performance
[ 4] local 10.0.11.200 port 57036 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 256 KBytes 2.07 Mbits/sec
[ 4] 1.01-2.00 sec 0.00 Bytes 0.00 bits/sec
[ 4] 2.00-3.00 sec 0.00 Bytes 0.00 bits/sec
[ 4] 3.00-4.01 sec 384 KBytes 3.12 Mbits/sec
[ 4] 4.01-5.01 sec 256 KBytes 2.10 Mbits/sec
[ 4] 5.01-6.00 sec 256 KBytes 2.10 Mbits/sec
[ 4] 6.00-7.01 sec 128 KBytes 1.04 Mbits/sec
[ 4] 7.01-8.00 sec 128 KBytes 1.06 Mbits/sec
[ 4] 8.00-9.01 sec 256 KBytes 2.08 Mbits/sec
[ 4] 9.01-10.01 sec 256 KBytes 2.11 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 1.88 MBytes 1.57 Mbits/sec sender
[ 4] 0.00-10.01 sec 1.70 MBytes 1.43 Mbits/sec receiver
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I'd also take into consideration the latency inside the VPN tunnel, what is it?
Additionally, running iperf3 with multiple sessions would be helpful as well -p 5 , -p 10
BTW, have you tried running iperf3 on the Fortigate itself, just in case? https://yurisk.info/2020/01/24/fortigate-iperf-traffic-test-built-in-client-cli/
Created on 07-31-2022 04:03 AM Edited on 07-31-2022 04:14 AM
Hi Yurisk, thank you for your response.
This is a ping beetwen the client and the server on the main office.
The latency is 23ms.
Pinging 10.0.10.60 with 32 bytes of data:
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63
Reply from 10.0.10.60: bytes=32 time=23ms TTL=63
Ping statistics for 10.0.10.60:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 23ms, Maximum = 23ms, Average = 23ms
I did some research and saw the option "Preferred DTSL Tunnel".
With "Preferred DTLS Tunnel" option enable on the FortiClient it's improve a little (x3).
Connecting to host 10.0.10.60, port 5201
[ 4] local 10.212.134.200 port 60359 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 3.25 MBytes 26.9 Mbits/sec
[ 4] 1.01-2.01 sec 1.38 MBytes 11.6 Mbits/sec
[ 4] 2.01-3.01 sec 1.12 MBytes 9.47 Mbits/sec
[ 4] 3.01-4.00 sec 1.25 MBytes 10.5 Mbits/sec
[ 4] 4.00-5.00 sec 1.88 MBytes 15.8 Mbits/sec
[ 4] 5.00-6.01 sec 1.62 MBytes 13.5 Mbits/sec
[ 4] 6.01-7.00 sec 1.25 MBytes 10.6 Mbits/sec
[ 4] 7.00-8.01 sec 1.88 MBytes 15.6 Mbits/sec
[ 4] 8.01-9.00 sec 1.62 MBytes 13.7 Mbits/sec
[ 4] 9.00-10.01 sec 2.12 MBytes 17.8 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 17.4 MBytes 14.6 Mbits/sec sender
[ 4] 0.00-10.01 sec 17.2 MBytes 14.4 Mbits/sec receiver
This is the output with -P 10 option and "Preferred DTLS Tunnel" enabled on Forticlient.
Connecting to host 10.0.10.60, port 5201
[ 4] local 10.212.134.200 port 65515 connected to 10.0.10.60 port 5201
[ 6] local 10.212.134.200 port 65516 connected to 10.0.10.60 port 5201
[ 8] local 10.212.134.200 port 65518 connected to 10.0.10.60 port 5201
[ 10] local 10.212.134.200 port 65519 connected to 10.0.10.60 port 5201
[ 12] local 10.212.134.200 port 65520 connected to 10.0.10.60 port 5201
[ 14] local 10.212.134.200 port 65521 connected to 10.0.10.60 port 5201
[ 16] local 10.212.134.200 port 65522 connected to 10.0.10.60 port 5201
[ 18] local 10.212.134.200 port 65523 connected to 10.0.10.60 port 5201
[ 20] local 10.212.134.200 port 65524 connected to 10.0.10.60 port 5201
[ 22] local 10.212.134.200 port 65525 connected to 10.0.10.60 port 5201
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.01 sec 896 KBytes 7.25 Mbits/sec
[ 6] 0.00-1.01 sec 512 KBytes 4.14 Mbits/sec
[ 8] 0.00-1.01 sec 896 KBytes 7.25 Mbits/sec
[ 10] 0.00-1.01 sec 768 KBytes 6.22 Mbits/sec
[ 12] 0.00-1.01 sec 640 KBytes 5.18 Mbits/sec
[ 14] 0.00-1.01 sec 768 KBytes 6.22 Mbits/sec
[ 16] 0.00-1.01 sec 896 KBytes 7.25 Mbits/sec
[ 18] 0.00-1.01 sec 768 KBytes 6.22 Mbits/sec
[ 20] 0.00-1.01 sec 640 KBytes 5.18 Mbits/sec
[ 22] 0.00-1.01 sec 640 KBytes 5.18 Mbits/sec
[SUM] 0.00-1.01 sec 7.25 MBytes 60.1 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 1.01-2.01 sec 2.00 MBytes 16.8 Mbits/sec
[ 6] 1.01-2.01 sec 1.38 MBytes 11.6 Mbits/sec
[ 8] 1.01-2.01 sec 1.00 MBytes 8.42 Mbits/sec
[ 10] 1.01-2.01 sec 1.38 MBytes 11.6 Mbits/sec
[ 12] 1.01-2.01 sec 384 KBytes 3.16 Mbits/sec
[ 14] 1.01-2.01 sec 640 KBytes 5.27 Mbits/sec
[ 16] 1.01-2.01 sec 768 KBytes 6.32 Mbits/sec
[ 18] 1.01-2.01 sec 384 KBytes 3.16 Mbits/sec
[ 20] 1.01-2.01 sec 384 KBytes 3.16 Mbits/sec
[ 22] 1.01-2.01 sec 896 KBytes 7.37 Mbits/sec
[SUM] 1.01-2.01 sec 9.12 MBytes 76.9 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 2.01-3.00 sec 1.38 MBytes 11.6 Mbits/sec
[ 6] 2.01-3.00 sec 896 KBytes 7.38 Mbits/sec
[ 8] 2.01-3.00 sec 1.00 MBytes 8.44 Mbits/sec
[ 10] 2.01-3.00 sec 896 KBytes 7.38 Mbits/sec
[ 12] 2.01-3.00 sec 640 KBytes 5.27 Mbits/sec
[ 14] 2.01-3.00 sec 1.12 MBytes 9.49 Mbits/sec
[ 16] 2.01-3.00 sec 1.25 MBytes 10.5 Mbits/sec
[ 18] 2.01-3.00 sec 896 KBytes 7.38 Mbits/sec
[ 20] 2.01-3.00 sec 1.12 MBytes 9.49 Mbits/sec
[ 22] 2.01-3.00 sec 1.25 MBytes 10.5 Mbits/sec
[SUM] 2.01-3.00 sec 10.4 MBytes 87.6 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 3.00-4.00 sec 1.62 MBytes 13.6 Mbits/sec
[ 6] 3.00-4.00 sec 1.12 MBytes 9.44 Mbits/sec
[ 8] 3.00-4.00 sec 640 KBytes 5.24 Mbits/sec
[ 10] 3.00-4.00 sec 1.38 MBytes 11.5 Mbits/sec
[ 12] 3.00-4.00 sec 768 KBytes 6.29 Mbits/sec
[ 14] 3.00-4.00 sec 896 KBytes 7.34 Mbits/sec
[ 16] 3.00-4.00 sec 1.50 MBytes 12.6 Mbits/sec
[ 18] 3.00-4.00 sec 896 KBytes 7.34 Mbits/sec
[ 20] 3.00-4.00 sec 1.12 MBytes 9.44 Mbits/sec
[ 22] 3.00-4.00 sec 1.12 MBytes 9.44 Mbits/sec
[SUM] 3.00-4.00 sec 11.0 MBytes 92.3 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 4.00-5.01 sec 1.00 MBytes 8.31 Mbits/sec
[ 6] 4.00-5.01 sec 1.00 MBytes 8.31 Mbits/sec
[ 8] 4.00-5.01 sec 896 KBytes 7.27 Mbits/sec
[ 10] 4.00-5.01 sec 1.62 MBytes 13.5 Mbits/sec
[ 12] 4.00-5.01 sec 768 KBytes 6.24 Mbits/sec
[ 14] 4.00-5.01 sec 768 KBytes 6.24 Mbits/sec
[ 16] 4.00-5.01 sec 1.12 MBytes 9.35 Mbits/sec
[ 18] 4.00-5.01 sec 1.12 MBytes 9.35 Mbits/sec
[ 20] 4.00-5.01 sec 1.00 MBytes 8.31 Mbits/sec
[ 22] 4.00-5.01 sec 1.50 MBytes 12.5 Mbits/sec
[SUM] 4.00-5.01 sec 10.8 MBytes 89.4 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 5.01-6.00 sec 768 KBytes 6.34 Mbits/sec
[ 6] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 8] 5.01-6.00 sec 896 KBytes 7.40 Mbits/sec
[ 10] 5.01-6.00 sec 1.75 MBytes 14.8 Mbits/sec
[ 12] 5.01-6.00 sec 1.25 MBytes 10.6 Mbits/sec
[ 14] 5.01-6.00 sec 640 KBytes 5.29 Mbits/sec
[ 16] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 18] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 20] 5.01-6.00 sec 1.00 MBytes 8.46 Mbits/sec
[ 22] 5.01-6.00 sec 1.38 MBytes 11.6 Mbits/sec
[SUM] 5.01-6.00 sec 10.6 MBytes 89.9 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 6.00-7.00 sec 896 KBytes 7.35 Mbits/sec
[ 6] 6.00-7.00 sec 768 KBytes 6.30 Mbits/sec
[ 8] 6.00-7.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 10] 6.00-7.00 sec 1.25 MBytes 10.5 Mbits/sec
[ 12] 6.00-7.00 sec 1.38 MBytes 11.5 Mbits/sec
[ 14] 6.00-7.00 sec 768 KBytes 6.30 Mbits/sec
[ 16] 6.00-7.00 sec 1.12 MBytes 9.45 Mbits/sec
[ 18] 6.00-7.00 sec 1.38 MBytes 11.5 Mbits/sec
[ 20] 6.00-7.00 sec 1.12 MBytes 9.45 Mbits/sec
[ 22] 6.00-7.00 sec 896 KBytes 7.35 Mbits/sec
[SUM] 6.00-7.00 sec 10.5 MBytes 88.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 6] 7.00-8.00 sec 896 KBytes 7.35 Mbits/sec
[ 8] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 10] 7.00-8.00 sec 896 KBytes 7.35 Mbits/sec
[ 12] 7.00-8.00 sec 768 KBytes 6.30 Mbits/sec
[ 14] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 16] 7.00-8.00 sec 640 KBytes 5.25 Mbits/sec
[ 18] 7.00-8.00 sec 896 KBytes 7.35 Mbits/sec
[ 20] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[ 22] 7.00-8.00 sec 1.00 MBytes 8.40 Mbits/sec
[SUM] 7.00-8.00 sec 9.00 MBytes 75.6 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 8.00-9.01 sec 896 KBytes 7.29 Mbits/sec
[ 6] 8.00-9.01 sec 768 KBytes 6.25 Mbits/sec
[ 8] 8.00-9.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 10] 8.00-9.01 sec 896 KBytes 7.29 Mbits/sec
[ 12] 8.00-9.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 14] 8.00-9.01 sec 768 KBytes 6.25 Mbits/sec
[ 16] 8.00-9.01 sec 1.00 MBytes 8.33 Mbits/sec
[ 18] 8.00-9.01 sec 768 KBytes 6.25 Mbits/sec
[ 20] 8.00-9.01 sec 1.00 MBytes 8.33 Mbits/sec
[ 22] 8.00-9.01 sec 1.12 MBytes 9.38 Mbits/sec
[SUM] 8.00-9.01 sec 9.38 MBytes 78.1 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 4] 9.01-10.01 sec 1.00 MBytes 8.34 Mbits/sec
[ 6] 9.01-10.01 sec 1.00 MBytes 8.34 Mbits/sec
[ 8] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 10] 9.01-10.01 sec 896 KBytes 7.30 Mbits/sec
[ 12] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 14] 9.01-10.01 sec 640 KBytes 5.21 Mbits/sec
[ 16] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 18] 9.01-10.01 sec 768 KBytes 6.26 Mbits/sec
[ 20] 9.01-10.01 sec 1.12 MBytes 9.38 Mbits/sec
[ 22] 9.01-10.01 sec 768 KBytes 6.26 Mbits/sec
[SUM] 9.01-10.01 sec 9.50 MBytes 79.2 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.01 sec 11.4 MBytes 9.53 Mbits/sec sender
[ 4] 0.00-10.01 sec 11.3 MBytes 9.44 Mbits/sec receiver
[ 6] 0.00-10.01 sec 9.25 MBytes 7.75 Mbits/sec sender
[ 6] 0.00-10.01 sec 9.05 MBytes 7.58 Mbits/sec receiver
[ 8] 0.00-10.01 sec 9.50 MBytes 7.96 Mbits/sec sender
[ 8] 0.00-10.01 sec 9.35 MBytes 7.83 Mbits/sec receiver
[ 10] 0.00-10.01 sec 11.6 MBytes 9.74 Mbits/sec sender
[ 10] 0.00-10.01 sec 11.5 MBytes 9.62 Mbits/sec receiver
[ 12] 0.00-10.01 sec 8.75 MBytes 7.33 Mbits/sec sender
[ 12] 0.00-10.01 sec 8.60 MBytes 7.21 Mbits/sec receiver
[ 14] 0.00-10.01 sec 7.88 MBytes 6.60 Mbits/sec sender
[ 14] 0.00-10.01 sec 7.74 MBytes 6.49 Mbits/sec receiver
[ 16] 0.00-10.01 sec 10.4 MBytes 8.69 Mbits/sec sender
[ 16] 0.00-10.01 sec 10.2 MBytes 8.56 Mbits/sec receiver
[ 18] 0.00-10.01 sec 8.75 MBytes 7.33 Mbits/sec sender
[ 18] 0.00-10.01 sec 8.62 MBytes 7.22 Mbits/sec receiver
[ 20] 0.00-10.01 sec 9.50 MBytes 7.96 Mbits/sec sender
[ 20] 0.00-10.01 sec 9.27 MBytes 7.76 Mbits/sec receiver
[ 22] 0.00-10.01 sec 10.5 MBytes 8.80 Mbits/sec sender
[ 22] 0.00-10.01 sec 10.4 MBytes 8.71 Mbits/sec receiver
[SUM] 0.00-10.01 sec 97.5 MBytes 81.7 Mbits/sec sender
[SUM] 0.00-10.01 sec 96.0 MBytes 80.4 Mbits/sec receiver
If I have understood correctly (correct me if I am wrong), with the -P option, traffic can be tested with several concurrent streams.
By putting the parameter -P 10 I see that it arrives at a sum [SUM] of about 80Mbit/s which might also be acceptable for a 120 Mbit/s client-side internet connection.
Unfortunately, I do not have the possibility at the moment to test it with a faster connection.
Now my questions:
config vpn ssl settings
set dtls-tunnel enable
end
Thank you
P.S.: the iperf test from fortigate I can't get it going at the moment.
Hi Lalu
You can take below step in consideration to solve this issue .
as you already enabled in DTLS on FGT and FCT which help to improve the traffic and can view it in application debug log
You can view the TDLS tunnel enable option by below commdand
FG config vpn ssl settings
FG (settings) # get
enter and see output
1. change the value of the minimum tls version from 1-1 to 1-2 under sslvpn setting
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/587408/ssl-vpn-troubleshooting
https://community.fortinet.com/t5/FortiGate/Technical-Note-Using-DTLS-to-improve-SSL-VPN-performance...
2. If the communication network has a lower MTU value, but the client PC is not aware of it, it will send its MSS value of 1460 bytes to the server. The server will therefore think that the client can receive 1500 bytes (1460 MSS layer4 +20 ip header +20 TCP header) and will send a packet with a size of 1500 bytes. Now if the MTU is lower somewhere in the path, then the packet can be fragmented. If the DF (don't fragment) bit is set then the packet can be dropped, which can cause delays or slowness in the network.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518
config firewall policy
edit <policy id>
tcp-mss-sender 1300
tcp-mss-receiver 1300
end
3. disable npu offload in policy and check.
Thanks
Madhav
This is the SSL VPN settings
status : enable
reqclientcert : disable
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-2
banned-cipher :
ciphersuite : TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
ssl-insert-empty-fragment: enable
https-redirect : disable
x-content-type-options: enable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert : Fortinet_Factory
algorithm : high
idle-timeout : 14400
auth-timeout : 28800
login-attempt-limit : 2
login-block-time : 60
login-timeout : 30
dtls-hello-timeout : 10
tunnel-ip-pools : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix : domain.local
dns-server1 : 10.0.10.1
dns-server2 : 0.0.0.0
wins-server1 : 0.0.0.0
wins-server2 : 0.0.0.0
ipv6-dns-server1 : ::
ipv6-dns-server2 : ::
ipv6-wins-server1 : ::
ipv6-wins-server2 : ::
url-obscuration : disable
http-compression : disable
http-only-cookie : enable
port : 10443
port-precedence : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface : "wan1"
source-address : "all"
source-address-negate: disable
source-address6 : "all"
source-address6-negate: disable
default-portal : my-split-tunnel-portal
authentication-rule:
== [ 1 ]
id: 1
dtls-tunnel : enable
check-referer : disable
http-request-header-timeout: 20
http-request-body-timeout: 30
auth-session-check-source-ip: enable
tunnel-connect-without-reauth: disable
hsts-include-subdomains: disable
transform-backward-slashes: disable
encode-2f-sequence : disable
encrypt-and-store-password: disable
client-sigalgs : all
dual-stack-mode : disable
tunnel-addr-assigned-method: first-available
saml-redirect-port : 8020
web-mode-snat : disable
dtls-max-proto-ver : dtls1-2
dtls-min-proto-ver : dtls1-0
MTU/MSS
it is possible to ping with a size of 1364, but not with 1365
MTU = 1364 + 28 = 1392
TCP MSS = 1392 - 40 = 1352
Applied to SSL VPN policy
set tcp-mss-sender 1352
set tcp-mss-receiver 1352
npu offload disabled
nothing changed
Few thoughts on your tests:
Hi @lalu
do you solve the issue?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.