Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kommgroup
New Contributor

Terrible Download Speeds on Fortigate 90D

Hi everyone. Thanks in advance for any help you can provide.

 

We have a Fortigate 90D and a 50Mbps (up and down) connection at our office. The speed test at http://speedof.me/ came up at approx 37Mbps up and down, which is fine, as I ran the test in the middle of the workday. HOWEVER, downloading files and other web activity can be painfully slow, sometimes as slow as 100KBps (!). I look at the bandwidth graph on the 90D and i see nothing to suggest that something is hogging bandwidth. The CPU is hovering around 10%.

 

Sometimes, downloads are fine. I downloaded a VMWare iso at 2.4MBps. Other times, the downloads are awful. I tried downloading a Windows Service Pack and it went at about 200KBps.

 

Any thoughts? I will provide whatever details I can.

 

 

6 REPLIES 6
ede_pfau
SuperUser
SuperUser

hi,

 

one reason for slow speeds on a fast line can be a mismatch of the MTU. If IP packets are larger than the MTU they need to be fragmented which can cause latency.

Your ISP should give you infos on the kind of connection and if there is a smaller MTU used than 1518 bytes.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
kommgroup

thanks! i will ask.

Dave_Hall
Honored Contributor

If you have any UTM features (mainly virus scanning) enabled on the policy covering the effected traffic, keep in mind that the fgt will try to buffer the entire file to it's max buffer size limit (usually 10 MB) before "releasing" it or dropping it (based on what is the default action).   (At least in proxy mode.)  This virus scanning does "slow down" the transfer rate; Fortinet use to publish actual "Antivirus Throughput" data on their datasheets, but appears to be "removed" from later models and/or balled into their NGFW throughput data.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
ede_pfau

The proxy introduces a delay but does (ideally) not reduce the throughput. The data will be released to the host after scanning has finished at wirespeed.

 

Boils down to reasonable benchmark parameters: data sizes larger than any internal buffers (>> 10 MB), duration longer than any intermediate scanning delays (couple of minutes should do). The hardware in question is capable enough for 50 Mbps even with UTM features enabled.

 

Lately we've seen in the forums that PPPoE is handled by CPU in the current firmware versions which can bog down the CPU significantly. But that doesn't seem to be involved here.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
rpedrica

Antivirus throughput is still there on the datasheets - it's called IPS now.

ede_pfau

@rpedrica: are you replying to the wrong thread? https://forum.fortinet.com/tm.aspx?m=132959 is better suited.

If so, you can delete your post from here using "Manage".

 

But even then, IPS is not AV - flow-based AV uses the IPS engine but that's not the same. As a coarse measure (rather, an upper limit) you can look at the IPS throughput if you want to evaluate the (flow-based) AV throughput.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors