Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Throughput of SSL VPN and Passthrough SSL VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Throughput of SSL VPN and Passthrough SSL VPN
Hello All,
I am in desperate need for assistance. I have an 80C as my perimeter firewall, and an ASA 5505 directly connected behind it.
[Internet] > 80C > ASA (DMZ)
Previously, the 5505 used to be the perimeter, and users would connect with AnyConnect for SSL VPN access, with zero issues with throughput (getting maximum bandwidth over the VPN) or MTU size. Now they are experiencing two issues:
1) AnyConnect gives an error about MTU size being too low and disconnects. I have confirmed my end-users' machine's interface MTU is set to 1500, the interface on the ASA is set to 1500, and have set the "set tcp-mss-sender 1452" on the passthrough policies on my 80C on each of the policies for the passthrough traffic, but still users get disconnected because of MTU.
2) Throughput over the VPN is far from the maximum 70mbps that 80Cs can handle (getting about 3-4mbps). I have confirmed this via my phone, as well as my laptop over many different connections to ensure the connection I was using wasn't causing the issue.
As a fix, I configured SSL VPN on the 80C, and don't have the MTU issue, but throughput is still dog slow (about 10% of what the speed should be). What I find weird is: if I connect off one of the internal ports (essentially, my LAN) via AnyConnect to the ASA (so LAN > DMZ), I get no MTU issues and full throughput.
I have no security profiles on the policies for the passthrough traffic to ensure that is not bottlenecking anything, but the fact that I have the throughput issues on AnyConnect and FortiClient is puzzling.
Finally, I had a spare 80C that I spun up and only configured the passthrough SSL VPN and the Fortigate's SSL VPN and still have the same issue, so I have confirmed it is not the unit.
Is this due to the fact that the ASA is using the designated "DMZ" port? Or is there something I am missing.
Any help would be greatly appreciated.
Thank you.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone have any insight into this?
I will note that I realized I never PAT'd UDP 443 for DTLS, so the AnyConnect VPN throughput is up to about 25mbps download and about 15mbps upload, but I would rather use FortiClient and remove the ASA's VPN altogether.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What kind of ISP connection do you have?
Post the config of the 80C here and I'll take a look.
Richie
NSE7
Richie
NSE7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What i would do is to look for errors on any interfaces on the FGT
e.g ( wan1 & dmz interface )
diag hardware deviceinfo nic wan1 | grep rror
diag hardware deviceinfo nic dmz1 | grep rror
diag hardware deviceinfo nic wan1 | grep peed
diag hardware deviceinfo nic dmz1 | grep peed
2nd,
1) AnyConnect gives an error about MTU size being too low and disconnects. I have confirmed my end-users' machine's interface MTU is set to 1500, the interface on the ASA is set to 1500, and have set the "set tcp-mss-sender 1452" on the passthrough policies on my 80C on each of the policies for the passthrough traffic, but still users get disconnected because of MTU.
The above bold is not going to be helpful on the SSL encrypted tunnel traffic, thought I would point that out
3rd,
Do be quick to rule the FGT80C as the culprit. We had a similar issue but with a 310 and after we introduce it our problem boil down that at the same time we place the FGT and a ASA downstream that our ISP had traffic issues and was dropping tcp and specifically HTTPS traffic. I would place a anyconnect cliet on the "perimeter" interface of the FGT80C and see if the performance increases or decrease.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN shows no errors. DMZ doesn't have any error information. I have attached the SSL VPN config, as I don't necessarily want to attach my entire config. Please note that the ISP connection is a residential connection (this is an off-site lab at my home), so thus I use DHCP from Verizon FIOS. However, given that I am able to get 25mbps download and 15mbps upload now through the AnyConnect client, I tend to doubt that that the ISP is causing issues with the traffic, and have a dedicated 50mb circuit from them. Something you'll notice is that I set the encryption down to the low setting to see if this would improve throughput, but had no success. Thank you for your help ----------------------------------------------------------------------------//error and speed checks# diag hardware deviceinfo nic wan1 | grep rrorRx_Errors 0Tx_Errors 0Rx_Length_Errors 0Rx_Over_Errors 0Rx_CRC_Errors 0Rx_Frame_Errors 0Rx_FIFO_Errors 0Rx_Missed_Errors 0Tx_Aborted_Errors 0Tx_Carrier_Errors 0Tx_FIFO_Errors 0Tx_Heartbeat_Errors 0Tx_Window_Errors 0 # diag hardware deviceinfo nic wan1 | grep peedSpeed 1000 ##################################### # diag hardware deviceinfo nic dmz | grep rror # ---------------------------------------------------------------------------- config vpn ssl settings set servercert "Fortinet_Factory" set algorithm low set idle-timeout 3000 set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set dns-server1 8.8.8.8 set dns-server2 4.2.2.2 set source-interface "wan1" set source-address "all" set source-address6 "all" set default-portal “tunnel-all” config authentication-rule edit 1 set groups "SSL_VPN" set portal “tunnel-all” next endend ---------------------------------------------------------------------------- config vpn ssl web portal edit “tunnel-all” set tunnel-mode enable set ipv6-tunnel-mode enable set web-mode enable set ip-pools "SSLVPN_TUNNEL_ADDR1" set split-tunneling disable set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" config bookmark-group edit "Bookmarks" next end set display-forticlient-download disable set display-history disable set page-layout double-column nextend ---------------------------------------------------------------------------- config system interface edit "ssl.root" set vdom "root" set allowaccess capwap set vlanforward enable set type tunnel set alias "sslvpn tunnel interface" set snmp-index 4 nextend ---------------------------------------------------------------------------- onfig firewall policy edit 29 set srcintf "ssl.root" <--- set dstintf "internal1" set srcaddr "SSLVPN_TUNNEL_ADDR1" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set groups "SSL_VPN" next edit 30 set srcintf "ssl.root" <--- set dstintf "wan1" set srcaddr "SSLVPN_TUNNEL_ADDR1" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable next edit 31 set srcintf "ssl.root" <--- set dstintf "dmz" set srcaddr "SSLVPN_TUNNEL_ADDR1" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all nextend
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, do a "diagnose netlink interface list | grep wan1" and post the output here.
(if wan1 is your interface connected to Verizon).
What mtu size does it report?
Do the same with your ASA when plugged into the Verizon and check if you get the same mtu value on the interface.
Kind of a longshot though, since the output above showed no errors...
Richie
NSE7
Richie
NSE7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No difference, both are 1500.
//FGT
# diag netlink interface list | grep wan1 if=wan1 family=00 type=1 index=4 mtu=1500 link=0 master=0
#
------------------------------------------------------------
//ASA
# sh int outside | grep MTU MAC address ****.****.****.d1ba, MTU 1500 #
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try the suggestion of plugging a client directly on wan1 and testing just the SSLVPN to the ASA ( anyconnect ) and the SSLVPN portal? ( not at the same time )
If you are getting a reduce rate, that's the rate your getting and not related to the ISP. FTNT really bastardize the SSL performance of most firewall in the SOHO and these rates are not 100% correct imho.
With that said, I would expect a FGT80C to do better than 25mbps but keep in mind the IPSEC performance for this older firewall is only 80mbps and your not going to get that with SSLVPN.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,729 -
FortiClient
1,771 -
5.2
801 -
FortiManager
734 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
247 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
Fortiweb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
FortiGate-VM
17 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1721 | |
| 1098 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.