Support Forum
marugby
New Contributor

Throughput of SSL VPN and Passthrough SSL VPN

Hello All,

 

I am in desperate need for assistance. I have an 80C as my perimeter firewall, and an ASA 5505 directly connected behind it.

 

[Internet] > 80C > ASA (DMZ)

 

Previously, the 5505 used to be the perimeter, and users would connect with AnyConnect for SSL VPN access, with zero issues with throughput (getting maximum bandwidth over the VPN) or MTU size. Now they are experiencing two issues:

 

1) AnyConnect gives an error about MTU size being too low and disconnects. I have confirmed my end-users' machine's interface MTU is set to 1500, the interface on the ASA is set to 1500, and have set the "set tcp-mss-sender 1452" on the passthrough policies on my 80C on each of the policies for the passthrough traffic, but still users get disconnected because of MTU.

2) Throughput over the VPN is far from the maximum 70mbps that 80Cs can handle (getting about 3-4mbps). I have confirmed this via my phone, as well as my laptop over many different connections to ensure the connection I was using wasn't causing the issue.

 

As a fix, I configured SSL VPN on the 80C, and don't have the MTU issue, but throughput is still dog slow (about 10% of what the speed should be). What I find weird is: if I connect off one of the internal ports (essentially, my LAN) via AnyConnect to the ASA (so LAN > DMZ), I get no MTU issues and full throughput.

 

I have no security profiles on the policies for the passthrough traffic to ensure that is not bottlenecking anything, but the fact that I have the throughput issues on AnyConnect and FortiClient is puzzling. 

 

Finally, I had a spare 80C that I spun up and only configured the passthrough SSL VPN and the Fortigate's SSL VPN and still have the same issue, so I have confirmed it is not the unit.

 

Is this due to the fact that the ASA is using the designated "DMZ" port? Or is there something I am missing?

 

Any help would be greatly appreciated.

Thank you.

7 REPLIES
marugby
New Contributor

Anyone have any insight into this?

 

I will note that I realized I never PAT'd UDP 443 for DTLS, so the AnyConnect VPN throughput is up to about 25mbps download and about 15mbps upload, but I would rather use FortiClient and remove the ASA's VPN altogether.

kallbrandt

What kind of ISP connection do you have?

Post the config of the 80C here and I'll take a look.

 

Richie
NSE7
emnoc
Esteemed Contributor III

What i would do is to look for errors on any interfaces on the FGT

 

e.g ( wan1 & dmz interface )

 

diag hardware deviceinfo nic wan1 | grep rror

diag hardware deviceinfo nic dmz1 | grep rror

diag hardware deviceinfo nic wan1 | grep peed

diag hardware deviceinfo nic dmz1 | grep peed

 

2nd,

 

1) AnyConnect gives an error about MTU size being too low and disconnects. I have confirmed my end-users' machine's interface MTU is set to 1500, the interface on the ASA is set to 1500, and have set the "set tcp-mss-sender 1452" on the passthrough policies on my 80C on each of the policies for the passthrough traffic, but still users get disconnected because of MTU.

 

The bolded setting above (the tcp-mss-sender clamp) is not going to be helpful on the SSL encrypted tunnel traffic; I thought I would point that out.

 

3rd,

 

Don't be quick to blame the FGT80C as the culprit. We had a similar issue, but with a 310: after we introduced it, our problem boiled down to the fact that, at the same time we placed the FGT and an ASA downstream, our ISP had traffic issues and was dropping TCP, and specifically HTTPS, traffic. I would place an AnyConnect client on the "perimeter" interface of the FGT80C and see whether the performance increases or decreases.

 

 

PCNSE
NSE
StrongSwan
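The interface checks suggested above are easy to eyeball for one box, but when you are comparing several ports (or several units, as the poster did with a spare 80C) it helps to parse the counter output and flag anything that should not be there. The following is an added example written for this thread, not code from the forum or from Fortinet: it parses text in the shape of the "diag hardware deviceinfo nic" lines shown later in the thread and reports non-zero error counters, a link below the expected speed, a half-duplex negotiation, and the empty-output case the poster hit on the dmz port. The sample outputs are constructed; only wan1 mirrors the real (clean) values posted, the dmz numbers are invented to show what a failing finding looks like.

```python
import re
from typing import Dict, List

# Constructed sample output in the shape of the FortiOS
# "diag hardware deviceinfo nic <interface>" lines seen in this thread.
# wan1 is clean; dmz is invented to show a link negotiating 100/half
# with CRC errors, a classic cause of poor throughput; dmz_empty mirrors
# the poster's 80C, where the dmz port returned no counters at all.
SAMPLE_NIC_OUTPUT: Dict[str, str] = {
    "wan1": """\
Name wan1
Speed 1000
Duplex full
Rx_Packets 104432
Tx_Packets 98877
Rx_Errors 0
Tx_Errors 0
Rx_CRC_Errors 0
Rx_Missed_Errors 0
""",
    "dmz": """\
Name dmz
Speed 100
Duplex half
Rx_Packets 55210
Tx_Packets 51004
Rx_Errors 37
Tx_Errors 0
Rx_CRC_Errors 37
Rx_Missed_Errors 0
""",
    "dmz_empty": "",
}

# One "Key value" pair per line; anything else is ignored.
_LINE = re.compile(r"^\s*([A-Za-z_]+)\s+(\S+)")


def parse_nic_output(text: str) -> Dict[str, str]:
    """Turn 'Key value' lines into a dict; unrecognised lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def review_nic(name: str, fields: Dict[str, str], expected_speed: int = 1000) -> List[str]:
    """Return human-readable findings for one interface (empty list = looks healthy)."""
    if not fields:
        return [f"{name}: no counter output (port may not expose NIC statistics)"]
    findings: List[str] = []
    # Any non-zero *_Errors counter deserves an explanation before the VPN is blamed.
    for key, val in fields.items():
        if key.endswith("_Errors") and val.isdigit() and int(val) > 0:
            findings.append(f"{name}: {key}={val}")
    speed = fields.get("Speed")
    if speed is not None and speed.isdigit() and int(speed) < expected_speed:
        findings.append(f"{name}: Speed={speed} (expected {expected_speed})")
    duplex = fields.get("Duplex")
    if duplex is not None and duplex.lower() != "full":
        findings.append(f"{name}: Duplex={duplex}")
    return findings


def review_all(outputs: Dict[str, str], expected_speed: int = 1000) -> Dict[str, List[str]]:
    """Review every captured interface and map its name to its findings."""
    return {name: review_nic(name, parse_nic_output(text), expected_speed)
            for name, text in outputs.items()}


if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_NIC_OUTPUT).items():
        print(name, "->", findings or "OK")
```

Feed it the full "diag hardware deviceinfo nic" output rather than the grep'd subset, so Speed and Duplex are present; an interface that negotiates 100/half with rising CRC counters will throttle a VPN long before the firewall's rated SSL throughput matters.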
marugby
New Contributor

WAN shows no errors. DMZ doesn't have any error information.

 

I have attached the SSL VPN config, as I don't necessarily want to attach my entire config. Please note that the ISP connection is a residential connection (this is an off-site lab at my home), so I use DHCP from Verizon FIOS. However, given that I am able to get 25mbps download and 15mbps upload now through the AnyConnect client, I tend to doubt that the ISP is causing issues with the traffic, and I have a dedicated 50mb circuit from them.

 

Something you'll notice is that I set the encryption down to the low setting to see if this would improve throughput, but had no success.

 

Thank you for your help

 

----------------------------------------------------------------------------

//error and speed checks

# diag hardware deviceinfo nic wan1 | grep rror
Rx_Errors 0
Tx_Errors 0
Rx_Length_Errors 0
Rx_Over_Errors 0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Rx_FIFO_Errors 0
Rx_Missed_Errors 0
Tx_Aborted_Errors 0
Tx_Carrier_Errors 0
Tx_FIFO_Errors 0
Tx_Heartbeat_Errors 0
Tx_Window_Errors 0

# diag hardware deviceinfo nic wan1 | grep peed
Speed 1000

#####################################

# diag hardware deviceinfo nic dmz | grep rror

#

 

----------------------------------------------------------------------------

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set algorithm low
    set idle-timeout 3000
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 8.8.8.8
    set dns-server2 4.2.2.2
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-all"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "tunnel-all"
        next
    end
end

 

----------------------------------------------------------------------------

 

config vpn ssl web portal
    edit "tunnel-all"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "Bookmarks"
            next
        end
        set display-forticlient-download disable
        set display-history disable
        set page-layout double-column
    next
end

 

----------------------------------------------------------------------------

 

config system interface
    edit "ssl.root"
        set vdom "root"
        set allowaccess capwap
        set vlanforward enable
        set type tunnel
        set alias "sslvpn tunnel interface"
        set snmp-index 4
    next
end

 

----------------------------------------------------------------------------

 

config firewall policy
    edit 29
        set srcintf "ssl.root" <---
        set dstintf "internal1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SSL_VPN"
    next
    edit 30
        set srcintf "ssl.root" <---
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 31
        set srcintf "ssl.root" <---
        set dstintf "dmz"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
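The configuration posted above is small enough to read by hand, but it also shows the kind of settings a reviewer wants flagged automatically when an SSL VPN is moved from one box to another: the cipher level was dropped to "low" while chasing throughput, the portal has web mode enabled even though clients use tunnel mode, and policy 30 (ssl.root to wan1) permits ALL services to any destination without a user group, unlike policies 29 and 31. The following is an added example, not code from the thread or from Fortinet: a minimal parser for the FortiOS "config / edit / set / next / end" grammar, followed by a review pass over the parsed tree. The sample config is an abbreviated copy of the poster's, with the "<---" annotations removed and the curly quotes normalised; the review rules are my own assumptions about what is worth flagging, not Fortinet guidance.

```python
import shlex
from typing import Any, Dict, List

# Abbreviated copy of the SSL VPN configuration posted in this thread
# (annotations dropped, quotes normalised to straight ASCII quotes).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set algorithm low
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "tunnel-all"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "tunnel-all"
        next
    end
end
config vpn ssl web portal
    edit "tunnel-all"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling disable
    next
end
config firewall policy
    edit 30
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set nat enable
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse the config/edit/set/next/end grammar into nested dicts.

    'config a b' and 'edit x' open a nested table keyed by their argument(s);
    'set k v' stores a string (or a list when several values are given);
    'next' and 'end' close the innermost table. Other keywords are ignored.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, *args = shlex.split(line)
        if kw in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif kw == "set" and len(args) >= 2:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def review_sslvpn(cfg: Dict[str, Any]) -> List[str]:
    """Apply a handful of hardening checks to a parsed SSL VPN config."""
    findings: List[str] = []
    settings = cfg.get("vpn ssl settings", {})
    if settings.get("algorithm") == "low":
        findings.append("vpn ssl settings: 'algorithm low' permits weaker cipher suites than 'high'")
    if settings.get("source-address") == "all":
        findings.append("vpn ssl settings: source-address 'all'; restrict to known client ranges where possible")
    for name, portal in cfg.get("vpn ssl web portal", {}).items():
        if portal.get("tunnel-mode") == "enable" and portal.get("web-mode") == "enable":
            findings.append(f"portal {name}: web-mode enabled although clients use tunnel mode")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("srcintf") != "ssl.root" or pol.get("action") != "accept":
            continue
        if pol.get("service") == "ALL" and pol.get("dstaddr") == "all":
            findings.append(f"policy {pid}: ssl.root -> {pol.get('dstintf')} permits ALL services to all destinations")
        if "groups" not in pol:
            findings.append(f"policy {pid}: no user group bound, so any tunnel client can match it")
    return findings


if __name__ == "__main__":
    for finding in review_sslvpn(parse_fortios(SAMPLE_CONFIG)):
        print("-", finding)
```

The parser deliberately handles only the five keywords that appear in a "show" dump; running it over a full backup lets the same review function cover every ssl.root policy at once, which is how the missing group on policy 30 stands out next to 29 and 31.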

kallbrandt

Ok, do a "diagnose netlink interface list | grep wan1" and post the output here.

 

(if wan1 is your interface connected to Verizon).

 

What mtu size does it report?

 

Do the same with your ASA when plugged into the Verizon and check if you get the same mtu value on the interface.

 

Kind of a longshot though, since the output above showed no errors...

 

 

Richie
NSE7
marugby

No difference, both are 1500.

 

//FGT

# diag netlink interface list | grep wan1
if=wan1 family=00 type=1 index=4 mtu=1500 link=0 master=0
#

------------------------------------------------------------

//ASA

# sh int outside | grep MTU
MAC address ****.****.****.d1ba, MTU 1500
#

emnoc
Esteemed Contributor III

Did you try the suggestion of plugging a client directly into wan1 and testing just the SSL VPN to the ASA (AnyConnect) and the SSL VPN portal? (Not at the same time.)

 

If you are getting a reduced rate, that's the rate you're getting and it's not related to the ISP. FTNT really bastardizes the SSL performance of most firewalls in the SOHO range, and these rates are not 100% correct IMHO.

 

With that said, I would expect a FGT80C to do better than 25mbps, but keep in mind the IPsec performance for this older firewall is only 80mbps and you're not going to get that with SSL VPN.

 

 

PCNSE
NSE
StrongSwan