Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
marugby
New Contributor

Throughput of SSL VPN and Passthrough SSL VPN

Hello All,

 

I am in desperate need for assistance. I have an 80C as my perimeter firewall, and an ASA 5505 directly connected behind it.

 

[Internet] > 80C > ASA (DMZ)

 

Previously, the 5505 used to be the perimeter, and users would connect with AnyConnect for SSL VPN access, with zero issues with throughput (getting maximum bandwidth over the VPN) or MTU size. Now they are experiencing two issues:

 

1) AnyConnect gives an error about MTU size being too low and disconnects. I have confirmed my end-users' machine's interface MTU is set to 1500, the interface on the ASA is set to 1500, and have set the "set tcp-mss-sender 1452" on the passthrough policies on my 80C on each of the policies for the passthrough traffic, but still users get disconnected because of MTU.

2) Throughput over the VPN is far from the maximum 70mbps that 80Cs can handle (getting about 3-4mbps). I have confirmed this via my phone, as well as my laptop over many different connections to ensure the connection I was using wasn't causing the issue.

 

As a fix, I configured SSL VPN on the 80C, and don't have the MTU issue, but throughput is still dog slow (about 10% of what the speed should be). What I find weird is: if I connect off one of the internal ports (essentially, my LAN) via AnyConnect to the ASA (so LAN > DMZ), I get no MTU issues and full throughput.

 

I have no security profiles on the policies for the passthrough traffic to ensure that is not bottlenecking anything, but the fact that I have the throughput issues on AnyConnect and FortiClient is puzzling. 

 

Finally, I had a spare 80C that I spun up and only configured the passthrough SSL VPN and the Fortigate's SSL VPN and still have the same issue, so I have confirmed it is not the unit.

 

Is this due to the fact that the ASA is using the designated "DMZ" port? Or is there something I am missing.

 

Any help would be greatly appreciated.

Thank you.

7 REPLIES 7
marugby
New Contributor

Anyone have any insight into this?

 

I will note that I realized I never PAT'd UDP 443 for DTLS, so the AnyConnect VPN throughput is up to about 25mbps download and about 15mbps upload, but I would rather use FortiClient and remove the ASA's VPN altogether.

kallbrandt

What kind of ISP connection do you have?

Post the config of the 80C here and I'll take a look.

 

Richie

NSE7

Richie NSE7
emnoc
Esteemed Contributor III

What i would do is to look for errors on any interfaces on the FGT

 

e.g ( wan1 & dmz interface )

 

diag hardware  deviceinfo nic wan1 | grep rror

diag hardware  deviceinfo nic dmz1 | grep rror

diag hardware  deviceinfo nic wan1 | grep peed

diag hardware  deviceinfo nic dmz1 | grep peed

 

2nd,

 

1) AnyConnect gives an error about MTU size being too low and disconnects. I have confirmed my end-users' machine's interface MTU is set to 1500, the interface on the ASA is set to 1500, and have set the "set tcp-mss-sender 1452" on the passthrough policies on my 80C on each of the policies for the passthrough traffic, but still users get disconnected because of MTU.

 

The above bold is not going to be helpful on the  SSL encrypted tunnel traffic, thought I would point that out

 

3rd,

 

Do be quick to rule the FGT80C as the culprit. We had a similar issue but with a 310 and after we introduce it  our problem boil down that at the same time we place the  FGT and a  ASA downstream that our ISP had traffic issues and was dropping  tcp and specifically HTTPS traffic. I would place a anyconnect cliet on the "perimeter" interface of the   FGT80C and see if the performance increases or decrease.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
marugby
New Contributor

WAN shows no errors. DMZ doesn't have any error information.

 

I have attached the SSL VPN config, as I don't necessarily want to attach my entire config. Please note that the ISP connection is a residential connection (this is an off-site lab at my home), so thus I use DHCP from Verizon FIOS. However, given that I am able to get 25mbps download and 15mbps upload now through the AnyConnect client, I tend to doubt that that the ISP is causing issues with the traffic, and have a dedicated 50mb circuit from them.

 

Something you'll notice is that I set the encryption down to the low setting to see if this would improve throughput, but had no success.

 

Thank you for your help

 

----------------------------------------------------------------------------

//error and speed checks

# diag hardware deviceinfo nic wan1 | grep rror

Rx_Errors 0

Tx_Errors 0

Rx_Length_Errors 0

Rx_Over_Errors 0

Rx_CRC_Errors 0

Rx_Frame_Errors 0

Rx_FIFO_Errors 0

Rx_Missed_Errors 0

Tx_Aborted_Errors 0

Tx_Carrier_Errors 0

Tx_FIFO_Errors 0

Tx_Heartbeat_Errors 0

Tx_Window_Errors 0

 

# diag hardware deviceinfo nic wan1 | grep peed

Speed 1000

 

#####################################

 

# diag hardware deviceinfo nic dmz | grep rror

 

#

 

----------------------------------------------------------------------------

 

config vpn ssl settings

    set servercert "Fortinet_Factory"

    set algorithm low

    set idle-timeout 3000

    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"

    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"

    set dns-server1 8.8.8.8

    set dns-server2 4.2.2.2

    set source-interface "wan1"

    set source-address "all"

    set source-address6 "all"

    set default-portal “tunnel-all”

        config authentication-rule

            edit 1

                set groups "SSL_VPN"

                set portal “tunnel-all”

            next

        end

end

 

----------------------------------------------------------------------------

 

config vpn ssl web portal

    edit “tunnel-all”

        set tunnel-mode enable

        set ipv6-tunnel-mode enable

        set web-mode enable

        set ip-pools "SSLVPN_TUNNEL_ADDR1"

        set split-tunneling disable

        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"

            config bookmark-group

                edit "Bookmarks"

                next

            end

        set display-forticlient-download disable

        set display-history disable

        set page-layout double-column

    next

end

 

----------------------------------------------------------------------------

 

config system interface

    edit "ssl.root"

        set vdom "root"

        set allowaccess capwap

        set vlanforward enable

        set type tunnel

        set alias "sslvpn tunnel interface"

        set snmp-index 4

    next

end

 

----------------------------------------------------------------------------

 

onfig firewall policy

    edit 29

        set srcintf "ssl.root" <---

        set dstintf "internal1"

        set srcaddr "SSLVPN_TUNNEL_ADDR1"

        set dstaddr "all"

        set action accept

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set groups "SSL_VPN"

    next

    edit 30

        set srcintf "ssl.root" <---

        set dstintf "wan1"

        set srcaddr "SSLVPN_TUNNEL_ADDR1"

        set dstaddr "all"

        set action accept

        set schedule "always"

        set service "ALL"

        set logtraffic all

        set nat enable

    next

    edit 31

        set srcintf "ssl.root" <---

        set dstintf "dmz"

        set srcaddr "SSLVPN_TUNNEL_ADDR1"

        set dstaddr "all"

        set action accept

        set schedule "always"

        set service "ALL"

        set logtraffic all

    next

end

kallbrandt

Ok, do a "diagnose netlink interface list | grep wan1" and post the output here.

 

(if wan1 is your interface connected to Verizon).

 

What mtu size does it report?

 

Do the same with your ASA when plugged into the Verizon and check if you get the same mtu value on the interface.

 

Kind of a longshot though, since the output above showed no errors...

 

 

Richie

NSE7

Richie NSE7
marugby

No difference, both are 1500.

 

//FGT

# diag netlink interface list | grep wan1 if=wan1 family=00 type=1 index=4 mtu=1500 link=0 master=0

#

------------------------------------------------------------

//ASA

# sh int outside | grep MTU MAC address ****.****.****.d1ba, MTU 1500 #

emnoc
Esteemed Contributor III

Did you try  the suggestion of plugging a client directly on wan1 and testing just the SSLVPN to the ASA ( anyconnect ) and the SSLVPN portal? ( not at the same time )

 

If you are getting a reduce rate, that's the rate your getting and not related to the ISP. FTNT really bastardize the SSL performance of most firewall in the SOHO and these rates are not 100%  correct imho.

 

With that said, I would expect a FGT80C to do better than 25mbps but keep in mind the IPSEC performance for this older firewall is only 80mbps and your not going to get that with SSLVPN.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors