The unit is set up with FortiOS 5.2.2 and has the wan1 port connected to the ISP with PPPoE (1Gb subscription).
If I connect the laptop or computer directly with PPPoE to the ISP I get ~800 Mb throughput (tested with speedtest, ISP's own speedtest and torrents). When I connect the Fortigate unit the throughput is capped at ~190 Mb (~140 with 5.2.5) and the unit stops responding (CPU 100%).
I tried the following configurations:
- internal lan in switch mode or in interface mode (hardware switch)
- tried with firmwares 5.0.10 and 5.2.1
The MTU for the PPPoE is 1492 so I also tried with mtu-overrride 1492 and still the same
The unit behaves the same in every situation high cpu and capped througput.
All the UTM features are turned off. All the tests are done with the basic configuration, just a policy from internal to wan1..
Also another strange thing is that when I test with the download limited ~100Mb so that the unit doesn't completely freeze I can see from the top command that the CPU is 50% hogged by the system, however there is no process in the list with that high of a load (if you add all the processes they add up to max 10%).
Any ideas would be greatly appreciated ..
I also noticed that the traffic is not going through the NP4Lite so I guess the 'Supports firewall acceleration across all packet sizes for maximum throughput' on the FGT 60D spec sheet on Fortinet website might be false advertising.
Update: There is no way that I found for a 60D to reach gigabit speeds on PPPoE connection. Max throughput is 140 Mb.
A workaround is to have another router in front of the 60D to do the PPPoe connection ( i got a Ubiquiti Edgemax Lite router for 100E that works amazing)
Best regards,
Andrei
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I had the same issue with the 60d and gigabit internet with PPPOE. I never found a good solution, so I decided to upgrade. After weighing my options, sticking with an upgraded Fortigate seemed like the best bet (as opposed to going with a PFSense box, which would probably have been at least as expensive, or a Ubiquity EdgeRouter). My only question was would the 60e be able to handle the traffic.
I ended up going with the 80e for the extra ports, but the 60e should perform similarly. And yes, this device can more than handle PPPOE encapsulation and hit gigabit speeds without coming close to maxing out.
Hope that helps anyone considering an upgrade but not wanting to because they don't know if it will solve their bottleneck.
My thought on this problem is that the PPPoE traffic is being handled by the CPU of Fortigate 60D and that the traffic is not offloaded to the SoC NP lite chipset. As a consequence all the traffic going through the Fortigate is going through the CPU of the Fortigate which leads to a high CPU usage and lower performance compared to offloaded Firewall traffic. This problem seems to be triggered with rate above 100Mbps.
Usually PPPoE links are used for DSL traffic level which are up to 30Mbps. It is ununsual to see this kind of connectivity on links above 100Mbps.
A good work-around would be to move out of PPPoE which will bring you the double avantage of line-rate speed on Fortigate 60D as well as a standard MTU of 1500.
Has anyone submitted a support ticket for this problem in the past ?
I did yesterday.
Will update the post, when I receive an answer.
Cheers,
Bram
Did you get response from fortinet ?
Bram1nat0r wrote:Has anyone submitted a support ticket for this problem in the past ?
I did yesterday.
Will update the post, when I receive an answer.
Cheers,
Bram
Any response to your ticket? I am seeing similar issues.
q
Dominik Weglarz, IT System Engineer
Did you check what process take % of CPU ?
diag debug en get sys status get sys perf status diag sys top 1 100
also check (during connection) :
diag debug reset diag debug enable diag debug application pppoed -1
Dominik Weglarz, IT System Engineer
I think xav_FTNT is right...
pretty sure the traffic from PPPoE can not be offloaded by NPU...
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
I think so as well - everything works right up until I press the connection to 200MBps in a speed test - dslreports, CenturyLink, etc.
Immediately once a host starts that speedtest the CPU goes to 100% and speed caps - the most I have gotten is 220MBps with every other host on the network shut down.
So, as a test, I have a CenturyLink C1100Z on the way to handle the PPPoE connection and will put the FG60D's WAN port in the DMZ of the C1100Z and see if that starts getting appropriate speeds.
If so, that works for me, but its pretty annoying that a PPPoE connection causes this much overhead on a unit at this price point.
Well, I installed a C1100Z from CenturyLink and put the FG 60D WAN Port in the DMZ and speed tests are now 900Mbps down and 900Mbps Up.
Problem solved. It is apparently the PPPoE overhead on the 60D - definitely disappointed in that since CenturyLink and many other telco FTTH implementations are using PPPoE to authenticate, but so be it.
It works, I get the speed and the security and if one fails, I guess I have a backup now.
I bet if you get away from the 60D and had a bigger security-fw that has more cpu, the peformance will improve. The additional adding and removing the pppoe header is probably being off-load to the cpu so this directly impacts performance when you run PPPoE. Any traffic that's punted to CPU is directly impacted by any interrupts that the cpu is handling. The same is true with a smaller SOHO cisco router for example.
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.