spzoz
New Contributor II

VPN speed capped in version 7.2.6

I have a 100 Mbps internet connection, and right after upgrading from 7.2.5 to 7.2.6 on my FortiGate-200F, the VPN dropped to max 30 Mbps. Does anyone else have this problem?
After reverting to 7.2.5 it went back to normal.

AEK
Honored Contributor

You mean SSL VPN or IPsec?

If site to site, has the remote node been updated to the same as well?

AEK
spzoz
New Contributor II

SSL-VPN. After connecting via FortiClient, transfer was capped at ~30 Mbps

KumarV
Staff

Hello @spzoz,

If you have a 100 Mbps link, then 30-50 Mbps is the most you can get through SSL VPN because of its bigger header size. However, if you were getting good speeds with 7.2.5, then check under the SSL VPN settings whether DTLS is enabled or not. By default it should be enabled, but please cross-check it. Also try to build a dial-up IPsec for testing and see if you get any better speeds.

#config vpn ssl settings

#show

Regards

Kumarv

spzoz
New Contributor II

I never had to enable that option. It's not a matter of the connection breaking but of a transfer cap. After going back to 7.2.5, I had the full 100 Mbps transfer back (with no settings change on FortiGate/FortiClient). It has to be a firmware problem.

BillH_FTNT
Staff

Hi @spzoz

If you have a TAC ticket number, please share it. I will make a test lab based on the configuration. Thanks

Regards

Bill

BillH_FTNT
Staff

I tested with a 200F using Windows with FortiClient connected to the firewall on 7.2.6 build 1575. Then I used SFTP to download/upload traffic to other computers. It worked well with over 100M uploads and around 70M downloads. If you have a TAC ticket, please share it. I can test in the lab based on your configuration. Thanks

Regards

Bill

IntrinsicNetworkSols
New Contributor II

There's a known issue in 7.2.6. If data ingresses from a ten gig interface and leaves via a one gig (either single port or an aggregate), your throughput dies. Traffic in the opposite direction is not impacted. 

 

We've had this on a couple of HA clusters which we've had to downgrade back to 7.2.5. We've raised a ticket with TAC who don't seem to be treating it as an urgent bug (our ticket has been open for a week). 7.2.5 has its own set of issues (SDWAN configurations get broken if you edit them) so we are not happy with this situation. We haven't been given the bug ID yet and it doesn't appear in the 7.2.6 known issues within the release notes. Frustrating.

BillH_FTNT

Hi @IntrinsicNetworkSols 

This information is new to me—that traffic from 10G to 1G. We almost tested from 10G to 10G with various hardware versions. Can you share what your version is? Or the TAC ticket? We can get information from the ticket and try it in our lab now. Thanks

RG/Bill

IntrinsicNetworkSols

Hi Bill

Thanks for the response. We had this issue on 2 pairs of 200Fs running 7.2.6.

Both were in an HA cluster (Active / Standby).

Internal VLANs were connected to a single ten gig port (x1)

Outside ports (connected direct to ISP) were 2 x 1 gig copper ports (ports14/15) in an aggregate.

Our ISP termination is a 1 gig feed.

At 7.2.6 our download speed from ISP to LAN is 900 Mbps +

At 7.2.6 our upload speed from LAN to ISP is max 30 Mbps.

This has been tested using iperf3 (we have an iperf3 server direct on the Internet) using multiple parallel streams and also UDP and TCP. We have also tried uploading using HTTPS - same result.

We reverted to 7.2.5 and all performance issues go away and we get 900 Mbps in each direction with no other changes.

A search on Reddit also shows other people with the same problems at 7.2.6.

One example:

https://www.reddit.com/r/fortinet/comments/17xhigo/200f_wan_traffic_out_super_slow_since_726/