Welcome to the Fortinet community, and thank you for your post. Hopefully, you've been keeping safe and doing well!
Have you verified if the WAN speed on both sites is good? If the speed from the local to internet on both ends seems alright, then we can try tweaking some settings on the VPN or the VPN policy to look further. Hope to hear back from you.
Check the policy that allows the traffic through the tunnel (both sides of the tunnel) - it may only allow ICMP, or not allow return traffic. Then make sure the traffic enters the tunnel interface (packet capture both sides). You may need to disable ASIC acceleration on both ends to see the packets. And last but not least - do all these checks after bringing down and then up the tunnel. The tunnel may show up to the remote ISP router, but there may be no real connection to remote FG (you can see if VPN phase2 is flapping in the VPN event logs).
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and choose the solution, too00oo -
Can you check if there is any IPsec VPN interface level packet drop? Also please verify the MTU size of the tunnel interface on both ends. Commands that give you the very same information can be found in the article below.
1. Check if a Traffic Shaping policy is applied to the IPsec traffic.
2. Check the IPsec interface errors [diagnose netlink interface list <Phase 1 name>]: Rxe and TXe values.
3. Check MSS and MTU values: try to find out the MTU value from source to destination using the ping command [ping x.x.x.x -f -l 1000], where 1000 is the size of the packet in bytes. Try to increase the MTU value and check the end-to-end MTU value. If the value is smaller than the default value, adjust the MSS value in the IPsec VPN policy; normally the MSS value is calculated as MTU - 40 bytes.
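
The MTU probing in step 3, automated as an added example that is not part of the original thread: it binary-searches the largest Don't Fragment ping that gets a reply and derives the MSS with the MTU - 40 rule quoted above. The function names are hypothetical, and it assumes that `ping -l` (Windows) and `ping -s` (Linux) set the ICMP data size, so the IPv4 packet on the wire is 28 bytes larger than the number given to ping.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def df_ping(host, payload):
    """Send one echo request with Don't Fragment set; True if a reply arrived."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    else:  # Linux iputils syntax
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    # A real echo reply prints "TTL=" (Windows) or "ttl=" (Linux); a
    # "needs to be fragmented" error or a timeout does not.
    return "ttl=" in out.lower()


def find_path_mtu(probe, low=500, high=1472):
    """Binary-search the largest ICMP payload that probe() accepts.

    Returns the path MTU in bytes, or None if even `low` gets no reply
    (host down or ICMP filtered, so no conclusion can be drawn).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid       # mid fits, search above it
        else:
            high = mid - 1  # mid is too big, search below it
    return low + IP_ICMP_OVERHEAD


def mss_for(mtu):
    """MSS as described in the thread: MTU minus 40 bytes."""
    return mtu - IP_TCP_OVERHEAD


if __name__ == "__main__":
    host = sys.argv[1]  # an address behind the remote end of the tunnel
    mtu = find_path_mtu(lambda size: df_ping(host, size))
    if mtu is None:
        print("no reply to the smallest probe; cannot measure")
    else:
        print(f"path MTU {mtu} bytes, MSS {mss_for(mtu)} bytes")
```

A single lost packet is read as "too big", so on a lossy link run the measurement more than once and compare the results.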