Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jcvm
New Contributor III

problems with VPN IPsec Site to Site

Hello,

 

I need help, I have an IPsec VPN created and it is connected at both ends, the PING works perfectly between computers but I cannot transfer even 0.5Kbps between computers.

 

jcvm_0-1641312287636.png

 

i have a Fotigate 100F OS7

8 REPLIES 8
Anonymous
Not applicable

Hello @jcvm ,

 

                    Welcome to Fortinet community and Thank you for your post. Hopefully, you've been keeping safe and doing well!

 

Have you verified if the wan speed on both sites are good? If the speed from the local to internet on both ends seems alright, then  we can try tweaking some settings on the VPN or the VPN policy to look further. Hope to hear back from you.

 

Regards

jcvm
New Contributor III

Hello @Anonymous ,

 

Site A's WAN is 500/500 Mbps connection and Site B's WAN connection is 950/950 Mbps.

 

I have read a lot in the forums that many people have problems with slow data transfers with IPsec but nobody says how to solve it.

 

I would like you to guide me with the best configuration so that everything flows better.

 

Yurisk
SuperUser
SuperUser

What latency do you get inside VPN tunnel between hosts with ping?

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
AlexC-FTNT
Staff
Staff

Check the policy that allows the traffic through the tunnel (both sides of the tunnel) - it may only allow ICMP, or not allow return traffic. 
Then make sure the traffic enters the tunnel interface (packet capture both sides).
You may need to disable asic accelleration on both ends to see the packets.
And last but not least - do all these checks after bringing down and then up the tunnel. The tunnel may show up to the remote ISP router, but there may be no real connection to remote FG (you can see if VPN phase2 is flapping in the VPN event logs)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
dannylee0307
New Contributor

Hi @jcvm 

 

You are using route-based VPN or Policy-Based VPN? 

I think you can try use diagnose sniffer packet with check both site have any error packet or drop packet.

Danny Lee
Danny Lee
jcvm
New Contributor III

After reviewing all the configurations I have noticed that the problem is in the transfer of large files.

When I try to transfer a file of 100mb this file does not exceed 400 kbps and I do not understand why.

 

This is a tunnel speed test.

[ ID] Interval Transfer Bandwidth
[ 4] 0.00-1.00 sec 1.11 MBytes 9.29 Mbits/sec
[ 4] 1.00-2.00 sec 1.32 MBytes 11.1 Mbits/sec
[ 4] 2.00-3.00 sec 1.32 MBytes 11.1 Mbits/sec
[ 4] 3.00-4.00 sec 1.32 MBytes 11.1 Mbits/sec
[ 4] 4.00-5.00 sec 1.32 MBytes 11.1 Mbits/sec
[ 4] 5.00-6.00 sec 1.32 MBytes 11.1 Mbits/sec
[ 4] 6.00-7.00 sec 1.24 MBytes 10.4 Mbits/sec
[ 4] 7.00-8.00 sec 1.33 MBytes 11.1 Mbits/sec
[ 4] 8.00-9.00 sec 1.32 MBytes 11.1 Mbits/sec
[ 4] 9.00-10.00 sec 1.32 MBytes 11.1 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 4] 0.00-10.00 sec 13.1 MBytes 11.0 Mbits/sec sender
[ 4] 0.00-10.00 sec 13.1 MBytes 11.0 Mbits/sec receiver

 

Anonymous
Not applicable

Hello @jcvm 

 

                Can you check if there is any IPsec VPN interface level  packet drop? Also please verify the MTU size of the tunnel interface on both ends. Commands that gives you the very same information can be found in the below article

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPN-tunnel-errors-wi...

 

Hope to hear back from you.

 

Regards

network360_2021
New Contributor

please check below points

1. Check  if Traffic Shaping policy is applied in IPSEC traffic

2. Check ipsec Interface Error [diagnose netlink interface list <Phase 1 name> ] Rxe and TXe value

3. check MSS and MTU values[ try to find out MTU value from source to destination using ping -- command [ping x.x.x.x -f -l 1000] where 1000 is  size of the packet in byte ,, try to increase MTU value  and check end to end MTU value .  if the value is smaller than default value adjust MSS value in the ipsec VPN policy - normally MSS value is calculated by MTU-40byte .

 

 

Thanks,

Network360

https://www.youtube.com/channel/UCSQUIhnEgz2-6JP_ykhIMUw

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors