Hi,
We have a speed problem on a VXLAN over IPsec connection between a FGT100F and a FGT60F. The tunnel works fine and the traffic is OK, but the speed of a simple test with iperf is only about 2 MB/s (both sites have 1 Gb/s symmetrical ISP connections). Any suggestions?
Thanks
Stefano
Hi Stéfano,
I did a recent layer 2 tunnel setup (ADVPN-less). I had to add the following configuration:
config system global
set honor-df disable
end
And add the following option in my phase1-interface tunnel:
set ip-fragmentation pre-encapsulation
I hope this will fix your problem as well.
Best regards,
Hi Julien,
Thanks for your suggestions.
I tried both solutions but the speed remains the same.
Any other suggestions?
Stefano
Hi Stefano,
No, sorry, I don't have any other options. I have very little use of level 2 tunneling.
Have you opened a case with support?
Hi Julien,
Yes, I already have a ticket open, but it has been open for about 2 months and there is no solution yet.
It seems there is something that limits the bandwidth on the VPN, because I tried with different providers and got similar values. Maybe it could be an SD-WAN problem? Or a problem with the "HA cluster"?
Stefano
That seems unlikely to be an SD-WAN issue or an HA cluster issue.
Have you done a packet capture on both sides? What does it look like? Any retransmissions, fragmentation? Can you post a snippet of what a capture looks like?
Wondering if you ever got this resolved? I have the same problem with IPsec + VXLAN on a combination of 40F, 81E, and virtual VM04. I tried every combination; initially I thought it was an MTU size issue due to the IPsec + VXLAN overhead. But I am actually able to send a ping with the DF bit set at a 1472-byte payload, which is the correct value using the 1500-byte max minus the 8-byte ICMP and 20-byte IP header.
I have not been able to figure this out after 2 weeks of VXLAN over IPsec full-mesh testing between 4 different geographic locations about 12 ms apart. So I doubt it's the latency, because to the Internet on these same firewalls, to speedtest dot net, I am getting 900 Mbps on a 1 Gbps Internet circuit.
Also, like you, my CPU is not an issue. The maximum it will reach for the CPU is approximately 30% (usually less on my VM04) and 8% CPU on my 40F firewall. Both platforms, hardware and virtual appliance, will not exceed 60-70 Mbps of transport when they have 1 Gbps Internet circuits.
Wondering if you ever figured it out? I'm at a loss at the moment, and so few people are doing this that it's difficult to find any expert references with experience.
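As an added worked example (not part of any post in this thread, and not FortiGate code): the 1472-byte DF ping in the post above only proves that the WAN path carries a full 1500-byte IP packet. Traffic entering the VXLAN interface is first wrapped in Ethernet/VXLAN/UDP/IP (50 bytes) and then in tunnel-mode ESP, so the largest inner packet that leaves the WAN unfragmented is noticeably smaller, and the figure depends on the ESP transform. The header sizes below are the standard IPv4, UDP, VXLAN and ESP values; the ESP transform names and the no-NAT-T default are assumptions, since the thread does not say which proposals the tunnels use.

```python
# Added example: MTU budget for inner IP -> VXLAN -> ESP (tunnel mode) -> outer IP.
# All sizes in bytes. Transform parameters (IV, padding alignment, ICV) follow
# the ESP RFCs for AES-CBC+HMAC and AES-GCM; which one a given tunnel uses is an
# assumption, as is the absence of NAT traversal unless nat_t=True.

ETH_HDR = 14      # inner Ethernet header carried inside the VXLAN payload
IPV4_HDR = 20
UDP_HDR = 8
VXLAN_HDR = 8
ICMP_HDR = 8
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
NAT_T_UDP = 8     # extra UDP/4500 header when NAT traversal is active

# (IV length, padding alignment, ICV length) per ESP transform.
ESP_TRANSFORMS = {
    "aes-cbc-sha1":   (16, 16, 12),
    "aes-cbc-sha256": (16, 16, 16),
    "aes-gcm":        (8, 4, 16),
}

VXLAN_OVERHEAD = ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR  # 50 bytes


def outer_length(inner_ip_len, transform="aes-cbc-sha1", nat_t=False):
    """Bytes on the wire for one inner IP packet after VXLAN and ESP encapsulation."""
    iv, align, icv = ESP_TRANSFORMS[transform]
    plaintext = VXLAN_OVERHEAD + inner_ip_len
    # ESP pads so that plaintext + pad + 2-byte trailer is a multiple of the alignment.
    pad = (-(plaintext + ESP_TRAILER)) % align
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv
            + plaintext + pad + ESP_TRAILER + icv)


def fits(inner_ip_len, outer_mtu=1500, transform="aes-cbc-sha1", nat_t=False):
    """True if the encapsulated packet leaves the WAN interface without fragmentation."""
    return outer_length(inner_ip_len, transform, nat_t) <= outer_mtu


def max_inner_mtu(outer_mtu=1500, transform="aes-cbc-sha1", nat_t=False):
    """Largest inner IP packet that fits; walk downward because padding depends on length."""
    for inner in range(outer_mtu, 0, -1):
        if fits(inner, outer_mtu, transform, nat_t):
            return inner
    raise ValueError("outer MTU too small for any inner packet")


def df_ping_payload(ip_mtu):
    """ICMP data size for a DF-bit ping that exactly fills an IP MTU (the post's 1472 for 1500)."""
    return ip_mtu - IPV4_HDR - ICMP_HDR


if __name__ == "__main__":
    print("WAN path only: DF ping payload", df_ping_payload(1500))
    for name in ESP_TRANSFORMS:
        for nat in (False, True):
            m = max_inner_mtu(1500, name, nat)
            print(f"{name:15s} nat-t={nat!s:5s} inner MTU {m}  DF ping payload {df_ping_payload(m)}")
    print("Does a 1500-byte inner packet fit a 1500-byte WAN MTU?", fits(1500))
```

Run it and compare the printed inner MTU against what a DF ping through the VXLAN interface (rather than to the Internet) actually passes; if the numbers differ, the capture suggested earlier in the thread should show where the fragmentation or drop happens.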