Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
elyes
New Contributor

traffic flow over IPsec very slow

Hello,

I have a established a VPN between a 300D and a 60D. Users are facing slowness issues.

I have noticed a weird thing! the MTU of the VPN interface is 1446 (enc 3DES) but when I ping remote machines with  datasize of 1478 it fails first then it works (ping -f -l 1478  x.x.x.x)

For me, the value shouldn't be bigger than 1418 (as the ping has size of 28 bytes.

I also tried to set MSS on both policies (in/out) on both firewalls to avoid the latency but it didn't help.

 

Can you help on this topic?

Thanks

10 REPLIES 10
elyes
New Contributor

any help? 

Sebastiaan_Koopmans

Which firmware are you using in the Fortigates?

FortiAnalyzer / 6.4.0

FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6

FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0

FortiWeb VM / 6.3.2

FortiManager VM / 6.4.0

FortiAnalyzer / 6.4.0 FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6 FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0 FortiWeb VM / 6.3.2 FortiManager VM / 6.4.0
elyes

5.4.4

Sebastiaan_Koopmans

We also facing almost same issues with slow vpn (ipsec and SSL) , what are the specs of the WAN connection? 100mbit+?

FortiAnalyzer / 6.4.0

FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6

FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0

FortiWeb VM / 6.3.2

FortiManager VM / 6.4.0

FortiAnalyzer / 6.4.0 FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6 FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0 FortiWeb VM / 6.3.2 FortiManager VM / 6.4.0
elyes

~30mbits

Sebastiaan_Koopmans

both sites are 30mbit?

FortiAnalyzer / 6.4.0

FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6

FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0

FortiWeb VM / 6.3.2

FortiManager VM / 6.4.0

FortiAnalyzer / 6.4.0 FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6 FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0 FortiWeb VM / 6.3.2 FortiManager VM / 6.4.0
elyes

yes. did you manage to solve your issues?

Sebastiaan_Koopmans

No, in our case is has to do with an WAN line that is 100+ Mbit.

That should be fixed in 5.6.x .

In your case the first suggestion is to upgrade to 5.4.6 because there are some IPSec fixes in that release.

FortiAnalyzer / 6.4.0

FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6

FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0

FortiWeb VM / 6.3.2

FortiManager VM / 6.4.0

FortiAnalyzer / 6.4.0 FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6 FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0 FortiWeb VM / 6.3.2 FortiManager VM / 6.4.0
btp

We use a lot of FG60D on our own fiber (3-400 units). They should be able to push 5-700Mbps IF you don't bother it with things to process in CPU. That would be traffic shaping, priority, IPS, BFD etc.

 

To see the MTU of the interface:

# fnsysctl ifconfig IPSEC IPSEC   Link encap:Unknown [size="2"]        UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1438 Metric:1[/size]         RX packets:173295762 errors:0 dropped:0 overruns:0 frame:0         TX packets:194955503 errors:46 dropped:0 overruns:0 carrier:0         collisions:0 txqueuelen:0         RX bytes:54308250008 (50.6 GB) TX bytes:19829754658 (18.5 GB)

 

In this case, with 28B Ethernet header, you should get 1410B payload through without fragmentation:

 

# execute ping-options df-bit yes

# execute ping-options data-size 1410

# execute ping 172.18.76.12 PING 172.18.76.12 (172.18.76.12): 1410 data bytes 1418 bytes from 172.18.76.12: icmp_seq=0 ttl=255 time=1.0 ms

 

# execute ping-options data-size 1411

# execute ping 172.18.76.12 PING 172.18.76.12 (172.18.76.12): 1411 data bytes

--- 172.18.76.12 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss

 

You should also verify that the traffic is indeed offloaded to the NPU and that none of the parameters under SOFTWARE are >0;

 

# diag vpn ipsec status (...) SOFTWARE:         null:   0 0         des:    0 0         3des:   0 0         aes:    0 0         aria:   0 0         seed:   0 0         null:   0 0         md5:    0 0         sha1:   0 0         sha256: 0 0         sha384: 0 0         sha512: 0 0

-- Bjørn Tore

-- Bjørn Tore
Labels
Top Kudoed Authors