Hello,
I have a established a VPN between a 300D and a 60D. Users are facing slowness issues.
I have noticed a weird thing! the MTU of the VPN interface is 1446 (enc 3DES) but when I ping remote machines with datasize of 1478 it fails first then it works (ping -f -l 1478 x.x.x.x)
For me, the value shouldn't be bigger than 1418 (as the ping has size of 28 bytes.
I also tried to set MSS on both policies (in/out) on both firewalls to avoid the latency but it didn't help.
Can you help on this topic?
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
any help?
Which firmware are you using in the Fortigates?
FortiAnalyzer / 6.4.0
FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6
FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0
FortiWeb VM / 6.3.2
FortiManager VM / 6.4.0
5.4.4
We also facing almost same issues with slow vpn (ipsec and SSL) , what are the specs of the WAN connection? 100mbit+?
FortiAnalyzer / 6.4.0
FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6
FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0
FortiWeb VM / 6.3.2
FortiManager VM / 6.4.0
~30mbits
both sites are 30mbit?
FortiAnalyzer / 6.4.0
FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6
FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0
FortiWeb VM / 6.3.2
FortiManager VM / 6.4.0
yes. did you manage to solve your issues?
No, in our case is has to do with an WAN line that is 100+ Mbit.
That should be fixed in 5.6.x .
In your case the first suggestion is to upgrade to 5.4.6 because there are some IPSec fixes in that release.
FortiAnalyzer / 6.4.0
FortiClient / 6.2.6 FortiClient EMS VM / 6.2.6
FortiGate 300D HA 6.2.4 FortiGate 500E HA 6.2.4 FortiGate 30E / 60E / 100E / 6.0.9 FortiMail VM HA / 6.4.0 FortiSandbox VM / 3.2.0
FortiWeb VM / 6.3.2
FortiManager VM / 6.4.0
We use a lot of FG60D on our own fiber (3-400 units). They should be able to push 5-700Mbps IF you don't bother it with things to process in CPU. That would be traffic shaping, priority, IPS, BFD etc.
To see the MTU of the interface:
# fnsysctl ifconfig IPSEC IPSEC Link encap:Unknown [size="2"] UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1438 Metric:1[/size] RX packets:173295762 errors:0 dropped:0 overruns:0 frame:0 TX packets:194955503 errors:46 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:54308250008 (50.6 GB) TX bytes:19829754658 (18.5 GB)
In this case, with 28B Ethernet header, you should get 1410B payload through without fragmentation:
# execute ping-options df-bit yes
# execute ping-options data-size 1410
# execute ping 172.18.76.12 PING 172.18.76.12 (172.18.76.12): 1410 data bytes 1418 bytes from 172.18.76.12: icmp_seq=0 ttl=255 time=1.0 ms
# execute ping-options data-size 1411
# execute ping 172.18.76.12 PING 172.18.76.12 (172.18.76.12): 1411 data bytes
--- 172.18.76.12 ping statistics --- 1 packets transmitted, 0 packets received, 100% packet loss
You should also verify that the traffic is indeed offloaded to the NPU and that none of the parameters under SOFTWARE are >0;
# diag vpn ipsec status (...) SOFTWARE: null: 0 0 des: 0 0 3des: 0 0 aes: 0 0 aria: 0 0 seed: 0 0 null: 0 0 md5: 0 0 sha1: 0 0 sha256: 0 0 sha384: 0 0 sha512: 0 0
-- Bjørn Tore
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.