FortiGate
gmanea
Staff
Article Id 193881

Description

This article describes how to use DTLS to improve SSL VPN performance.

Occasionally, SSL VPN performance can be slower than expected. Because the SSL VPN encapsulates a TCP connection within another TCP connection, the two TCP layers can interfere with each other's timeouts and retransmissions, among other issues. See the external link for more information.

Since v5.4, it is possible to use DTLS to address this problem. DTLS has the same security as SSL, but uses UDP instead of TCP. This can improve performance drastically.

Useful link: FortiClient helpful article for VPN options

Scope

FortiGate.


Solution

To enable DTLS on SSL VPN, run the following commands:

config vpn ssl settings
    set dtls-tunnel enable
end

This has been enabled by default since 5.4.

If users are still connecting over TCP, check the FortiClient settings to ensure that the 'Preferred DTLS Tunnel' option is checked. If the option is greyed out, select the padlock at the top right to unlock it (screenshot below). See the following FortiClient article for more information: VPN options


[Screenshot: dtls.PNG]

When FortiClients are managed by EMS, the DTLS option cannot be enabled directly on the FortiClient console. Changes need to be pushed by the administrator from EMS.

Verification steps to see if FortiClient is using DTLS:

  1. Check the public IP of the PC connected with FortiClient and the SSL VPN port:

get vpn ssl monitor
show full vpn ssl settings | grep "port "

Example:

[Screenshot: 2024-11-15 16 27 35.png]

  2. Perform a packet capture filtered on the public IP and the SSL VPN port. UDP packets should be seen:

diagnose sniffer packet any 'host <PC Public IP> and port <SSLVPN Port>' 4 10 l

Example:

[Screenshot: 2024-11-15 16 29 45.png]
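Reading the sniffer output by eye works for ten packets, but a longer capture is easier to judge with a small parser. The following script is an added example and is not part of Fortinet's article or FortiOS: it takes the text of a 'diagnose sniffer packet ... 4 10 l' capture, counts UDP versus TCP packets on the SSL VPN port, and reports whether the DTLS tunnel is in use. The sample capture, the 203.0.113.10 / 198.51.100.1 addresses and port 10443 are constructed for the example, and the line layout (date, time, interface, direction, src.port -> dst.port: protocol summary) is an assumption about the verbose-4 output format.

```python
import re
from collections import Counter

# Constructed sample of 'diagnose sniffer packet any "host <ip> and port <port>" 4 10 l'
# output. Addresses are RFC 5737 documentation addresses; 10443 is an assumed SSL VPN port.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 203.0.113.10 and port 10443]
2024-11-15 16:29:45.101221 wan1 in 203.0.113.10.52144 -> 198.51.100.1.10443: udp 1348
2024-11-15 16:29:45.101540 wan1 out 198.51.100.1.10443 -> 203.0.113.10.52144: udp 96
2024-11-15 16:29:45.230017 wan1 in 203.0.113.10.52144 -> 198.51.100.1.10443: udp 1348
2024-11-15 16:29:46.004512 wan1 in 203.0.113.10.60012 -> 198.51.100.1.10443: psh 3451:3507(56) ack 1 win 513
2024-11-15 16:29:46.004900 wan1 out 198.51.100.1.10443 -> 203.0.113.10.60012: ack 3507 win 501
"""

# Assumed layout of one verbose-4 packet line with the 'l' (local date/time) timestamp.
PACKET_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>[\d:.]+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<info>.+)$"
)

# TCP packets are summarised by their flags rather than by a protocol name.
TCP_FLAGS = {"syn", "ack", "psh", "fin", "rst", "urg"}


def classify(info):
    """Map the sniffer's protocol summary to 'udp', 'tcp' or 'other'."""
    first = info.split()[0].lower()
    if first == "udp":
        return "udp"
    if first in TCP_FLAGS:
        return "tcp"
    return "other"


def summarize_capture(capture, vpn_port):
    """Count packets per transport protocol that involve the SSL VPN port."""
    counts = Counter()
    for line in capture.splitlines():
        m = PACKET_RE.match(line.strip())
        if m is None:
            continue  # 'interfaces=' / 'filters=' headers and anything unparsable
        if vpn_port not in (int(m["sport"]), int(m["dport"])):
            continue  # unrelated traffic if the capture filter was wider than the VPN port
        counts[classify(m["info"])] += 1
    return dict(counts)


def dtls_verdict(counts):
    """UDP on the VPN port means the DTLS tunnel is carrying traffic."""
    if counts.get("udp", 0):
        return "DTLS tunnel in use"
    if counts.get("tcp", 0):
        return "TCP only (DTLS not negotiated)"
    return "no SSL VPN traffic captured"


if __name__ == "__main__":
    result = summarize_capture(SAMPLE_CAPTURE, 10443)
    print(result, "->", dtls_verdict(result))
```

In practice, paste the FortiGate's sniffer output into a file and pass its contents to summarize_capture() with the port reported by 'show full vpn ssl settings | grep "port "'. Seeing some TCP alongside UDP is normal, since the client still talks to the portal over TLS; the absence of any UDP is the signal that the FortiClient side is not using DTLS.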

Another option to improve performance is to disable NPU offload for the firewall policy used by SSL VPN. Be cautious when doing this: traffic matching that policy will then be handled by the CPU only, which may cause high CPU usage if the policy carries a lot of traffic:

config firewall policy
    edit <SSLVPN policy ID>
        set auto-asic-offload disable
    next
end


Note:

The DTLS option on FortiClient for macOS is supported starting with v7.2.2: SSL VPN DTLS support for FortiClient (macOS) and (Linux) 7.2.2

Related articles:

Technical Tip: How to enable DTLS option from EMS

Troubleshooting Tip: DTLS connection is not negotiated when connecting to FortiSASE with Windows PC