pabzab
New Contributor

GRE over IPSEC encryption performance issue

Dear community,

We have a 16 vCPU FortiGate VM establishing a GRE tunnel over IPsec with a Cisco device from a cloud provider.

The cloud provider guarantees up to 10 Gbit/s on each tunnel.

So, we tried two iperf benchmarks:

When the FortiGate decrypts with the "set ipsec-soft-dec-async enable" option enabled, we reach approx. 5 Gbit/s.

When the FortiGate encrypts, only one vCPU is used at 100% and we only reach 0.8 Gbit/s.

What could we do to distribute the load on multiple vCPUs and reach 5 Gbit/s? Or even 10 Gbit/s?

We tried FortiGate on both KVM and ESXi and the issue is the same.


Thanks

Faiza_Emam_Delhi
Contributor II

It's possible that the performance issue you are experiencing with GRE over IPSEC encryption is related to the FortiGate's hardware resources, specifically the CPU.

You mentioned that the FortiGate is a VM with 16 vCPUs, but it's possible that the hypervisor is not allocating the necessary CPU resources to the FortiGate VM. You may want to check the hypervisor's CPU allocation settings to ensure that the FortiGate VM has access to the required number of CPUs to handle the traffic.

Another potential issue could be related to the encryption algorithm and key size being used. If the FortiGate is using a high-strength encryption algorithm with a large key size, this could cause a significant increase in CPU usage and impact performance. You may want to try adjusting the encryption settings to use a weaker algorithm or smaller key size to see if this improves performance.

Additionally, you may want to check the FortiGate's IPSec settings to ensure that they are optimized for performance. For example, you can try enabling "IPSec offloading" to allow the FortiGate to offload some of the encryption processing to the network interface card (NIC).

Lastly, it may be helpful to contact Fortinet support to see if they can provide additional guidance or suggest any specific configuration changes that could improve performance for your specific use case.

Thanks & Regards,
Faizal Emam
pabzab
New Contributor

Well then thanks for your answer.

About the NPU, are you sure that this is not something restricted to physical appliances?

I tried to activate on my VM but my tunnel stays with "npu_flag=00"

Faiza_Emam_Delhi

The NPU (Neural Processing Unit) is a hardware component that is typically found on physical devices, such as Huawei's Ascend series of processors. It is designed to accelerate the performance of machine learning and artificial intelligence applications.

If you are using a virtual machine, it is unlikely that you have access to a physical NPU, which could be why you are seeing the "npu_flag=00" message. However, there may be other ways to optimize the performance of machine learning applications on a virtual machine, such as using GPU acceleration.

If you need further assistance with this issue, I recommend looking into the documentation or support resources for the specific software or platform you are using.

Thanks & Regards,
Faizal Emam
Yurisk
Valued Contributor

Not a solution, but may be worth reading - https://docs.fortinet.com/document/fortigate-private-cloud/7.4.0/kvm-administration-guide/801469/enh... 

Otherwise, I'd open a ticket with TAC for this, as I don't see any command that would distribute encryption between multiple CPUs. 


Yuri https://yurisk.info/  blog: All things Fortinet, no ads.