nwillia09
New Contributor

IPSEC VPN Tunnel Throughput Issue

I have a throughput issue over my IPSEC VPN tunnel between our 200D (5.2) and our 60E (5.6) firewalls.

Site A.
200D
150mbps Up/D

Site B.
60E
100mbps Up/D

I am having throughput issues when sending data from site A LAN only to Site B. A single transfer is only able to reach 10mbps. When running multiple transfers simultaneously, each transfer is able to reach the 10mbps until the 100mbps is reached. When transferring data from Site B to Site A, a single transfer is able to fully saturate the 100mbps link as expected. Transferring data from Site B to Site C (MPLS Network), which passes through the VPN tunnel at Site A, is able to fully saturate the 100mbps as expected. There seems to be a problem only sending data from Site A LAN interface to Site B.

At this point I am thinking it's the software switch on the LAN interface causing some sort of issue that I can't explain. There are no bandwidth limiters or security features enabled on the VPN policies. The issue started when I had an ISP issue at Site A. Site A actually has two ISPs. During the outage I had temporarily set up the VPN over the secondary ISP, which only had 10mbps upload speed. When changing the VPN to the 150mbps circuit, the VPN did not regain the bandwidth as expected. Do I need to reboot the 200D firewall to drop the old VPN session, or is this something else related to the software switch?

Any help would be appreciated before I start the long and grueling process of disabling the software switch.

Deepakkhw
New Contributor III

Please share VPN Configuration (CLI) with us.

 

Regards,

Deepak Kumar

nwillia09

The configuration is shown below. The IP addresses are fake/censored.

 

Site A

Phase 1

    edit "S****-M*****"
        set interface "wan2"
        set comments "VPN: S****-M***** (Created by VPN wizard)"
        set remote-gw ***.***.*.***
        set psksecret ENC dmFyL2pt3NTmT2Iv97ct1yLwSs/wX0khwwjpya0NwEX55g6G04dMzodxXOX00U9suhMV7tNrquiU91UYyHgoJ/ArpUBymSZSKP1v2T4nPTzIgzZ5m9T2yjCysu+fmsiEd0i2xzDgP9yYAcyydAaPIyOgAfYSgpSRJqC1X7U4by38SnybVka2DYTM5NZZ71sCd6DKLQ==

Phase 2

    edit "S****-M****"
        set phase1name "S****-M****"
        set comments "VPN: S****-M**** (Created by VPN wizard)"
        set src-subnet 17.0.1.0 255.255.255.0
        set dst-subnet 17.0.90.0 255.255.255.0
    next
    edit "S**"
        set phase1name "S****-M****"
        set comments "***"
        set src-subnet 17.0.40.0 255.255.255.0
        set dst-subnet 17.0.90.0 255.255.255.0
    next
    edit "W***"
        set phase1name "S****-M****"
        set src-subnet 17.0.10.0 255.255.255.0
        set dst-subnet 17.0.90.0 255.255.255.0
    next
    edit "S***"
        set phase1name "S****-M****"
        set src-subnet 17.0.30.0 255.255.255.0
        set dst-subnet 17.0.90.0 255.255.255.0
    next
    edit "E**"
        set phase1name "S****-M****"
        set src-subnet 17.0.20.0 255.255.255.0
        set dst-subnet 17.0.90.0 255.255.255.0
    next
    edit "D**"
        set phase1name "S****-M****"
        set src-subnet 163.20.20.0 255.255.255.0
        set dst-subnet 17.0.90.0 255.255.255.0
    next
    edit "*** ***"
        set phase1name "S****-M****"
        set src-subnet ***.***.***.0 255.255.255.0
        set dst-subnet 17.0.90.0 255.255.255.0

Firewall Policies

    edit 63
        set uuid 7b9fff58-23b1-51e8-bf5a-254475a40ab3
        set srcintf "inside"
        set dstintf "S****-M****"
        set srcaddr "S****-M****_local"
        set dstaddr "S****-M****_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: S****-M**** (Created by VPN wizard)"
    next
    edit 64
        set uuid 7ba60e0c-23b1-51e8-e4d1-2c46e7b465c4
        set srcintf "S****-M****"
        set dstintf "inside"
        set srcaddr "S****-M****_remote"
        set dstaddr "S****-M****_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: S****-M**** (Created by VPN wizard)"
    edit 65
        set uuid 40cc8d46-260a-51e8-6399-f595640778cd
        set srcintf "S****-M****"
        set dstintf "port16"
        set srcaddr "M***** Lan"
        set dstaddr "***-Networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 66
        set uuid f4b83b28-260c-51e8-51f7-c196a0836445
        set srcintf "S****-M****"
        set dstintf "***-VLAN-*"
        set srcaddr "M***** Lan"
        set dstaddr "****-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 67
        set uuid abd4520a-2c3a-51e8-5f79-db56613b25ac
        set srcintf "S****-M****"
        set dstintf "port**"
        set srcaddr "M**** Lan"
        set dstaddr "F****
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    edit 68
        set uuid 5ecb7f18-39d9-51e8-9506-72c05ab645b2
        set srcintf "ssl.root"
        set dstintf "S****-M****"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "M**** Lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "******"
    next
    edit 69
        set uuid 26897634-3c0c-51e8-e40a-8735ea1bfb6b
        set srcintf "port16"
        set dstintf "S****-M****"
        set srcaddr "***-Networks"
        set dstaddr "M**** Lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 70
        set uuid 1f5aab78-3c1e-51e8-97ca-2e064cd86385
        set srcintf "AT&T-VLAN-2"
        set dstintf "S****-M****"
        set srcaddr "****-LAN"
        set dstaddr "M**** Lan"
        set action accept
        set schedule "always"
        set service "ALL"
    edit 71
        set uuid befd666c-411d-51e8-477e-7e7af638dc38
        set srcintf "S****-M****"
        set dstintf "ssl.root"
        set srcaddr "M***** Lan"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"

Route

    edit 12
        set dst 17.0.90.0 255.255.255.0
        set device "S****-M****"
        set comment "VPN: S****-M**** (Created by VPN wizard)"

 

Site B

Phase 1

config vpn ipsec phase1-interface
    edit "S****-M****"
        set interface "wan1"
        set peertype any
        set comments "VPN: S****-M**** (Created by VPN wizard)"
        set remote-gw **.**.**.***
        set psksecret ENC 7FeC103ZAtu6Rb0MJ6OzBwvlpNDM72qn0xK6nA3UfgaCBXOT4rmw0mchkeDgt2X+l7xh6lQWqrQNi3ije6PBojf8v36FENvGDiXg3euX5VenquyiFnE26ivI1PrRDkrhpqed6EDiNv1g0cvbrGgTPC0ubVSEShPJl5NkCoP8Q3NksCOQTomM1de1DjQxMl3jhjDj1Q==

Phase 2

config vpn ipsec phase2-interface
    edit "S****-M****"
        set phase1name "S****-M****"
        set comments "VPN: S****-M**** (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "S****-M****_local"
        set dst-name "S****-M****_remote"
    next
    edit "***"
        set phase1name "S****-M****"
        set src-subnet 17.0.90.0 255.255.255.0
        set dst-subnet 17.0.40.0 255.255.255.0
    next
    edit "E**"
        set phase1name "S****-M****"
        set src-subnet 17.0.90.0 255.255.255.0
        set dst-subnet 17.0.20.0 255.255.255.0
    next
    edit "S**"
        set phase1name "S****-M****"
        set src-subnet 17.0.90.0 255.255.255.0
        set dst-subnet 17.0.30.0 255.255.255.0
    next
    edit "W**"
        set phase1name "S****-M****"
        set src-subnet 17.0.90.0 255.255.255.0
        set dst-subnet 17.0.10.0 255.255.255.0
    next
    edit "D**"
        set phase1name "S****-M****"
        set src-subnet 17.0.90.0 255.255.255.0
        set dst-subnet 172.17.50.0 255.255.255.0
    next
    edit "*** ***"
        set phase1name "S****-M****"
        set src-subnet 17.0.90.0 255.255.255.0
        set dst-subnet ***.***.***.0 255.255.255.0
    next
    edit "F******-M*****"
        set phase1name "S****-M****"
        set src-subnet *17.0.90.0 255.255.255.0
        set dst-subnet 17.0.60.0 255.255.255.0
    next

Firewall Policies

    edit 3
        set name "vpn_S****-M****_local"
        set uuid 0b95c026-23b1-51e8-352d-eb22415d08a4
        set srcintf "internal1"
        set dstintf "S****-M****"
        set srcaddr "S****-M****_local"
        set dstaddr "S****-M****_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: S****-M**** (Created by VPN wizard)"
    next
    edit 4
        set name "vpn_S****-M****_remote"
        set uuid 0b9c31ea-23b1-51e8-704c-5ea1bd20080c
        set srcintf "S****-M****"
        set dstintf "internal1"
        set srcaddr "S****-M****_remote"
        set dstaddr "S****-M****_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: S****-M**** (Created by VPN wizard)"
    next
    edit 6
        set name "Remote Office VPN Access"
        set uuid 28f61d44-260b-51e8-1d76-dc0f44548213
        set srcintf "internal1"
        set dstintf "S****-M****"
        set srcaddr "Localnet"
        set dstaddr "S****-M****_remote_subnet_5" "S****-M****_remote_subnet_2" "S****-M****_remote_subnet_3" "S****-M****_remote_subnet_4" "S****-M****_remote_subnet_6" "S****-M****_remote_subnet_9" "S****-M****_remote_subnet_8"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set name "Remote VPN Return"
        set uuid c0595ebe-3c0c-51e8-1b34-958c36d0f538
        set srcintf "S****-M****"
        set dstintf "internal1"
        set srcaddr "S****-M****_remote_subnet_2" "S****-M****_remote_subnet_3" "S****-M****_remote_subnet_4" "S****-M****_remote_subnet_5" "S****-M****_remote_subnet_6" "S****-M****_remote_subnet_9" "S****-M****_remote_subnet_8"
        set dstaddr "Localnet"
        set action accept
        set schedule "always"
        set service "ALL"

Routes

    edit 2
        set device "S****-M****"
        set comment "VPN: S****-M**** (Created by VPN wizard)"
        set dstaddr "S****-M****_remote"
    next
    edit 3
        set distance 254
        set comment "VPN: S****-M**** (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "S****-M****_remote"
    next
    edit 4
        set dst 17.0.40.0 255.255.255.0
        set device "S****-M****"
    next
    edit 5
        set dst 17.0.30.0 255.255.255.0
        set device "S****-M****"
    next
    edit 6
        set dst 17.0.20.0 255.255.255.0
        set device "S****-M****"
    next
    edit 7
        set dst 17.0.10.0 255.255.255.0
        set device "S****-M****"
    next
    edit 8
        set dst ***.**.**.0 255.255.255.0
        set device "S****-M****"
    next
    edit 9
        set dst ***.***.***.0 255.255.255.0
        set device "S****-M****"
    next
    edit 10
        set dst 17.0.60.0 255.255.255.0
        set device "S****-M****"
    next