Throughput problem with FGT 60D and PPPoE connection
The unit is set up with FortiOS 5.2.2 and has the wan1 port connected to the ISP with PPPoE (1Gb subscription).
If I connect the laptop or computer directly with PPPoE to the ISP I get ~800 Mb throughput (tested with speedtest, ISP's own speedtest and torrents). When I connect the Fortigate unit the throughput is capped at ~190 Mb (~140 with 5.2.5) and the unit stops responding (CPU 100%).
I tried the following configurations:
- internal lan in switch mode or in interface mode (hardware switch)
- tried with firmwares 5.0.10 and 5.2.1
The MTU for the PPPoE is 1492, so I also tried with mtu-override 1492 and still the same.
The unit behaves the same in every situation: high CPU and capped throughput.
All the UTM features are turned off. All the tests are done with the basic configuration, just a policy from internal to wan1.
Also, another strange thing is that when I test with the download limited to ~100Mb, so that the unit doesn't completely freeze, I can see from the top command that the CPU is 50% hogged by the system; however, there is no process in the list with that high of a load (if you add all the processes they add up to max 10%).
Any ideas would be greatly appreciated.
I also noticed that the traffic is not going through the NP4Lite so I guess the 'Supports firewall acceleration across all packet sizes for maximum throughput' on the FGT 60D spec sheet on Fortinet website might be false advertising.
Update: There is no way that I found for a 60D to reach gigabit speeds on PPPoE connection. Max throughput is 140 Mb.
A workaround is to have another router in front of the 60D to do the PPPoE connection (I got a Ubiquiti Edgemax Lite router for 100E that works amazingly).
I had the same issue with the 60D and gigabit internet with PPPoE. I never found a good solution, so I decided to upgrade. After weighing my options, sticking with an upgraded Fortigate seemed like the best bet (as opposed to going with a pfSense box, which would probably have been at least as expensive, or a Ubiquiti EdgeRouter). My only question was whether the 60E would be able to handle the traffic.
I ended up going with the 80E for the extra ports, but the 60E should perform similarly. And yes, this device can more than handle PPPoE encapsulation and hit gigabit speeds without coming close to maxing out.
Hope that helps anyone considering an upgrade but not wanting to because they don't know if it will solve their bottleneck.
I'm suspecting the Fortigate's "WAN" interface may be set for 100 Full duplex; as Radu indicated, performing a "diag hardware deviceinfo nic <interface name>" on the CLI will show you what speed the "WAN" interface is set at and whether there are any errors. Also, it may be rare, but the MTU could actually be smaller, like 1452 or less.
You can try forcing the duplex/speed to 1000 full duplex, like so...
config system interface
    edit "<interface>"
        set speed 1000full
    next
end
100% CPU usage doesn't sound normal. Do you have any of the interface ports in a software switch? I don't have access to a 60D, but from pics of it, it kinda looks like ports 1 through 5 are the internal switch interface and ports 6/7 are "stand-alones". Or are all ports 1-7 part of the same interface?
Edit: CPU usage may be due to the interface "flapping" (wrong duplex/speed set on WAN interface). But one other thing you should try (if at all possible) is to log in to/check the modem/gateway's own logs while the Fortigate is connected to it.
Dave, the connection is a fiber directly into the ISP's router, which is a Huawei, and from that a gigabit link to the FGT. I don't have the VPI/VCI information, but it seems that is specific to DSL connections.
The auto-asic-offload option is enabled in the policy configuration, but even if it is enabled there it may not work. As stated in the hardware acceleration booklet from Fortinet, there are several reasons why it may not work, but I didn't identify any of those in my situation.
I have the exact same problem with the same equipment FGT60D (fw 5.2.2) and my French fiber ISP Orange.
With the router given by my ISP I get 480mbit/s in download and 190mbit/s in upload. With the 60D in PPPoE I have 180mbit/s in download max, and the administration interface gets completely frozen while I'm hitting this throughput (both web and console).
I'm consulting in Africa with an Orange provider. What I would do is look at the MTU again and then work with the ISP on any PPPoE counters, and concentrate on looking for errors related to PPPoE. I believe you should be looking at an MTU setting of "1432" and not "1492". You can look at this with Wireshark if you're bored.
Now on to other issues and things to consider:
1: Have you run iperf/jperf testing between a local machine and the provider (hopefully they have a local iperf server)?
2: Can you request this and run both UDP and TCP tests and see the differences with these two layer-4 protocols?
3: When you used the computer, what was the MTU interface setting?
4: Can you downgrade the unit to an older code?
5: You mention a direct fiber, so that means something is used between you and the Huawei edge that gives you copper; can you clarify that?
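One way to settle the MTU question raised in this thread (1492 vs. 1452 vs. 1432), as an added example that is not part of any post above: a path-MTU probe that binary-searches the largest IP datagram that passes with DF set and derives the TCP MSS from it. The ping_df_probe helper assumes Linux ping (-M do / -s), and simulated_pppoe_probe is a constructed stand-in for a plain PPPoE link, so the script runs offline as written.

```python
import subprocess
from typing import Callable

IP_HDR = 20         # IPv4 header, no options
ICMP_HDR = 8        # ICMP echo header
TCP_HDR = 20        # TCP header, no options
PPPOE_OVERHEAD = 8  # 6-byte PPPoE header + 2-byte PPP protocol field

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP datagram size that passes with DF set.

    probe(size) returns True when a `size`-byte IP datagram gets through
    without fragmentation. Assumes probe is monotonic (passes below the
    path MTU, fails above it), which holds for one fixed path.
    """
    if not probe(lo):
        raise RuntimeError(f"even {lo}-byte packets do not pass")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload per segment for a given IP MTU (no TCP options)."""
    return mtu - IP_HDR - TCP_HDR

def ping_df_probe(host: str) -> Callable[[int], bool]:
    """Real probe using Linux ping: -M do sets DF, -s is the ICMP payload size."""
    def probe(size: int) -> bool:
        payload = size - IP_HDR - ICMP_HDR
        result = subprocess.run(
            ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe

def simulated_pppoe_probe(size: int) -> bool:
    """Constructed stand-in for a PPPoE link: 1500-byte Ethernet MTU minus 8 bytes."""
    return size <= 1500 - PPPOE_OVERHEAD

if __name__ == "__main__":
    mtu = find_path_mtu(simulated_pppoe_probe)
    print(f"path MTU {mtu}, TCP MSS {tcp_mss_for_mtu(mtu)}")
```

Against a real link, pass ping_df_probe("<gateway>") instead of the simulated probe; a result below 1492 is the smaller-MTU case Dave mentions above, and the MSS printed is what the firewall would need to clamp to.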