Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Stefano_iso
New Contributor

slow vxlan speed over ipsec

Hi,

we have speed problem on vxlan over ipsec connection between FGT100F and FGT60F. The tunnel works fine and the traffic is ok but the speed of a simple test with iperf is about only 2MB/s. (both sites have 1Gb/s symmetrical IPS connection). Any suggestions?

Thanks

 

Stefano

15 REPLIES 15
Julien87
Contributor II

Hi Stéfano,

 

I did a recent layer 2 tunnel setup (ADVPN Less). I had to activate add the following configuration :

 

config system global

set honor-df disable

end

 

And add option in my phase1-interface Tunnel

set ip-fragmentation pre-encapsulation

 

 

I hope this will fix your problem as well.

 

Best regards,

 

 

 

Julien
Julien
Stefano_iso

Hi Julien,

thanks for your suggestions.

I tried with both of the solutions but the speed remains the same.

Any other suggestions?

Stefano

Julien87

Hi Stefano,

 

No, sorry, I don't have any other options. I have very little use of level 2 tunneling.

 

You have open a case with support?

 

 

Julien
Julien
Stefano_iso

Hi Julien,

yes i already have a ticket open but it is open from about 2 month and there isn't solution yet.

Seems there is something that limit the bandwidth on vpn because i tried with different providers and get similar values. maybe it could be a sdwan problem? or problem of "HA cluster" ?

 

Stefano

gfleming

Seems unlikely to be an SD-WAN issue or HA Cluster issue.


Have you done a packet capture on both sides? What does it look like? Any retransmissions, fragmentation? Can you post a snipped of what a capture looks like?

Cheers,
Graham
mikePancake130
New Contributor

Wondering if you ever got this resolved?   I have the same problem with IPsec + VXLAN on a combination of 40F, 81E, and virtual VM04.  Tried every combination, initially I thought it was an MTU size issue due to IPSEC + VXLAN overhead. But I am actually able to send ping with DF bit set at 1472 payload which is the correct value using 1500 byte max minus the 8 byte ICMP and 20 byte IP header.     

 

I have not been able to figure this out after 2 weeks of vxlan over ipsec full mesh testing between 4 different geographic locations about 12ms apart. So i doubt its the latency because to the Internet on these same firewalls to speedtest dot net, I am getting 900Mbps on a 1 Gbps Internet circuit.   

Also like you, my CPU is not an issue. The maximum it will reach for the CPU is approximately 30% (usually less on my VM04 ) and 8% CPU on my 40F firewall.   Both platforms hardware and virtual appliance transport will not exceed 60-70 Mbps when it has Internet circuits 1 Gbps.

 

Wondering if you ever figured it out?   I'm at a loss at the moment and so few people are doing this function so its difficult to find any expert references with experience.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors