bashrael
New Contributor

unstable/slow ipsec vpn connection

Hi.

I have an FG 100D. It was on FortiOS 5.4.1, but Fortinet support advised me to upgrade to the latest build, 5.6.1.

So 5.6.1 it is now.

I created a new FortiClient IPsec test tunnel with the wizard. No UTM is applied on the policies used.

This tunnel works, but when I copy files over this tunnel the connection is slow and unstable.

I have a 250/30 internet connection, but downloading a file from the file server at the remote location is very slow (5 Mbit/s).

So can anyone help me to solve this problem?

 

6 REPLIES
Toshi_Esumi
SuperUser

There is no silver bullet to pin-point this type of performance issue easily, so I'll throw out some things you need to consider when you troubleshoot like this.

  • Most often very poor performance/speed comes from an Ethernet duplex mismatch somewhere between the FW and the local device/PC/server. Check it at all interfaces along the path, on both the client and server end.
  • If there is no duplex mismatch all the way, the next thing you need to rule out is the internet path(s) between the client side and the server side that the IPsec VPN goes through. Compare continuous pinging end-to-end through the tunnel and public-to-public between those FWs outside the tunnel, then trace-route from both ends toward the other end if you see some intermittent drops. It might explain the "unstable" portion of the symptoms. Often packet drops happen at a hand-off between internet vendors, like Comcast-to-Level3, CenturyLink-to-Cogent, and so on, when they over-aggregate traffic.
  • Along with the ping test above, run internet speed tests, like speedtest.net, picking the closest test server on the opposite side; for example, if you're between Denver and Dallas, test at Denver by choosing one of speedtest.net's Dallas servers. If you can find your ISP at Dallas in the server list, that would be ideal.
  • Download speed at one end is decided by upload speed on the other end when you do an end-to-end file transfer, which you're probably aware of. If the server location also has a 250/30 circuit, the download speed never goes beyond 30 Mbps.
  • Lastly, the Windows TCP/IP protocol stack's window size comes in as a factor if you're testing between Windows machines. You might need to adjust them. You can find some articles if you google it. Ideally you want to test with something like iperf servers running on Linux machines, which provides a UDP test option.

    The bottom line is FortiGate's VPN itself is unlikely the cause. We dealt with many cases like yours for our customers. Most of them were the first or the second issue. Good luck!
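The ping comparison in the second bullet, written out as an added example; this is not code from the original post and not a Fortinet tool. It takes two saved `ping` transcripts, one to a host through the tunnel and one gateway-to-gateway over the public path, derives loss from the gaps in `icmp_seq` rather than trusting the summary line, and says on which side of the tunnel the drops live. The assumed input format is Linux iputils `ping -c N` output; the transcripts, addresses and the 250/30 figures in the usage line are constructed samples, not captures from this thread.

```python
"""Compare ICMP loss/jitter inside an IPsec tunnel against the public path
between the two gateways, from saved `ping` transcripts.

Added example for this thread (not from the original post, not Fortinet code).
Assumes Linux iputils ping output; capture with `ping -c N host > file`.
"""
import re
from statistics import mean

# iputils reply line, e.g. "64 bytes from 10.10.0.50: icmp_seq=3 ttl=63 time=12.4 ms"
REPLY_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")


def analyse_ping(text, sent):
    """Loss %, missing sequence numbers, avg/max RTT and jitter for one run.

    `sent` is the -c count. Loss comes from sequence numbers that never got a
    reply, so a truncated transcript without the summary line still works.
    """
    seen = {}
    for m in REPLY_RE.finditer(text):
        seen[int(m.group(1))] = float(m.group(2))
    missing = sorted(set(range(1, sent + 1)) - set(seen))
    rtts = [seen[k] for k in sorted(seen)]
    # jitter: mean absolute change between consecutive replies
    jitter = mean(abs(b - a) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return {
        "loss_pct": round(100.0 * len(missing) / sent, 1),
        "missing_seq": missing,
        "avg_ms": round(mean(rtts), 2) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "jitter_ms": round(jitter, 2),
    }


def compare_paths(tunnel_text, public_text, sent):
    """Say where the instability lives.

    Drops that already show on the public gateway-to-gateway path are being
    carried into the tunnel from the internet side (ISP / peering hand-off).
    Drops seen only inside the tunnel point at the VPN or the LAN hops behind
    the gateways. A 1% tolerance covers ordinary sampling noise.
    """
    tunnel = analyse_ping(tunnel_text, sent)
    public = analyse_ping(public_text, sent)
    if tunnel["loss_pct"] == 0 and public["loss_pct"] == 0:
        verdict = "no loss on either path; look at duplex, TCP window or the far end's upstream"
    elif public["loss_pct"] > 0 and tunnel["loss_pct"] <= public["loss_pct"] + 1.0:
        verdict = "loss present outside the tunnel too; suspect the internet path, not the VPN"
    else:
        verdict = "loss only inside the tunnel; check the VPN and the LAN hops behind each gateway"
    return {"tunnel": tunnel, "public": public, "verdict": verdict}


def transfer_ceiling_mbps(client_down_mbps, server_up_mbps):
    """Best case for a pull from the remote server: the slower of your
    downstream and their upstream (bullet 4: 250/30 at both ends caps it at 30)."""
    return min(client_down_mbps, server_up_mbps)


# Constructed samples (not from the thread): 10 probes each, seq 4 and 7 lost
# on BOTH paths, i.e. the drops are already there outside the tunnel.
TUNNEL_PING = """PING 10.10.0.50 (10.10.0.50) 56(84) bytes of data.
64 bytes from 10.10.0.50: icmp_seq=1 ttl=63 time=11.2 ms
64 bytes from 10.10.0.50: icmp_seq=2 ttl=63 time=11.8 ms
64 bytes from 10.10.0.50: icmp_seq=3 ttl=63 time=40.1 ms
64 bytes from 10.10.0.50: icmp_seq=5 ttl=63 time=12.0 ms
64 bytes from 10.10.0.50: icmp_seq=6 ttl=63 time=11.5 ms
64 bytes from 10.10.0.50: icmp_seq=8 ttl=63 time=11.9 ms
64 bytes from 10.10.0.50: icmp_seq=9 ttl=63 time=12.3 ms
64 bytes from 10.10.0.50: icmp_seq=10 ttl=63 time=11.7 ms
"""
PUBLIC_PING = """PING 198.51.100.9 (198.51.100.9) 56(84) bytes of data.
64 bytes from 198.51.100.9: icmp_seq=1 ttl=57 time=9.8 ms
64 bytes from 198.51.100.9: icmp_seq=2 ttl=57 time=10.1 ms
64 bytes from 198.51.100.9: icmp_seq=3 ttl=57 time=35.0 ms
64 bytes from 198.51.100.9: icmp_seq=5 ttl=57 time=9.9 ms
64 bytes from 198.51.100.9: icmp_seq=6 ttl=57 time=10.3 ms
64 bytes from 198.51.100.9: icmp_seq=8 ttl=57 time=10.0 ms
64 bytes from 198.51.100.9: icmp_seq=9 ttl=57 time=9.7 ms
64 bytes from 198.51.100.9: icmp_seq=10 ttl=57 time=10.2 ms
"""

if __name__ == "__main__":
    result = compare_paths(TUNNEL_PING, PUBLIC_PING, sent=10)
    for path in ("tunnel", "public"):
        print(path, result[path])
    print(result["verdict"])
    print("download ceiling for a 250/30 client pulling from a 250/30 site:",
          transfer_ceiling_mbps(250, 30), "Mbps")
```

Run both pings for a few hundred probes rather than ten, at the same time, so that an intermittent peering problem is sampled by both; a run where only the tunnel shows loss is the one case where the VPN configuration deserves a closer look.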

    bashrael

    Hi, thanks for all the suggestions.

    I started with your remark 'The bottom line is FortiGate's VPN itself is unlikely the cause'.

    So I set up a simple FTP server, forwarded a port and tested the speed without VPN.

    And the speed is the same as I get with VPN.

    So it's no VPN issue.

    It's also no SMB issue, as I have the same result with FTP.

    I also tested the speed to another server on the remote network. Same speed, so it's no problem with the remote server I was testing with.

    I tested the speed between those two servers on the remote network and I get 900 Mbit/s, so that's also not the problem. So it's also no issue with the duplex settings on this switch, I guess? (The switch being the FortiGate here for both servers.)

    The test site and remote site are only 10 km away from each other and are with the same ISP. Speed tests on the remote site 230/30, on the test site 200/30. I also tested from another site with a different ISP. Same result.

    No ping loss with VPN on or off.

    That's what I've got for now. The other suggestions I still need to test.

    But if anything I tested so far leads to other suggestions, I am happy to hear them :)

    Thanks!

    bashrael

    Small update:

    I checked the WAN port and it's on auto-negotiate, with the current state being 1000 Mbps full duplex.

    The ISP confirmed this is correct. When I had them on the phone I told them about my problem.

    They noticed that I had some upstream loss and said this 'could' be what's causing my problem.

    Tomorrow morning they'll send a technician to check the line.

    I'll update this thread when I have more news.

    bashrael

    So the ISP technician did some minor adjustments and it's a bit better, but far from good.

    I concentrated on DUPLEX mismatch.

    So I've got the client, the FG wan1 port, a VLAN interface (created on the internal) and the server.

    Everything but the internal is FULL DUPLEX 1000 Mbps. The internal is on HALF DUPLEX. I missed that one because the test FTP VIP is from wan to vlan, and those are both full duplex, and the internal interface is showing 'PHY Link down'.

    The internal interface is a hardware switch on this FG.

    Should I reconfigure the internal interface, and how do I do this?

    Some extra info:

    show system interface internal
    config system interface
        edit "internal"
            set vdom "root"
            set ip 10.0.110.2 255.255.255.0
            set vlanforward enable
            set type hard-switch
            set stp enable
            set fortiheartbeat enable
            set snmp-index 11
        next
    end

    show system interface internal VLAN10DATA
    config system interface
        edit "VLAN10DATA"
            set vdom "root"
            set ip 10.10.0.2 255.255.255.0
            set role lan
            set snmp-index 12
            set interface "internal"
            set vlanid 10
        next
    end

    show system interface wan1
    config system interface
        edit "wan1"
            set vdom "root"
            set ip x.x.x.x 255.255.255.248
            set vlanforward enable
            set type physical
            set weight 90
            set snmp-index 1
        next
    end

    diagnose hardware deviceinfo nic internal
    Description Fortinet 100D Ethernet Driver
    System_Device_Name internal
    State up
    Link up
    PHY Link down
    Speed 0
    Duplex half
    port: 0 def vid 4075 cur_vid 4075 netdev_running 1 stp: 0 mac_bypass 0 pci_rx 0
    Rx_Packets 271120503
    Tx_Packets 279265426
    Rx_Bytes 269874146612
    Tx_Bytes 283884223255

    diagnose hardware deviceinfo nic wan1
    Driver_Name e1000e
    Driver_Version 3.2.4.2-NAPI
    MAC_Type 3
    IRQ 16
    System_Device_Name wan1
    State up
    Link up
    Speed 1000
    Duplex full
    PHY_Media_Type 1
    Autoneg 1
    MTU_Size 1500
    Max_Frame_Size 1522/9234
    Interrupt_Mode MSI-X
    Interrupt_Throttle_Rate 20000
    Rx_Descriter 256
    Tx_Descriter 256
    Statistics
    rx_packets 66349708
    tx_packets 46453923
    rx_bytes 49191573663
    tx_bytes 38008075387
    rx_broadcast 14884
    tx_broadcast 22
    rx_multicast 128883
    tx_multicast 1
    rx_errors 0
    tx_errors 0
    tx_dropped 0
    multicast 128883
    collisions 0
    rx_length_errors 0
    rx_over_errors 0
    rx_crc_errors 0
    rx_frame_errors 0
    rx_no_buffer_count 17464
    rx_missed_errors 6607
    tx_aborted_errors 0
    tx_carrier_errors 0
    tx_fifo_errors 0
    tx_heartbeat_errors 0
    tx_window_errors 0
    tx_abort_late_coll 0
    tx_deferred_ok 0
    tx_single_coll_ok 0
    tx_multi_coll_ok 0
    tx_timeout_count 0
    tx_restart_queue 0
    rx_long_length_errors 0
    rx_short_length_errors 0
    rx_align_errors 0
    tx_tcp_seg_good 0
    tx_tcp_seg_failed 0
    rx_flow_control_xon 0
    rx_flow_control_xoff 0
    tx_flow_control_xon 0
    tx_flow_control_xoff 0
    rx_csum_offload_good 61971234
    rx_csum_offload_errors 0
    rx_header_split 0
    alloc_rx_buff_failed 0
    tx_smbus 0
    rx_smbus 0
    dropped_smbus 0
    rx_dma_failed 0
    tx_dma_failed 0
    rx_hwtstamp_cleared 0
    uncorr_ecc_errors 0
    corr_ecc_errors 0
    tx_hwtstamp_timeouts 0
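An added example, not part of the original post and not Fortinet code, that turns `diagnose hardware deviceinfo nic` dumps like the ones above into a duplex-mismatch check. It separates the two things the dumps show: an interface with `PHY Link down` / `Speed 0` carries no duplex information at all (the checker skips it instead of flagging its `Duplex half`, and says to look at the member ports), while a port with link up, a non-zero speed and half duplex, or with late collisions or CRC/alignment errors counting up, is a real mismatch candidate. It also flags the e1000e receive-drop counters `rx_missed_errors` and `rx_no_buffer_count`, which count inbound frames the NIC could not store and which surface as TCP retransmits. The `internal` and `wan1` samples are re-typed from the values posted above, one field per line as the CLI prints them, trimmed to the relevant fields; the `internal3` sample is constructed to show what a mismatched member port looks like and does not come from this thread.

```python
"""Audit FortiGate `diagnose hardware deviceinfo nic <port>` output for
duplex-mismatch symptoms and receive-side drops.

Added example for this thread (not from the original post, not Fortinet code).
Field names are taken from the dumps posted in the thread; nothing else is
assumed about the CLI format beyond "one `key value` pair per line".
"""

# counters a duplex mismatch drives up: the half-duplex side counts
# collisions (late collisions especially), the full-duplex side sees
# CRC / alignment / frame errors on the frames it receives
MISMATCH_COUNTERS = ("collisions", "tx_abort_late_coll", "rx_crc_errors",
                     "rx_align_errors", "rx_frame_errors")
# e1000e counters for inbound frames dropped by the NIC itself
# (receive FIFO / descriptor exhaustion), which shows up as retransmits
DROP_COUNTERS = ("rx_missed_errors", "rx_no_buffer_count",
                 "rx_over_errors", "rx_fifo_errors")


def parse_deviceinfo(text):
    """Turn the one-field-per-line dump into a dict with lower-case keys.
    'PHY Link down' is the only two-word key in the dumps above; a bare
    heading line such as 'Statistics' is skipped."""
    fields = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "PHY" and tokens[1] == "Link":
            key, value = "phy link", " ".join(tokens[2:])
        else:
            key, value = tokens[0].lower(), " ".join(tokens[1:])
        fields[key] = value
    return fields


def _count(fields, key):
    """Integer value of a counter field, 0 when absent or non-numeric."""
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0


def audit(fields):
    """Return a list of human-readable findings for one interface."""
    findings = []
    speed = _count(fields, "speed")
    duplex = fields.get("duplex", "").lower()
    if fields.get("phy link") == "down" or speed == 0:
        # Speed 0 / PHY Link down carries no duplex information, so the
        # 'Duplex half' printed alongside it is not a mismatch by itself
        findings.append("no physical link on this interface (Speed 0 / PHY Link down); "
                        "check each hardware-switch member port instead")
    elif fields.get("link") == "up" and duplex != "full":
        findings.append(f"{duplex} duplex at {speed} Mbps with link up: duplex mismatch candidate")
    if fields.get("autoneg") == "0":
        findings.append("autonegotiation disabled: the far end must be forced to the same speed/duplex")
    for c in MISMATCH_COUNTERS:
        if _count(fields, c):
            findings.append(f"{c}={_count(fields, c)}: typical of a duplex mismatch on this link")
    rx = _count(fields, "rx_packets")
    for c in DROP_COUNTERS:
        n = _count(fields, c)
        if n:
            pct = 100.0 * n / rx if rx else 0.0
            findings.append(f"{c}={n} ({pct:.3f}% of rx_packets): "
                            "the NIC dropped inbound frames, expect TCP retransmits")
    return findings


def audit_interfaces(dumps):
    """Audit a {name: cli_output} mapping; returns {name: [findings]}."""
    return {name: audit(parse_deviceinfo(text)) for name, text in dumps.items()}


# Samples: 'internal' and 'wan1' re-typed from the thread, trimmed to the
# fields the audit uses; 'internal3' is constructed, not from the thread.
INTERNAL_OUTPUT = """Description Fortinet 100D Ethernet Driver
System_Device_Name internal
State up
Link up
PHY Link down
Speed 0
Duplex half
Rx_Packets 271120503
Tx_Packets 279265426
"""
WAN1_OUTPUT = """Driver_Name e1000e
System_Device_Name wan1
State up
Link up
Speed 1000
Duplex full
Autoneg 1
MTU_Size 1500
Statistics
rx_packets 66349708
tx_packets 46453923
rx_errors 0
collisions 0
rx_crc_errors 0
rx_align_errors 0
rx_no_buffer_count 17464
rx_missed_errors 6607
tx_abort_late_coll 0
"""
MEMBER_PORT_OUTPUT = """System_Device_Name internal3
Link up
Speed 100
Duplex half
Autoneg 1
rx_packets 120000
collisions 3412
rx_crc_errors 0
tx_abort_late_coll 87
"""
SAMPLES = {"internal": INTERNAL_OUTPUT, "wan1": WAN1_OUTPUT, "internal3": MEMBER_PORT_OUTPUT}

if __name__ == "__main__":
    for name, findings in audit_interfaces(SAMPLES).items():
        print(name)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run it against a dump of every port on the path, switch member ports included, rather than only the logical `internal` interface; a half-duplex reading with a real link speed behind it, or late collisions that keep climbing between two runs, is the thing to chase, while the `wan1` receive-drop counters are worth re-checking after the ISP work to see whether they are still growing.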


    MikePruett
    Valued Contributor

    What is the speed of the pipe (both download and upload) at each location?

    Mike Pruett Fortinet GURU | Fortinet Training Videos
    bashrael

    Speed test on remote site 230/30, on the test site 200/30
