• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3341

Fortigate VPN Network Performance

Hello Guys,

I have a network performance issue on my Fortigate 300A. I have 3 VPN connections connected in 3 different ways, and all are giving different results.

We have 25 Mbps of bandwidth.

1) VPN connected to a Fortigate 60D, which has a 1 Mbps connection, getting a copy speed of 1 Mbps, which is satisfactory.
2) VPN connected to pfSense, which has a 10 Mbps connection, getting a copy speed of only 50 Kbps.
3) VPN connected to a Fortigate 100A, which has a 512 Kbps connection, getting a copy speed of only 2 Kbps.

Can you please help to troubleshoot the issue?


Regards,
Murtaza
0
msretailit
Asked:
msretailit
1 Solution
 
David Atkin, IT Professional, Commented:
What is the speed of the connections at the other end of the VPN?
0
 
msretailit (Author) Commented:
I have mentioned the speeds also.

Please check
0
 
David Atkin, IT Professional, Commented:
Are those the speeds both ways, or is that just download/upload?
0
 
msretailit (Author) Commented:
Yes, the speed is the same for download and upload.

We have a 25 Mbps download and upload link on fiber.

1) Connection speed is 1 Mbps download and upload.
2) Connection speed is 10 Mbps download and upload.
3) Connection speed is 512 Kbps download and upload.
0
 
JohnnyCanuck Commented:
Can you verify the connections by having them go to

http://www.speedtest.net/
0
 
msretailit (Author) Commented:
Yes, it's been as mentioned.
0
 
David Atkin, IT Professional, Commented:
Disabled anti-virus on the PCs to test the transfer speeds?

Do you have any bandwidth management on the routers?
0
 
msretailit (Author) Commented:
No antivirus on those machines.

We have a Fortigate 300A and I am not doing any bandwidth management on that.

I am trying to copy from the same machine, which has access to all 3 remote locations.
0
 
Garry Glendown, Consulting and Network/Security Specialist, Commented:
I assume the lines at the remote sites were not under load when you did the performance tests ...
I also assume you do not have any speed limits configured on the VPN connection.
Could this be an MTU problem? Did you try running the sniffer to see whether you get any error packets? Are there any other CPE devices involved that might cause the low throughput? If there are any other devices, have you tried bypassing the firewall with a direct connection and measured throughput?
0
 
msretailit (Author) Commented:
I am still working on the MTU problem. I have been told by FGT Support: "MTU through the path is 1412 for the VPN. This is low. A better value is 1436 as you have for the other tunnels. Again, if the MTU stays at 1412, you are bound to experience the slowness because of the VPN fragmentation. This is expected. As discussed, the computers on either side of the tunnel will talk with an MTU of 1500, but across the VPN tunnel the MTU is only 1412. So, there will be a bottleneck here. We can only work to get the best MTU possible on the VPN by contacting the ISP to give us a better route". But my ISP is too slow to support as FGT Support. I want to make sure from my FGT side that this is not a problem from the firewall.
0
 
Garry Glendown, Consulting and Network/Security Specialist, Commented:
The MTU mostly depends on the type of line ... e.g., if you have a DSL line, you already lose part of the 1500 MTU to the PPPoE/PPPoA overhead ...
Also, please note that when packets need to be fragmented, the device that notices this will send an ICMP packet to the sending side ... if this packet does not get through (e.g. by blocking all ICMP traffic), you will notice degradation due to timeouts on the packet transmission ... so the actual fragmentation usually isn't the problem, but the timeouts are ...
For a test, try to configure two machines on either side of a VPN to e.g. 1400 bytes MTU, then do the transfer between them ... if everything goes as expected, the MTU through the tunnel is the definite cause ...
0
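Added example, not part of the original thread or any poster's code: a Python path-MTU probe that binary-searches the largest packet that crosses a tunnel with the Don't Fragment bit set, which is the measurement behind the 1412 vs 1436 figures quoted above. It assumes Linux iputils `ping` (`-M do`); the `simulated_path` helper and the 192.0.2.10 address are constructed placeholders so the block runs offline.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options

def ping_df(host, payload, timeout=2):
    """One echo request with DF set (Linux iputils ping). True if a reply came back."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(probe, low=576, high=1500):
    """Largest IP packet size in [low, high] that passes unfragmented.

    probe(payload) -> bool sends `payload` ICMP data bytes with DF set.
    A silent drop counts as "too big", so the search still works when
    ICMP "fragmentation needed" replies are filtered on the path.
    Returns None if even `low` fails (echo blocked or host unreachable).
    """
    if not probe(low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            low = mid          # mid fits, look for something larger
        else:
            high = mid - 1     # mid is too big for the path
    return low

def tcp_mss_for(mtu):
    """TCP MSS that keeps full-size segments within `mtu` (IPv4, no options)."""
    return mtu - IP_TCP_OVERHEAD

def simulated_path(mtu):
    """Constructed stand-in for a tunnel: passes packets of at most `mtu` bytes."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu

if __name__ == "__main__":
    # Constructed tunnels using the two MTU values quoted in the thread.
    for name, mtu in [("slow tunnel", 1412), ("other tunnels", 1436)]:
        found = find_path_mtu(simulated_path(mtu))
        print(f"{name}: path MTU {found}, TCP MSS {tcp_mss_for(found)}")
    # Real measurement against a host behind the tunnel (placeholder address):
    # print(find_path_mtu(lambda size: ping_df("192.0.2.10", size)))
```

On a lossy line a single dropped probe reads as "too big", so repeat the measurement before trusting a low result.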
 
msretailit (Author) Commented:
I will set that up and get back to you.
0
 
msretailit (Author) Commented:
The issue was with the ISP.
0
 
msretailit (Author) Commented:
The issue was from the ISP, not related to the Fortigate VPN.
0
