Fortigate VPN Network Performance

Hello Guys,

I have a network performance issue on my Fortigate 300A. I have 3 VPN connections connected in 3 different ways, and all of them give different results.

We have 25 Mbps of bandwidth.

1) VPN connected to a Fortigate 60D, which has a 1 Mbps connection, getting a copy speed of 1 Mbps, which is satisfactory.
2) VPN connected to pfSense, which has a 10 Mbps connection, getting a copy speed of only 50 Kbps.
3) VPN connected to a Fortigate 100A, which has a 512 Kbps connection, getting a copy speed of only 2 Kbps.

Can you please help to troubleshoot the issue?


Regards,
Murtaza
msretailit Asked:
 
msretailit (Author) Commented:
Issue was with ISP
0
 
David Atkin (Technical Director) Commented:
What is the speed of the connections at the other end of the VPN?
0
 
msretailit (Author) Commented:
I have mentioned the speeds also.

Please check.
0
 
David Atkin (Technical Director) Commented:
Are those the speeds both ways, or is that just download/upload?
0
 
msretailit (Author) Commented:
Yes, the speed is the same for download and upload.

We have a 25 Mbps download and upload link on fiber.

1) Connection speed is 1 Mbps download and upload.
2) Connection speed is 10 Mbps download and upload.
3) Connection speed is 512 Kbps download and upload.
0
 
JohnnyCanuck Commented:
Can you verify the connections by having them go to

http://www.speedtest.net/
0
 
msretailit (Author) Commented:
Yes, it's been as mentioned.
0
 
David Atkin (Technical Director) Commented:
Have you disabled anti-virus on the PCs to test the transfer speeds?

Do you have any bandwidth management on the routers?
0
 
msretailit (Author) Commented:
No antivirus on those machines.

We have a Fortigate 300A and I am not doing any bandwidth management on it.

I am trying to copy from the same machine, which has access to all 3 remote locations.
0
 
Garry Glendown (Consulting and Network/Security Specialist) Commented:
I assume the lines at the remote sites were not under load when you did the performance tests ...
I also assume you do not have any speed limits configured on the VPN connection.
Could this be an MTU problem? Did you try running the sniffer to see whether you get any error packets? Are there any other CPE devices involved that might cause the low throughput? If there are any other devices, have you tried bypassing the firewall with a direct connection and measured throughput?
0
 
msretailit (Author) Commented:
I am still working on the MTU problem. I have been told by FGT Support: "MTU through the path is 1412 for the VPN. This is low. A better value is 1436 as you have for the other tunnels. Again, if the MTU stays at 1412, you are bound to experience the slowness because of the VPN fragmentation. This is expected. As discussed, the computers on either side of the tunnel will talk with an MTU of 1500, but, across the VPN tunnel the MTU is only 1412. So, there will be a bottleneck here. We can only work to get the best MTU possible on the VPN by contacting the ISP to give us a better route". But my ISP is too slow with support compared to FGT Support. I want to make sure from my FGT side that this is not a problem with the firewall.
0
 
Garry Glendown (Consulting and Network/Security Specialist) Commented:
The MTU mostly depends on the type of line ... e.g., if you have a DSL line, you already lose part of the 1500 MTU to the PPPoE/PPPoA overhead ...
Also, please note that when packets need to be fragmented, the device that notices this will send an ICMP packet to the sending side ... if this packet does not get through (e.g. by blocking all ICMP traffic), you will notice degradation due to timeouts on the packet transmission ... so the actual fragmentation usually isn't the problem, but the timeouts are ...
For a test, try to configure two machines on either side of a VPN to e.g. 1400 bytes MTU, then do the transfer between them ... if everything goes as expected, the MTU through the tunnel is the definite cause ...
0
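
The path-MTU check discussed above, as an added example that is not from any poster in this thread: it binary-searches the largest packet that crosses the tunnel with the don't-fragment bit set, using Linux iputils `ping -M do`, and derives the matching TCP MSS. The function names, the 576-1500 search range and the simulated 1412-byte path are assumptions for illustration.

```python
import subprocess
import sys

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header
TCP_HEADER = 20   # TCP header without options


def ping_df(host, payload):
    """One echo request with DF set (Linux iputils ping). True if a reply arrived.
    A False result can also mean ordinary packet loss, so repeat before concluding."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe, low=576, high=1500):
    """Largest IP packet size in [low, high] that passes unfragmented.
    probe(payload_bytes) -> bool. Returns None if even `low` does not pass."""
    if not probe(low - IP_HEADER - ICMP_HEADER):
        return None
    while low < high:
        mid = (low + high + 1) // 2          # upper midpoint so the loop terminates
        if probe(mid - IP_HEADER - ICMP_HEADER):
            low = mid                        # mid fits: path MTU is at least mid
        else:
            high = mid - 1                   # mid was dropped: path MTU is below mid
    return low


def report(path_mtu, host_mtu=1500):
    """Summarise what a measured path MTU means for hosts using host_mtu."""
    return {
        "path_mtu": path_mtu,
        "tcp_mss": path_mtu - IP_HEADER - TCP_HEADER,  # MSS that avoids fragmentation
        "full_size_packets_fit": path_mtu >= host_mtu,
    }


def simulated_path(mtu):
    """Constructed stand-in for a tunnel: passes packets up to `mtu` bytes."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= mtu


if __name__ == "__main__":
    if len(sys.argv) > 1:   # argument: a host on the far side of the VPN
        mtu = find_path_mtu(lambda n: ping_df(sys.argv[1], n))
    else:                   # no argument: offline run against the 1412-byte figure
        mtu = find_path_mtu(simulated_path(1412))
    print(report(mtu) if mtu else "no reply even at the minimum size")
```

If large probes time out silently instead of producing a "message too long" error from `ping`, the ICMP fragmentation-needed replies are not reaching the sender, which is the timeout case described in the post above.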
 
msretailit (Author) Commented:
I will setup that and get back to you.
0
 
msretailit (Author) Commented:
The issue was from the ISP, not related to the Fortigate VPN.
0
Question has a verified solution.