Solved

Fortigate VPN Network Performance

Posted on 2013-12-22
Last Modified: 2014-02-23
Hello Guys,

I have a network performance issue on my Fortigate 300A. I have 3 VPN connections connected in 3 different ways, and all are giving different results.

We have 25 Mbps of bandwidth.

1) VPN connected to a Fortigate 60D, which has a 1 Mbps connection, getting a copy speed of 1 Mbps, which is satisfactory.
2) VPN connected to a pfSense, which has a 10 Mbps connection, getting a copy speed of only 50 Kbps.
3) VPN connected to a Fortigate 100A, which has a 512 Kbps connection, getting a copy speed of only 2 Kbps.

Can you please help to troubleshoot the issue?


Regards,
Murtaza
Question by:msretailit
16 Comments
 
LVL 22

Expert Comment

by:David Atkin
ID: 39735801
What is the speed of the connections at the other end of the VPN?
0
 

Author Comment

by:msretailit
ID: 39735817
I have mentioned the speeds also.

Please check
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39735822
Is that the speeds both way or is that just download/upload?
0
 

Author Comment

by:msretailit
ID: 39735828
Yes, the speed is the same for download and upload.

We have a 25 Mbps download and upload link on fiber.

1) Connection speed is 1 Mbps download and upload.
2) Connection speed is 10 Mbps download and upload.
3) Connection speed is 512 Kbps download and upload.
0
 
LVL 14

Expert Comment

by:JohnnyCanuck
ID: 39735914
Can you verify the connections by having them go to

http://www.speedtest.net/
0
 

Author Comment

by:msretailit
ID: 39735952
Yes, it's been as mentioned.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39735961
Disabled anti-virus on the PCs to test the transfer speeds?

Do you have any bandwidth management on the routers?
0
 

Author Comment

by:msretailit
ID: 39735971
No antivirus on those machines.

We have a Fortigate 300A and I am not doing any bandwidth management on it.

I am trying to copy from the same machine, which has access to all 3 remote locations.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39751156
I assume the lines at the remote sites are not under load when you did the performance tests ...
I also assume you do not have any speed limits configured on the VPN connection.
Could this be an MTU-problem? Did you try running the sniffer to see whether you get any error packets? Are there any other CPE devices involved that might cause the low throughput? If there are any other devices, have you tried bypassing the firewall with a direct connection and measured throughput?
0
 

Author Comment

by:msretailit
ID: 39751163
I am still working on the MTU problem. I have been told by FGT Support: "MTU through the path is 1412 for the VPN. This is low. A better value is 1436, as you have for the other tunnels. Again, if the MTU stays at 1412, you are bound to experience the slowness because of the VPN fragmentation. This is expected. As discussed, the computers on either side of the tunnel will talk with an MTU of 1500, but across the VPN tunnel the MTU is only 1412. So, there will be a bottleneck here. We can only work to get the best MTU possible on the VPN by contacting the ISP to give us a better route." But my ISP is too slow to support as FGT Support. I want to make sure from my FGT side that this is not a problem from the firewall.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39751177
The MTU mostly depends on the type of line ... e.g., if you have a DSL line, you already lose part of the 1500 MTU to the PPPoE/PPPoA overhead ...
Also, please note that when packets need to be fragmented, the device that notices this will send an ICMP packet to the sending side ... if this packet does not get through (e.g. by blocking all ICMP traffic), you will notice degradation due to timeouts on the packet transmission ... so the actual fragmentation usually isn't the problem, but the timeouts are ...
For a test, try to configure two machines, one on either side of a VPN, to e.g. 1400 bytes MTU, then do the transfer between them ... if everything goes as expected, the MTU through the tunnel is the definite cause ...
0
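An added example, not part of Garry-G's post: a small script that measures the usable MTU through a tunnel with DF-bit pings and reports whether the ICMP "fragmentation needed" error comes back or is silently dropped, which is the timeout case described above. It assumes Linux iputils `ping` and its usual output wording; `192.0.2.10` is a placeholder for a host on the far side of the VPN.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux iputils ping:
#   -M do sets the DF bit; -s is the ICMP payload size (IP packet = payload + 28).

# probe SIZE HOST: succeeds if an IP packet of SIZE bytes gets a reply with DF set.
probe() {
    ping -M do -c 1 -W 2 -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH]: print the largest IP packet size that passes
# unfragmented, found by binary search between LOW and HIGH.
find_pmtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    # If even the floor fails, the host is unreachable or echo is filtered.
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# classify_oversize PING_OUTPUT: given the output of a DF ping one byte larger
# than the measured path MTU, report whether the sender learned the limit.
#   "Frag needed"      -> a router returned the ICMP error
#   "essage too long"  -> the kernel already cached the smaller path MTU
#   anything else      -> no error came back; senders will stall on timeouts
classify_oversize() {
    case $1 in
        *"Frag needed"*|*"essage too long"*) echo "icmp-returned" ;;
        *) echo "silent-drop" ;;
    esac
}

# Usage from a machine behind the local firewall:
#   mtu=$(find_pmtu 192.0.2.10) && echo "path MTU: $mtu"
#   out=$(ping -M do -c 1 -W 2 -s "$(( mtu + 1 - 28 ))" 192.0.2.10 2>&1)
#   classify_oversize "$out"
```

A result of 1412 or 1436 can be compared directly with the figures quoted from FGT Support; a `silent-drop` result points at ICMP being filtered somewhere on the path rather than at fragmentation itself.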
 

Author Comment

by:msretailit
ID: 39751195
I will setup that and get back to you.
0
 

Accepted Solution

by:
msretailit earned 0 total points
ID: 39869618
Issue was with ISP
0
 

Author Closing Comment

by:msretailit
ID: 39880359
The issue was from the ISP, not related to the Fortigate VPN.
0
