Slow VPN connection over Charter Spectrum and Fortinet equipment

Two offices connected using site-2-site VPN on FortiGate 40C devices. Both units were running flawlessly on CenturyLink 6Mbps/768Kbps. Once we changed over to Spectrum 100Mbps/7Mbps the VPN is 1/10 of the previous performance or worse! The download speeds are excellent outside of the VPN on both sides. Charter Spectrum has looked at both sides. They claim everything is perfect. The remote office only connects to a Terminal Server using RDP sessions. If I connect outside of the VPN it is amazing! However the added security of the VPN is a must. So this was done as a trial and not acceptable. Fortinet has been working on this for months and continues to blame Charter. Over the VPN, the RDP sessions are very slow. If you attempt to copy a 200MB file over the VPN it will never get past calculating. If you attempt to copy a 2MB file it may or may not get there. I have recreated the VPN tunnel and had Fortinet verify things.

Here is what Fortinet says:
The TCP Retransmissions occur when the transmitting server does not receive TCP-ACK from the receiving end. Some possible causes of not receiving TCP-ACK are:

This might be due to bad cabling/interface or duplex mismatch on ISP.

I agree this does sound like a duplex mismatch type end result, but is it possible Charter doesn't know what they have?
Jason Johanknecht, IT Manager, asked:
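
Fortinet's diagnosis in the question rests on TCP retransmissions. As an added example (not from the thread, Fortinet or Charter), the Python below counts retransmitted data segments in two captures so the in-tunnel and out-of-tunnel paths can be compared with a number. The `Segment` record, the function name and both sample captures are constructed for illustration, and sequence-number wraparound is ignored.

```python
from collections import namedtuple

# One captured TCP segment: flow identifier, sequence number, payload length.
# (Hypothetical record type; real values would come from a packet capture.)
Segment = namedtuple("Segment", "flow seq length")


def retransmission_stats(segments):
    """Return (data_segments, retransmitted, rate) for a list of Segments.

    Heuristic: a data segment counts as a retransmission when all of its
    bytes lie at or below the highest sequence number already seen on that
    flow. Out-of-order delivery is counted the same way, so treat the rate
    as an upper bound.
    """
    highest_end = {}  # flow -> highest (seq + length) seen so far
    data = retrans = 0
    for s in segments:
        if s.length == 0:  # pure ACKs carry no data to retransmit
            continue
        data += 1
        end = s.seq + s.length
        if s.flow in highest_end and end <= highest_end[s.flow]:
            retrans += 1
        else:
            highest_end[s.flow] = max(end, highest_end.get(s.flow, 0))
    rate = retrans / data if data else 0.0
    return data, retrans, rate


# Constructed sample: ten in-order segments, as seen outside the VPN.
OUTSIDE_VPN = [Segment("rdp", 1000 + i * 1400, 1400) for i in range(10)]

# Constructed sample: the sender repeats segments whose ACK never arrived,
# as Fortinet describes for the traffic inside the tunnel.
_base = [Segment("rdp", 1000 + i * 1400, 1400) for i in range(6)]
OVER_VPN = (_base[:3] + [_base[2], _base[2]] + _base[3:5]
            + [_base[4]] + _base[5:] + [Segment("rdp", 0, 0)])

if __name__ == "__main__":
    for name, capture in (("outside VPN", OUTSIDE_VPN), ("over VPN", OVER_VPN)):
        data, retrans, rate = retransmission_stats(capture)
        print(f"{name}: {retrans}/{data} data segments retransmitted ({rate:.0%})")
```

A high rate only inside the tunnel, with a clean path outside it, points at something on the path treating the IPsec traffic differently rather than at the endpoints.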

Dr. Klahn, Principal Software Engineer, commented:
... is it possible Charter doesn't know what they have?

I am going to offer an opinion here, which should be considered such ...

It's not only possible, it's nearly a certainty.  I live in a Charter single-source service area.  Since they have a captive market, their tech support is (a) outsourced and (b) absolutely helpless when it comes to anything other than cycling the power and checking the cable connection.

But here's the rub.  Even if you put a network sniffer on the network between the Charter modem and the Fortinet server, and prove it's a Charter issue, their response is likely to be "It works great for everybody else in town, because they can all get to AOL and Hulu.  Therefore it's your equipment, which is non-standard."
Jason Johanknecht, IT Manager (author), commented:
Working with Charter currently to see if they can find anything else. They confirmed the firmware of the cable modems is set to full duplex (not auto negotiate).
Jason Johanknecht, IT Manager (author), commented:
Now they are saying it is auto negotiate and will check on the duplex.

Jason Johanknecht, IT Manager (author), commented:
They are sure everything is Full Duplex. They claim to not block any packets. I do have other clients that use Checkpoint VPN, but no site-to-site. The software client works great with Checkpoint. They both use IPSEC. Anyone have any other ideas? I don't think Charter is even trying to resolve this issue.
Jason Johanknecht, IT Manager (author), commented:
Charter finished their testing and found that Hi-Trens (I think it is the brand) was extremely poor at handling IPSEC packets. They are going to try another modem at both locations. They will be installed by Charter on Feb 28th, so I won't have another update for some time.

Jason Johanknecht, IT Manager (author), commented:
Charter finally replaced the modems with Ubee brand, and the VPN works for the first time! Hard to believe a modern-day cable modem cannot handle IPSEC packets.