Slow SMB over WAN?

mobot used Ask the Experts™
If you need additional info please let me know. Thanks for taking a look at our post.

The problem slow SMB over WAN. Latency avg 27ms  Wiresharks shows the Windows Size is small 8012 for SMB traffic.  Bandwidth 100 MBPS both up and down.  Speed out to the Internet is great both up and down.

Site to Site VPN setup between two Fortigates.  

Copying and opening files between the two sites is slow.  Branch Office has a mix of Win7 and Win10 on the Desktops.  Fileserver is running Win2016.  I have three remote sites with the same problem.  Wireshark tells us we're running SMB 2.0.  

I'm asking for suggestions to increase the file transfer speed over the WAN.  

Fortinet's TAC Level 3 has checked and double checked the Fortigates for misconfiguration errors.  
We have  done things like reduce the MTU size on the Fortigates.  Ran continuous pings on both the private and public interfaces looking for dropped packets.
Checked for mismatched duplexing.  Updated the Fortigates Firmware, Attached laptops directly to the Fortigates and copied files between them, ran Iperf both TCP and UDP between them, etc, etc.

We've read document after document on slow SMB over WAN.  Performance tuning for SMB. -
We've added the registry key for SizReqBuf, and set it to ffff.
Windows Size Scaling is mentioned.  This link mentions Windows Scaling is enabled by default in all recent implementations.

How to fix TCP windowing
The TCP window size is controlled by the end devices, not by the routers, switches, or firewalls that happen to be in the middle. The devices actively and dynamically negotiate the window size throughout the session.
But as I mentioned earlier, the TCP mechanism was designed for network bandwidth that’s orders of magnitude slower than what we have today. So some implementations still enforce a maximum window size of 64KB. You can get around this by enabling windows scaling, which allows windows of up to 1GB.
Windows scaling was introduced in RFC 1323 to solve the problem of TCP windowing on fast, reliable networks. It’s available as an option in any modern TCP implementation. The only question is whether it’s been enabled properly.
In all recent Microsoft Windows implementations, windows scaling is enabled by default. You ‘ll find places on the Internet telling you to change registry values to increase your window size, but depending on the Windows version you’re using, these changes will have no effect. The values may no longer even exist. Bottom line, you don’t need to fix TCP windowing in Windows, either clients or servers.

A few links we've read.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Dr. KlahnPrincipal Software Engineer

We have  done things like reduce the MTU size on the Fortigates.

This can only make things worse.  The Fortigates should be set to the standard MTU size of 1500.  Reducing MTU size causes packet fragmentation.  Time is lost sending multiple packets where one would do and the reverse is also true; time can be lost reassembling multiple packets into one.

Bandwidth 100 MBPS both up and down.

LAN speed or WAN speed?  LAN speed machts nicht when the packets go onto the internet where they are at the mercy of your ISP and network weather.  Packets can't go onto the WAN faster than WAN speed, and contrariwise packets can't come off the WAN faster than WAN speed.  100 Mbps would be pretty fast for a WAN connection.

What are the speeds you're observing?
Senior Managed Services Specialist
Whenever I've had issues like this I've always disabled all the unneeded features packed on to the NIC driver.  

IPv4 Checksum Offload – set to Disable
Large Send Offload V2 (IPv4) – set to Disable
Large Send Offload V2 (IPv6) – set to Disable
Receive Side Scaling – set to Disable
Recv Segment Coalescing (IPv4) – set to Disable
Recv Segment Coalescing (IPv6) – set to Disable

TCP Checksum Offload (IPv4) – set to Disable
TCP Checksum Offload (IPv6) – set to Disable
UPD Checksum Offload (IPv4) – set to Disable
UDP Checksum Offload (IPv4) – set to Disable

The Receive Side Scaling and Recv Segment Coalescing make the biggest difference, in my experience.  It can't hurt to try...
John TsioumprisSoftware & Systems Engineer

If you want to test the whole setup..the easiest method should be to bypass just about everything and connect a laptop on each router ( I mean the router that connects directly to the Internet)...setup a FTP server/Client ....Filezilla (?) and then test the connection by in turn assigning one laptop as the Server and the other as the client...just send some files and observe speed and latency (i reckon that you have good Internet connection because here in poor Greece my lowest was 50 its around 90-100ms and it can go up to 300+) ...write down the numbers and compare them to your current setup...
If you get a match then your setup is good...if not you need to check by moving in reverse...the laptop instead of the router connects a level up...(e.g router --> firewall --> switch ...)
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

nociSoftware Engineer
Distinguished Expert 2018

In stead of FTP use something like netio or iperf3 for assessing network speeds that cuts the disk bandwidth from the network equation.


I don't mean to sound repetitive, regarding Fortinet, we did what they asked us to do.

@Dr. Klahn - Reducing MTU was suggested by a Fortinet.  We have average speed of 355 KBPS transferring files using SMB.

@WiReDWolf - The Windows 2016 file server is a VMWare guest.  Can you edit those settings on the NIC for just that VMWare guest?

@John Tsioumpris - We're confident that the circuit between the two points is good.  We have reached out to the ISP's and asked them to check it out.  We also have access to a Dashboard the ISP provides to monitor a number of things such as bandwidth and network interface utilization. We have attached a laptop to the ISP router and ran speed tests out to the Internet.  We have not attached a laptop on each end as you suggest.  We have attached a laptop directly into the Firewalls and transferred files between them.  We used Wireshark to capture the packet flow.  We've also used Fortinet's packet capture tool and saved the output to a file for Fortinet's engineers to review.

@noci - We have used Iperf3 to measure speed while having the laptops attached directly to the Fortigates.  We used Wireshark to capture the output to a file for review.  "NOCI" I'm not familiar with.  Iperf the best speeds we measured was around 5MBPS.  I need to go back and review my notes to be sure.  At the moment I'm working from memory. Also note at the branch office the upload speed is 20MBPS,  I've read that the max speed you can expect is based on what the upload speed is.

The thing that is the common denominator is the Window size we see in Wireshark.  For SMB traffic it's quite small.
Two questions: How is that Window size determined?  Is there a way to increase it for the SMB protocol?

Reading about SMB it seems the devices on each end (the workstation and the file server) determine the Window size when setting up the initial TCP\IP session.  Check me if I'm wrong on this point.
The Windows Sliding scale is used to increase the size.  And the Windows Sliding scale is enabled by default.  Check me on this point if I'm wrong.

Thank you all for your input.  I look forward to hearing back from you.
nociSoftware Engineer
Distinguished Expert 2018

You are correct. The upload speed is a limiting factor. So if you have a DSL 100/10 then 10Mbps is the upload speed. and would be the limit for that site to end data or the other side to receive data from here. (obviously the connection must be shared between several users).
The speed might also be limited by the capturing while measuring with iperf.

The windows size should be increased with no retransmits & lost packets. The window size should decrease when a lot of retransmits are needed. (it is the receiver buffer size and when the sender should expect an ACK).
Some explanation in this video:

Even if the windows size IS say 64K even then if a packet is sent of only 100 Bytes then those will be acked after a short while..
And please mind your units... m = milli, M = Mega, B = Bytes, b=bits   datacomm speeds are measured in bits per second (bps) for short.   MBPS != mbps as (1000000 BYTES per second != 0.001 bit per second)  about factor ~10 Billion  or 10 orders of magnitude in difference.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

To exclude fragmentation, you can use
mturoute -t target.ip.addr.ess

Open in new window

( on your laptop. It should show if fragmentation occurs, and at which hop.
If you see the MTU being decreased, e.g. because of the MTU change in the FortiGate, reduce the client MTU with
    netsh interface ipv4 set subinterface LAN mtu=1400 store=persistent

Open in new window

where LAN is the displayed name of the NIC, and MTU should be obvious. If fragmentation is an issue, setting the client MTU lower than the result of mturoute should increase performance significantly.
Jason ZondagSenior Managed Services Specialist

To answer the question asked of me about VMware guests - the answer is definitely.  Which VMware NIC driver are you using?  If using the Intel E1000 you really need to change that to the VMXNET3 driver.

I agree with noci as well - you keep saying MBPS as opposed to Mbps, which is a huge difference.  Let's make sure we're talking about the same thing.

Also, Site to SIte VPN can use different levels of encryption.  There is going to be a noticeable overhead regardless simply because the traffic is having to be encrypted/decrypted at each end.  Assuming you're using IPSEC, have you investigated which protocols will grant the greater speeds? 3DES vs AES for example?  

There appear to be a lot of variables here making it difficult to pin down exactly where you may have a speed issue.


@noci - I'll mind the units.  Does the Windows size scaling happen automatically?

@Qlemo - Thanks for the command.  I'll give it a go.

@WiReDWolf - We're using the VMXNET3 driver.  Thanks for the confirmation on configuring the nic's.  We are using IPSEC, and we've tried different encryption protocols.  We have not noted any major difference in the file transfer speeds.  3DES and SHA1 is what we started with, currently using AES256 and SHA256.  
We've been advised to open a ticket with MS about the Window size.  We're being told that if we can increase the size of the Window we'll get better throughput.

Thanks again.


@WiReDWolf - after disabling the unneeeded features on the nic.  Do you need to reboot to implement the new nic config?

Jason ZondagSenior Managed Services Specialist

No, not that I remember.  There is a brief network disruption while the driver resets.  That's about it.


Thank to all of you.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial