- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Very slow responses to anything internal when conn...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very slow responses to anything internal when connected to ssl vpn
Hey guys,
Please bear with me here, as I work way more with couple other vendors, though I would say Im fairly verse when it comes to Fortinet : - ). Anyway, here is the scenario. Customer purchased 2 brand new 200F firewalls and we have really odd problem and my colleague (who btw is real Fortigate guru) are having heck of a time trying to fix this problem. Essentially, even if single person is connected to ssl vpn, responses to anything internal are real slow and ping times can go up to 2000 seconds. We tried failover, no luck, disabled assic offload for ssl vpn rule, tested multiple barebone forticlient versions (no luck), enabled DTLS tunnel option, same issue.
Now, there are only maybe 6-7 security rules configured, so its super basic. We even have TAC case open for this for about a week, but since they cant replicate it, guy suggested to try reboot the current primary firewall. I have no clue if that will help, as it has been up for only 35 days, but it would need to be scheduled with the customer.
Also, maybe worth pointing out, ssl vpn rule does NOT have any security profiles configured at all.
This week, I attempted things from below posts, but same issue persists.
Troubleshooting Tip: ‘SSL-VPN slow file transfer ... - Fortinet Community
Solved: SSL VPN poor speed - Fortinet Community
Fortigate slow SSL VPN throughput : r/networking (reddit.com)
Current version is 7.2.5
Any help/suggestions are welcome and highly appreciated!
Thanks so much in advance.
Kind regards.
AB
AB
Labels:
- Labels:
-
FortiGate
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Andy,
if TAC cannot replicate it, can you replicate it in a lab to be able to further troubleshoot it without having to ask the customer for maintenance windows?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Danny,
Well, when I test this from my own work laptop or even my personal desktop, I have exact same issue.
Andy
AB
AB
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. So reboot your lab firewall that shows the same symptoms and you are able to reply to TAC.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im not connected to lab firewall. What Im saying is when I connect to their ssl vpn from my work laptop using forti client, I have exact same issue.
AB
AB
Created on 10-18-2023 07:02 AM Edited on 10-18-2023 07:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I understand that. In order to avoid asking your customer for a maintenance schedule I recommend that you first try to replicate the issue on a lab FortiGate. That's what I do for our customers all the time.. trying to replicate the issue.. then fixing it in the lab.. after solution has been found.. inform the customer and perform the change in the customers' production environment.
Setting up a lab is free and easy. Just download a FortiGate VM issue of the same FortiOS version that is in use at your customers' producation environment. Import the and adjust the configuration and ready to test.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See, thats the issue, we cant replicate it in our lab either...
AB
AB
Created on 10-18-2023 07:07 AM Edited on 10-18-2023 07:09 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then I only see two options:
- ask the customer regarding the reboot as advised by TAC
- ask the customer to send you the standby appliance to be able to test with that one in your lab
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let us see if they approve the reboot, it might help.
AB
AB
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, sorry for the late reply, I see 2 ways - Short one and Long one, I'd start with the Short.
Short:
- Upgrade to 7.2.6, on 10th of October Fortinet released PSIRT alert on versions including 7.2.5 on password disclosure in SSL VPN https://www.fortiguard.com/psirt/FG-IR-23-120 so it would be a great "selling" point to the client. On the way it will do a reboot, and make sure you haven't stumbled on a hard-to-replicate bug in 7.2.5. In general, with FortiOS, the convention is to deem versions up to x.x.6 as QA releases. I've started deploying 7.2.6 and so far looks good.
Long:
- First: there is (almost) no configuration parameter that can cause such a problem intentionally, so it is not a misconfiguration (I guess you are using FortiClient in Tunnel mode, not Web mode proxying where slowness is not a bug but a feature?)
- Check health params on the FGT while experiencing the problem - CPU load, memory consumption.
- Check MTU inside the tunnel, as MTU misalignment may cause fragmentation/defrag deteriorating the connection (it is set automatically on FC connect).
- Try different protocols inside the tunnel - FTP/HTTP to see may be it is some specific protocol, like SMB is known to become very slow on VPNs, as opposed to FTP/HTTP.
- Look in logs for anything outstanding
- run a sniffer in the FGT to look for retransmits, damaged packets, low MSS for TCP packets.
- Run ping inside the tunnel and compare to the ping over the clear text to the FGTs WAN IP to see if this slowness shows in the very basic ICMP traffic as well.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Related Posts
- Can't ping VLAN interfaces through VPN 17 Views
- VLan fortigate 218 Views
- Help setting up internet access for... 172 Views
- ipv6 - internal lan interface cannot... 312 Views
- Connecting Two SIP Trunks with Different... 274 Views
Labels
-
FortiGate
6,532 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.