FGT HTTPS Mgmt Access via IPsec VPN to Mgmt Loopback Interface is very slow!

Author
thrillseeker
2017/10/12 15:13:29 (permalink)


Hi all,
 
We are managing multiple customer devices on remote sites via a dedicated mgmt IPsec S2S VPN (P1/P2 shared secret, IKEv2, AES-256, SHA384, DH20, DPD enabled). The hub device for this mgmt VPN is a FG-600D running FOS 5.4.4, and the spokes are FGT-60Es and FGT-100Es also running FOS 5.4.4.
The mgmt access via IPsec tunnel is on a dedicated mgmt loopback interface. When I try to access the FGT web UI via IPsec VPN to the loopback interface, it takes up to 10 seconds until the login window appears. We are managing multiple devices like this for the same customer, and all devices have more or less the same delay until we are able to do an HTTPS login to the FGT. The funny thing is that after login the delay is no longer noticeable. When connecting over SSH we do not have any delay. Could that possibly be an IPsec fragmentation issue?
 
When connecting directly from the internet on wan1 without IPsec (using local-in policies), we have no delay and the web UI login form loads quickly.
 
Any ideas or suggestions?
Thanks a lot for feedback
Thrillseeker
#1


    thrillseeker
    Re: FGT HTTPS Mgmt Access via IPsec VPN to Mgmt Loopback Interface is very slow! 2017/10/15 11:44:21
    Nobody has an idea?
    Thanks for any hints...
    thx, Thrillseeker
    #2
    tanr
    Re: FGT HTTPS Mgmt Access via IPsec VPN to Mgmt Loopback Interface is very slow! 2017/10/15 12:42:58
    I'm doing something similar, with management over IPsec VPN, FGTs with 5.4.5 on each end. I haven't noticed anything like the delay you describe.
     
    I'm not using a dedicated loopback interface for management. Regarding the fragmentation, I've got the MTU adjusted for the VPN, but I don't recall seeing a slow-down before I changed the MTU.
     
    Questions:
    1. These are interface VPNs, not policy VPNs?
    2. For your phase1-interface config, do you have npu-offload enabled or disabled? There had been some issues with NPU offloading in previous versions; see https://forum.fortinet.com/tm.aspx?m=138192&fp=5 for a discussion of it.
    3. Don't suppose you upgraded the firewalls to a new version recently? The couple of times I've had horrible GUI performance (and other weirdness) were when I hadn't flushed the browser cache after an upgrade.
    #3
    thrillseeker
    Re: FGT HTTPS Mgmt Access via IPsec VPN to Mgmt Loopback Interface is very slow! 2017/10/25 15:14:46
    Hi Tanr,
     
    Thanks for your answer.
    Regarding your questions:
    1. All route-based VPNs, not policy-based
    2. All default, so I think NPU offloading will be active
    3. No, we did a fresh install with 5.4.4 for all devices
     
    As I wrote, the latency is only there when connecting via VPN. Directly to WAN (HTTPS) is fine.
     
    Any other ideas?
    Thanks
    Lukas
    #4
    tanr
    Re: FGT HTTPS Mgmt Access via IPsec VPN to Mgmt Loopback Interface is very slow! 2017/10/26 07:57:56
    Sorry, I don't have any other immediate ideas, except for trying it with your phase1-interface configs having npu-offload disabled, just in case.
     
    Beyond that, use the diag debug tools (http://cookbook.fortinet.com/ipsec-vpn-troubleshooting/) and just look through the output.
     
    Sounds like a good candidate to open a support ticket with Fortinet. 
    Though I bet their first suggestion will be to update to 5.4.5 or 5.4.6.
    #5
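Before opening a ticket, it helps to pin the 10-second delay to a phase of the HTTPS connection. The script below is an added example, not from either poster: it uses curl's timing variables to split one fetch of the login page into TCP connect, TLS handshake and first-byte time, and classifies which phase dominates. A slow TLS handshake with a fast TCP connect is consistent with the fragmentation theory raised above (the certificate records are full-size packets, unlike SSH's small key-exchange messages), while a slow first byte with a fast handshake points at the device itself. The management loopback URL is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the thread). Requires curl on the admin host.

# Print "connect appconnect starttransfer" (seconds since start) for one
# HTTPS GET of the login page. -k because the mgmt GUI cert is usually
# self-signed; -s/-o discard the body, only the timings are of interest.
measure_https() {
    url="$1"
    curl -k -s -o /dev/null \
        -w '%{time_connect} %{time_appconnect} %{time_starttransfer}\n' \
        "$url"
}

# Turn the three cumulative timings into per-phase durations and report the
# first phase that exceeds the threshold (default 1.0 s):
#   tcp-connect     : SYN/SYN-ACK over the tunnel is slow (routing, ESP path)
#   tls-handshake   : connect is fine but the certificate exchange stalls
#                     (typical of path-MTU/fragmentation trouble)
#   server-response : handshake is fine, the GUI itself answers late
#   ok              : nothing exceeded the threshold
classify_timing() {
    connect="$1" appconnect="$2" starttransfer="$3" threshold="${4:-1.0}"
    awk -v c="$connect" -v a="$appconnect" -v s="$starttransfer" \
        -v t="$threshold" 'BEGIN {
        tcp = c; tls = a - c; http = s - a
        if (tcp  >= t) { print "tcp-connect";     exit }
        if (tls  >= t) { print "tls-handshake";   exit }
        if (http >= t) { print "server-response"; exit }
        print "ok"
    }'
}

# Usage: sh this_script.sh https://<mgmt-loopback-ip>/   (placeholder URL)
if [ -n "${1:-}" ]; then
    timings=$(measure_https "$1")
    echo "timings: $timings"
    # shellcheck disable=SC2086  # word-splitting the three fields is intended
    echo "dominant phase: $(classify_timing $timings)"
fi
```

Run it once through the tunnel and once against wan1 with the local-in policy; the phase that differs between the two runs is where to point the `diag debug` output.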