traffic flow over IPsec very slow

Author
elyes
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/10/07 12:08:00
  • Status: offline
2017/11/14 08:20:56 (permalink)
0

traffic flow over IPsec very slow

Hello,
I have established a VPN between a 300D and a 60D. Users are facing slowness issues.
I have noticed a weird thing! The MTU of the VPN interface is 1446 (enc 3DES), but when I ping remote machines with a data size of 1478 it fails first and then it works (ping -f -l 1478 x.x.x.x).
For me, the value shouldn't be bigger than 1418 (as the ping has a header size of 28 bytes).
I also tried to set MSS on both policies (in/out) on both firewalls to avoid the latency, but it didn't help.
 
Can you help on this topic?
Thanks
#1

10 Replies

    elyes
    New Member
    • Total Posts : 12
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/10/07 12:08:00
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 06:23:35 (permalink)
    0
    any help? 
    #2
    Sebastiaan Koopmans
    Silver Member
    • Total Posts : 62
    • Scores: 6
    • Reward points: 0
    • Joined: 2016/04/12 01:29:43
    • Location: Netherlands
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 06:52:52 (permalink)
    0
    Which firmware are you using in the Fortigates?

    FortiGate 300D HA 5.4.6
    FortiMail VM / 5.4.2
    FortiEMS / 1.2.2
    FortiSandbox VM / 2.5.0
    FortiAnalyser / 5.6.0
    FortiWeb / 5.8.5
    FortiClient / 5.6.2
    #3
    elyes
    New Member
    • Total Posts : 12
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/10/07 12:08:00
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 06:58:20 (permalink)
    0
    5.4.4
    #4
    Sebastiaan Koopmans
    Silver Member
    • Total Posts : 62
    • Scores: 6
    • Reward points: 0
    • Joined: 2016/04/12 01:29:43
    • Location: Netherlands
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 07:00:26 (permalink)
    0
    We are also facing almost the same issues with slow VPN (IPsec and SSL). What are the specs of the WAN connection? 100 Mbit+?
    #5
    elyes
    New Member
    • Total Posts : 12
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/10/07 12:08:00
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 07:03:25 (permalink)
    0
    ~30mbits
    #6
    Sebastiaan Koopmans
    Silver Member
    • Total Posts : 62
    • Scores: 6
    • Reward points: 0
    • Joined: 2016/04/12 01:29:43
    • Location: Netherlands
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 07:04:09 (permalink)
    0
    both sites are 30mbit?
    #7
    elyes
    New Member
    • Total Posts : 12
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/10/07 12:08:00
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 07:20:32 (permalink)
    0
    yes. did you manage to solve your issues?
    #8
    Sebastiaan Koopmans
    Silver Member
    • Total Posts : 62
    • Scores: 6
    • Reward points: 0
    • Joined: 2016/04/12 01:29:43
    • Location: Netherlands
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 07:24:28 (permalink)
    0
    No, in our case it has to do with a WAN line that is 100+ Mbit.
    That should be fixed in 5.6.x .
    In your case the first suggestion is to upgrade to 5.4.6 because there are some IPSec fixes in that release.
    #9
    btp
    Bronze Member
    • Total Posts : 25
    • Scores: 1
    • Reward points: 0
    • Joined: 2007/09/26 02:02:57
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/20 12:08:54 (permalink)
    0
    We use a lot of FG60D on our own fiber (3-400 units). They should be able to push 5-700Mbps IF you don't bother it with things to process in CPU. That would be traffic shaping, priority, IPS, BFD etc.
     
    To see the MTU of the interface:
    # fnsysctl ifconfig IPSEC
    IPSEC   Link encap:Unknown
            UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1438 Metric:1
            RX packets:173295762 errors:0 dropped:0 overruns:0 frame:0
            TX packets:194955503 errors:46 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:54308250008 (50.6 GB) TX bytes:19829754658 (18.5 GB)
     
    In this case, with 28B Ethernet header, you should get 1410B payload through without fragmentation:
     
    # execute ping-options df-bit yes
    # execute ping-options data-size 1410
    # execute ping 172.18.76.12
    PING 172.18.76.12 (172.18.76.12): 1410 data bytes
    1418 bytes from 172.18.76.12: icmp_seq=0 ttl=255 time=1.0 ms
     
    # execute ping-options data-size 1411
    # execute ping 172.18.76.12
    PING 172.18.76.12 (172.18.76.12): 1411 data bytes
    --- 172.18.76.12 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
     
    You should also verify that the traffic is indeed offloaded to the NPU and that none of the parameters under SOFTWARE are >0;
     
    # diag vpn ipsec status
    (...)
    SOFTWARE:
            null:   0 0
            des:    0 0
            3des:   0 0
            aes:    0 0
            aria:   0 0
            seed:   0 0
            null:   0 0
            md5:    0 0
            sha1:   0 0
            sha256: 0 0
            sha384: 0 0
            sha512: 0 0
    post edited by btp - 2017/11/20 12:22:00
    #10
    elyes
    New Member
    • Total Posts : 12
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/10/07 12:08:00
    • Status: offline
    Re: traffic flow over IPsec very slow 2017/11/21 02:25:14 (permalink)
    0
    Thank you for the reply.
    The traffic is correctly offloaded.
    I noticed that the MTU is respected if I try to ping the 60D from the 300D, but when the users try to ping -f from a machine behind the 60D to a machine behind the 300D, ping -f -l 1472 works!!!!
    It fails the first time, then it works.
     
    I even tried to set tcp-mss sender/receiver on both policies of both firewalls, BUT it didn't help; ping 1472 still works.
     
    My last failed test was to disable npu offload.
    #11