Site to site traffic flow over IPsec very slow

Wabo84
2017/11/26 19:13:49 (permalink)

Fortigate 100D to 100E on fiber site A 150/150 to fiber  Site B 250/250.
 
I transfer from site B to site A on FTP at 145 mbits outside the VPN and 10 mbits on the same servers through the VPN.
 
I have the same performance through vpnssl  from my home (10mbits)
 
On ftp from my home 145mbits on site A and 230 from site B
 
I reach almost the speed of the fiber outside the VPN.
 
CPUs work at 5-10%
 
Same result with 5.4.4 and now 5.6.2....
 
Enabling or disabling DTLS changes nothing:
config vpn ssl settings
    set dtls-tunnel enable/disable
end
 
Ideas?
 
#1


    Iescudero
    Re: Site to site traffic flow over IPsec very slow 2017/11/27 07:06:24 (permalink)
    Hi there!
    Maybe a dumb question, but do you have a traffic shaper or any UTM feature applied on any policies?
    Is the transfer protocol always FTP?
    Is the IPsec tunnel an interface mode tunnel?
     
    #2
    Wabo84
    Re: Site to site traffic flow over IPsec very slow 2017/11/27 07:13:27 (permalink)
    No traffic shaper, no UTM.
     
    All transfers are slow... FTP, SMB...
     
    Yes, interface; the last test we created with the VPN wizard on both sides...
    #3
    Iescudero
    Re: Site to site traffic flow over IPsec very slow 2017/11/27 08:21:17 (permalink)
    According to the datasheet, the IPsec VPN throughput of each is:
    Fortigate 100D: 380 Mbps
    Fortigate 100E: 4 Gbps
    So, this should work fine.
     
    Can you disable the acceleration?
    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/acceleration-overview.htm
     
    Maybe the SoC or the NPU is the issue.
     
    If this does not solve the problem, you've got to do some troubleshooting, like checking error logs and discarded packets, or debugging VPN traffic to obtain more data.
     
     
    #4
    bommi
    Re: Site to site traffic flow over IPsec very slow 2017/11/27 09:34:43 (permalink)
    Hi,
     
    Last time I had really slow SMB traffic over IPsec using a 100D, support told me to disable ASIC and HMAC offloading for IPsec:
     
    config system global
        set ipsec-hmac-offload disable
        set ipsec-asic-offload disable
    end
     
    This "fixed" it for me, the traffic is now 6 times faster than before.
     
    Regards
    bommi
    post edited by bommi - 2017/11/27 13:53:44
    #5
    tanr
    Re: Site to site traffic flow over IPsec very slow 2017/11/27 13:24:51 (permalink)
    Hi bommi,
     
    In the example above, did you mean to have "set ipsec asic enable" or should it have been "disable"?
     
    Also, what FortiOS version were you on when turning these off increased your SMB traffic speed? 
    I'm in the middle of setting up automatic archives that will go over IPsec to an offsite 100D on 5.4.6 but haven't seen speed issues yet.
    #6
    bommi
    Re: Site to site traffic flow over IPsec very slow 2017/11/27 13:53:16 (permalink)
    Hi tanr,
     
    Yes, it should be "disable" for both values; I changed it in my post above.
    I had an extreme performance drop between a 100D and a 30E when using the ASIC for IPsec on the 100D.
    We observed this on 5.6.2.
     
    Regards
    bommi
    #7