- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSEC throughput limited?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSEC throughput limited?
We are having some throughput problems between two Fortinet devices.
We have a 100D connected to a 60E over an IPSEC tunnel. The traffic seems to stagger around ~200Mbps even though we have a direct Gbps fiber connection.
Somewhere, it feels like a limitation of sorts. Any setting that could give this behaviour, or could it be that the 100D is simply too old for these speeds?
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vpn imply an overhead over the "pure" speed of a link. It is normal that a device cannot do a full link speed over vpn channel.
to do a full speed vpn connection you need specific processor/device (more expensive that a 100D)
hope this helps.
ps. you can see your vpn limit on the forti 100D docs. (consider even the other traffic that pass through the wan you are using...the "tube" is the same and it is shared)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for example a 110C have a 100Mbit limitation over vpn.
a 100D is granted for 300Mbit over ipsec vpn but you have to consider the slowest link, in this case the 60E that is granted for 150Mbit. You are lucky because you are slightly over performance.
my best
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure where you got those values, but in the datasheet these are listed:
FortiGate 60E: IPsec VPN Throughput (512 byte) - 2 Gbps
FortiGate 100D: IPsec VPN Throughput (512 byte) - 380 Mbps
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, you are absolutely right I was reading the ssl vpn not the ipsec. (this can explain the slightly more throughput over 150Mbps that I wrote).
Anyway you should go up to 380 because of the 100D....up to....as you use AES256-SHA256 and other condition over the firewall. May be 200Mbps seems not as lighting fast but, pheraps you should consider the load on the device or for example the geographic (routing) distance
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1- for testing, reduce the IPsec parameters to AES128 and SHA1
these are guaranteed to be handled in hardware (SHA384 for ex. is not)
2- no UTM whatsoever in the tunnel policy (as this will involve the CPU)
This should give you fully accelerated IPsec. The weak link is the 100D. Consider buying a second 60E and finance it through the reduced service contract costs.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
heisenberg wrote:Sorry, you are absolutely right I was reading the ssl vpn not the ipsec. (this can explain the slightly more throughput over 150Mbps that I wrote).
Anyway you should go up to 380 because of the 100D....up to....as you use AES256-SHA256 and other condition over the firewall. May be 200Mbps seems not as lighting fast but, pheraps you should consider the load on the device or for example the geographic (routing) distance
Well, I need to figure out what might be the cause and make actions against it :) 380 is almost double the speed is absolutely a better number.
I see that both 100D and 60E has 200 Mbps "Threat Protection Throughput", but how do I verify if that is enabled or not?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since it's not clear in the original post I wanted to point out one thing: VPN throughput is half dictated by the environment/connection between two end devices. If the test is not done with two devices side-by-side over a cable, you need to include that part into consideration.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
toshiesumi wrote:Since it's not clear in the original post I wanted to point out one thing: VPN throughput is half dictated by the environment/connection between two end devices. If the test is not done with two devices side-by-side over a cable, you need to include that part into consideration.
Sorry I wasn't clear enough about it. The connection is a leased fiber connection, going straight from one firewall to the other, not over the internet, etc.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then why do you need a VPN over a point-to-point dedicated/private circuit?
Related Posts
- Identify the CPU that is handling... 239 Views
- VLAN routing on a Fortigate 101F 188 Views
- fortigate datasheet IPsec VPN Throughput Detailed... 293 Views
- Forticlient: Debug IPSEC 280 Views
- IPsec VPN tunnel bandwidth consumption user... 522 Views
Labels
-
FortiGate
6,503 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.