IPSEC throughput limited?

Author
robinct
New Member
  • Total Posts : 10
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/07/24 23:57:54
  • Status: offline
2018/01/10 02:41:13 (permalink)
0

IPSEC throughput limited?

We are having some throughput problems between two Fortinet devices.
 
We have a 100D connected to a 60E over an IPSEC tunnel. The traffic seems to stagger around ~200Mbps even though we have a direct Gbps fiber connection.
 
Somewhere, it feels like a limitation of sorts. Any setting that could give this behaviour, or could it be that the 100D is simply too old for these speeds?
#1


    heisenberg
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/10/19 03:30:37
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 02:49:34 (permalink)
    0
    A VPN implies an overhead over the "pure" speed of a link. It is normal that a device cannot do full link speed over a VPN channel.
    To do a full-speed VPN connection you need a specific processor/device (more expensive than a 100D).
     
    Hope this helps.
     
    PS: you can see your VPN limit in the Forti 100D docs (consider also the other traffic that passes through the WAN you are using... the "tube" is the same and it is shared).
    #2
    heisenberg
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/10/19 03:30:37
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 02:54:17 (permalink)
    0
    For example, a 110C has a 100Mbit limitation over VPN.
    A 100D is granted 300Mbit over IPsec VPN, but you have to consider the slowest link, in this case the 60E, which is granted 150Mbit. You are lucky because you are slightly over performance.
     
    my best
     
    #3
    oheigl
    Gold Member
    • Total Posts : 259
    • Scores: 8
    • Reward points: 0
    • Joined: 2010/02/18 04:27:05
    • Location: Austria
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 03:07:44 (permalink)
    0
    I'm not sure where you got those values, but in the datasheet these are listed:
    FortiGate 60E: IPsec VPN Throughput (512 byte) - 2 Gbps
    FortiGate 100D: IPsec VPN Throughput (512 byte) - 380 Mbps
    #4
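To put heisenberg's "VPN overhead" remark (#2) next to the datasheet figures oheigl quotes (#4), here is an added worked example that is not part of the thread: it computes how many bytes ESP tunnel mode adds to a 512-byte inner packet for a few cipher suites (field sizes from RFC 4303/3602/4106/4868), the best-case throughput a 1 Gbps link could carry after that framing, and which of the two then caps the tunnel: the wire or the slower device's rated IPsec throughput. The device limits are the 380 Mbps / 2 Gbps datasheet numbers quoted in #4; everything else is generic ESP arithmetic.

```python
"""ESP (tunnel mode, IPv4) framing overhead vs. a device's rated IPsec throughput.

Added example, not from the forum thread. Suite parameters are standard ESP
field sizes; the device limits are the datasheet figures quoted in the thread.
"""
from dataclasses import dataclass

# Ethernet framing that also occupies the wire: header 14 + FCS 4 + preamble/SFD 8 + IFG 12
ETH_OVERHEAD = 38
OUTER_IPV4 = 20   # outer IP header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), inside the encrypted part


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int     # explicit IV carried after the ESP header
    block_len: int  # alignment the encrypted payload is padded to
    icv_len: int    # integrity check value appended after the payload


# Field sizes per RFC 4303 / RFC 3602 / RFC 4106 / RFC 4868
AES128_SHA1 = EspSuite("aes128-sha1", iv_len=16, block_len=16, icv_len=12)      # HMAC-SHA1-96
AES256_SHA256 = EspSuite("aes256-sha256", iv_len=16, block_len=16, icv_len=16)  # HMAC-SHA-256-128
AES128_GCM = EspSuite("aes128gcm", iv_len=8, block_len=4, icv_len=16)           # AES-GCM-128


def esp_packet_len(inner_len: int, suite: EspSuite) -> int:
    """Length of the outer IPv4 packet carrying an inner packet of inner_len bytes.

    inner_len includes the inner IP header. Inner packets larger than the path
    MTU minus this overhead would fragment, which this model does not account for.
    """
    body = inner_len + ESP_TRAILER
    pad = (-body) % suite.block_len
    return OUTER_IPV4 + ESP_HEADER + suite.iv_len + body + pad + suite.icv_len


def wire_bound_mbps(link_mbps: float, inner_len: int, suite: EspSuite) -> float:
    """Best-case inner-packet throughput the link itself allows, before any device limit."""
    wire_bytes = esp_packet_len(inner_len, suite) + ETH_OVERHEAD
    return link_mbps * inner_len / wire_bytes


def bottleneck(link_mbps, inner_len, suite, device_limits):
    """Return (name, mbps) of whichever caps the tunnel: the wire or the slowest device."""
    candidates = dict(device_limits)
    candidates["wire (ESP framing)"] = wire_bound_mbps(link_mbps, inner_len, suite)
    name = min(candidates, key=candidates.get)
    return name, candidates[name]


# Datasheet IPsec figures quoted in the thread (512-byte packets)
THREAD_DEVICES = {"FortiGate 100D": 380.0, "FortiGate 60E": 2000.0}

if __name__ == "__main__":
    for suite in (AES128_SHA1, AES256_SHA256, AES128_GCM):
        print(f"{suite.name:14s} 512B inner -> {esp_packet_len(512, suite)}B on wire, "
              f"link bound {wire_bound_mbps(1000, 512, suite):.0f} Mbps")
    print(bottleneck(1000, 512, AES128_SHA1, THREAD_DEVICES))
```

With 512-byte packets the framing alone still leaves roughly 820 Mbps of a 1 Gbps link for inner traffic, so the gap down to 380 Mbps (and the observed 200 Mbps) is the box, not the protocol overhead. Larger packets make the framing cost proportionally smaller, which is why datasheets state the packet size next to the throughput figure.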
    heisenberg
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/10/19 03:30:37
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 03:26:31 (permalink)
    0
    Sorry, you are absolutely right, I was reading the SSL VPN not the IPsec. (This can explain the slightly more throughput over 150Mbps that I wrote.)
    Anyway you should go up to 380 because of the 100D....up to....as you use AES256-SHA256 and other conditions over the firewall. Maybe 200Mbps seems not as lightning fast, but perhaps you should consider the load on the device or for example the geographic (routing) distance.
    #5
    ede_pfau
    Expert Member
    • Total Posts : 5564
    • Scores: 374
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 04:41:08 (permalink)
    0
    1- for testing, reduce the IPsec parameters to AES128 and SHA1
    these are guaranteed to be handled in hardware (SHA384 for ex. is not)
    2- no UTM whatsoever in the tunnel policy (as this will involve the CPU)
     
    This should give you fully accelerated IPsec. The weak link is the 100D. Consider buying a second 60E and finance it through the reduced service contract costs.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #6
    robinct
    New Member
    • Total Posts : 10
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/07/24 23:57:54
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 04:44:05 (permalink)
    0
    heisenberg wrote:
    Sorry, you are absolutely right, I was reading the SSL VPN not the IPsec. (This can explain the slightly more throughput over 150Mbps that I wrote.)
    Anyway you should go up to 380 because of the 100D....up to....as you use AES256-SHA256 and other conditions over the firewall. Maybe 200Mbps seems not as lightning fast, but perhaps you should consider the load on the device or for example the geographic (routing) distance.

    Well, I need to figure out what might be the cause and take actions against it :) 380 is almost double the speed and is absolutely a better number.
     
    I see that both 100D and 60E have 200 Mbps "Threat Protection Throughput", but how do I verify if that is enabled or not?
    #7
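Ede's two test steps (#6: drop the proposals to AES128/SHA1, which the thread says are handled in hardware while SHA384 is not, and keep all UTM out of the tunnel policies) and robinct's follow-up (#7: how to verify whether threat protection is enabled) both amount to reading the FortiGate configuration. The following is an added example, not FortiOS tooling and not from the thread: a small parser for the `config` / `edit` / `set` / `next` / `end` layout of `show` output, run over a constructed configuration, that lists every phase1/phase2 proposal outside the aes128-sha1 baseline and every policy on the tunnel interface with UTM enabled. The interface and policy names in the sample are made up; the only offload claim encoded is the one the thread makes about SHA384, and other non-baseline proposals are merely flagged for checking against the model's documentation.

```python
"""Audit a FortiOS config dump for the two things Ede's test isolates:
non-baseline IPsec proposals and UTM on tunnel policies.

Added example with a constructed config; not FortiOS code and not from the thread.
"""
import shlex

# Constructed sample in the layout of FortiOS `show` output; names are made up.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to-60E"
        set interface "port1"
        set proposal aes256-sha256 aes256-sha384
        set remote-gw 192.0.2.2
    next
end
config vpn ipsec phase2-interface
    edit "to-60E-p2"
        set phase1name "to-60E"
        set proposal aes256-sha256
    next
end
config firewall policy
    edit 5
        set name "lan-to-tunnel"
        set srcintf "internal"
        set dstintf "to-60E"
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
    next
    edit 6
        set name "tunnel-to-lan"
        set srcintf "to-60E"
        set dstintf "internal"
    next
end
"""

BASELINE_PROPOSALS = {"aes128-sha1"}   # the test baseline recommended in #6
UTM_PROFILE_KEYS = ("av-profile", "ips-sensor", "webfilter-profile", "application-list")


def parse_fortios(text):
    """Parse `config ... end` blocks into nested dicts: section -> entry -> {key: [values]}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)          # handles the quoted names
        keyword, args = words[0], words[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def proposal_findings(cfg):
    """Every phase1/phase2 proposal that is not the aes128-sha1 test baseline."""
    findings = []
    for section in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, entry in cfg.get(section, {}).items():
            for proposal in entry.get("proposal", []):
                if proposal in BASELINE_PROPOSALS:
                    continue
                if "sha384" in proposal:
                    note = "SHA384 is not hardware-offloaded (per #6)"
                else:
                    note = "not the test baseline; confirm offload for this model"
                findings.append((section, name, proposal, note))
    return findings


def utm_findings(cfg, tunnel_iface):
    """Policies touching the tunnel interface that have UTM enabled, with the profiles set."""
    findings = []
    for policy_id, policy in cfg.get("firewall policy", {}).items():
        if tunnel_iface not in policy.get("srcintf", []) + policy.get("dstintf", []):
            continue
        if policy.get("utm-status", ["disable"])[0] == "enable":
            profiles = sorted(k for k in UTM_PROFILE_KEYS if k in policy)
            findings.append((policy_id, policy.get("name", [""])[0], profiles))
    return findings


CONFIG = parse_fortios(SAMPLE_CONFIG)

if __name__ == "__main__":
    for finding in proposal_findings(CONFIG):
        print("proposal:", *finding)
    for finding in utm_findings(CONFIG, "to-60E"):
        print("utm on tunnel policy:", *finding)
```

Against the sample this reports three proposals to change for the test (two on phase1, one on phase2, the aes256-sha384 one annotated as not offloaded) and policy 5 as the one carrying AV and IPS into the tunnel; policy 6 has no `utm-status enable` and is left alone. On a real box, paste the output of `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface` and `show firewall policy` in place of the sample.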
    Toshi Esumi
    Expert Member
    • Total Posts : 888
    • Scores: 52
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 08:31:10 (permalink)
    0
    Since it's not clear in the original post I wanted to point out one thing: VPN throughput is half dictated by the environment/connection between two end devices. If the test is not done with two devices side-by-side over a cable, you need to include that part into consideration. 
    #8
    robinct
    New Member
    • Total Posts : 10
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/07/24 23:57:54
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 11:33:34 (permalink)
    0
    toshiesumi wrote:
    Since it's not clear in the original post I wanted to point out one thing: VPN throughput is half dictated by the environment/connection between two end devices. If the test is not done with two devices side-by-side over a cable, you need to include that part into consideration.

    Sorry I wasn't clear enough about it. The connection is a leased fiber connection, going straight from one firewall to the other, not over the internet, etc.
    #9
    Toshi Esumi
    Expert Member
    • Total Posts : 888
    • Scores: 52
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/10 13:26:22 (permalink)
    5 (1)
    Then why do you need a VPN over a point-to-point dedicated/private circuit?
    #10
    robinct
    New Member
    • Total Posts : 10
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/07/24 23:57:54
    • Status: offline
    Re: IPSEC throughput limited? 2018/01/12 04:08:05 (permalink)
    0
    toshiesumi wrote:
    Then why do you need a VPN over a point-to-point dedicated/private circuit?

    That wasn't my original question and might be a good discussion in another thread.
     
    I've read other threads on the subject and done some diagnostics, and it seems the 100D is the bottleneck. I thank you for your answers and we're going to have internal discussions on how to proceed from this. The cheapest solution is probably to add another 60E :)
    #11