- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Poor bandwidth to S2S Ipsec Azure
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Poor bandwidth to S2S Ipsec Azure
Hello,
I get really strange problem with my Azure tunnel on Fortigate 60E (FortiOS 5.6.8). I have configured tunnel according to this article:
https://cookbook.fortinet...pn-microsoft-azure-54/
I have set up tcp-mss sender and receiver for 1350. Tunnel is stable but performance from LAN Fortigate is very poor.
I performed iperf3 test and result is 3-5Mbit/s. Our ISP provide us 100/100Mbit/s.
The weirdest thing is when I beeing connected to fortigate in LAN, and set UP SSL-VPN connection (FortiClient SSL-VPN on the same Fortigate) so technically traffic go through ssl-vpn tunnel but all communication is closed to these Fortigate I get 30-35Mbit/s performance result. What I tried:
1) Set up new Azure tunnel - the same result
2) Delete tcp-mss sender/receiver function from IPv4 policies to Azure - same result
Someone got these problem? It looks like there is something wrong in LAN interface. MTU?
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For a bandwith issue over IPsec vpn, there are many things you need to eliminate one-by-on.
As a start I would suggest one thing to test: adjust mtu size on the physical interface on the FGT that this tunnel is going out of. I don't know if it's possible on Azure side, but try the same on that side as well. The tcp-mss adjustment works only TCP traffic. You might be doing only TCP test with iPerf so each packet should be much shorter than the minimum mtu on the path. But since you said SSL VPN (TCP) was performing much better, I'm suspecting it might be related to UDP/ESP (IPsec) traffic over the internet. Or at least you can eliminate that factor.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean adjust mtu on interface that tunel is going out of? wan interface (that ipsec tunnel is connected with azure) or for example internal2 physical interface that I was performed test to virtual machine behind azure? Can you suggest changes for testing? What exactly mtu should I set on interface?
As I said while using the same network on FG but connecting to azure machine through ssl vpn tunnel (forticlient split tunneling to azure subnet) performance is 10x better.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The outgoing wan interface mtu to let the FGT to fragment in case the packet sides are bigger than the mtu. The opposite direction is dectated by Azure side mtu setting. LAN side mtu setting is for PMTUD by applications on Azure side, which works over the top to VPN layer.
For test purpose I wouldn't care if the mtu is optimum or not, so let's say 1400, which would be short enough for any intermediate carrier to pass traffic without fragmentation. I think the commands would look like below:
config sys int
edit PHY_INTERFACE
set mtu-override ena
set mtu 1400
next
end
I have no knowledge on Azure so you have to figure out how to do the same yourself.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTW, IPsec tunnel mtu is driven by the interface mtu automatically, or your don't have any control. That's why you need to change mtu on the interface.
Below is our exacmple of an interface mtu and the tunnel mtu driven by it. Please ignore it's oddly going out of "internal1" interface but in fact it's going out of the interface:
xxx-fg1 # fnsysctl ifconfig internal1 internal1 Link encap:Ethernet HWaddr 00:09:0F:09:FE:03 UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1 RX packets:31742093 errors:0 dropped:0 overruns:0 frame:0 TX packets:25140134 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:23363609075 (21.8 GB) TX bytes:6072201816 (5.7 GB) sea5601-fg1 # fnsysctl ifconfig OfficeBKP-VPN <--- VPN interface name OfficeBKP-VPN Link encap:Unknown inet addr:10.242.128.130 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1422 Metric:1 RX packets:77057 errors:0 dropped:0 overruns:0 frame:0 TX packets:155683 errors:1 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:11304894 (10.8 MB) TX bytes:10212501 (9.7 MB) So the key is to let FGT fragment packets BEFORE encryption.
Related Posts
- Trouble Receiving DHCP Packet Over S2S... 277 Views
- I want to customize the FortiAnalyzer... 327 Views
- IPsec Azure 241 Views
- Wireless connected devices send traffic over... 315 Views
- Forward error correction (FEC) in fortigate... 259 Views
Labels
-
FortiGate
6,499 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
105 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.