Site to Site IPSec VPN slow file transfer speeds.

Author
Mick
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/11/11 21:50:10
  • Status: offline
2019/06/13 14:43:02 (permalink)
0

Site to Site IPSec VPN slow file transfer speeds.

Site to Site IPSec VPN Gateway using two Fortigates. Branch has an 80E Firmware v6.0.2, Headquarters has a 300D Firmware v5.6.6.
 
Problem: End users reporting very slow file access from the fileservers located at headquarters.
File transfer speeds between the two sites averages 425 Kbps for Data only.
Should I expect better file transfer speeds between the two sites?
 
Note: VoIP works great. Speeds out to the Internet are great.
VoIP and Data are configured to use the same port on the Fortigate 80E.
 
I'm using Windows Explorer and copying a file from the (Windows 2016 Server) fileserver to the desktop (combo of Win7 and Win10 pro) to test the file transfer speeds. 
Iperf between the two sites using the default settings for TCP.  I didn't change the Window size. Average speed was between 2 to 3 Mbps.
Ftp'ed between the two sites average speed was 1.5 to 2.0Mbps.
Distance between Branch and HQ 34 miles.
 
Branch has 30 pc's and 30 VoIP phones. 30 Employees, rarely has more than 10 employees at a time using their pc's.
 
80E Spec sheet notes Gateway to Gateway IPSec VPN Tunnels 200. I'm guessing they mean 200Mbps.
IPSec VPN Performance test used AES256 and SHA256. We're using 3DES SHA1.
 
I'm using the document at this link as a guide for troubleshooting. https://forum.fortinet.com/tm.aspx?m=151195
Thanks to Toshi Esumi
 
Branch ISP Router settings 400Mbps Download, 20Mbps upload. Headquarters 250Mbps Upload and Download. Duplex is Full.
Internet Speedtest done using www.speedtest.net - This site has two options Multi and Single.
Branch - Multi - 420Mbps Download 22Mbps Upload - Single 255Mbps Download 14Mbps upload.
Headquarters - Multi - 102Mbps Download 160Mbps Upload - Single 81Mbps Upload - 169Mbps Download.
 
Fortigates Speed and Duplex set to Auto Auto 1GB Full Duplex. Cisco Switches are also set to Auto Auto 1GB Full Duplex
Checked Speed and Duplex for mismatches between the Fortigates, and the switch. There are none.
ISP reps state there are no errors on router interfaces.
Checked Fortigate Interfaces for errors, there are none. Checked desktops and fileserver interfaces for errors there are none.
I've thought about hard coding the speed and duplex on the interfaces, but we have no crc, tx, rx errors.
 
Ran continuous ping checks between the public and private interfaces. Looking for dropped packets, there were none.
Ran Tracert from both ends, no drops.
 
Set up folders and shared them on two laptops. Put a laptop at each end of the campus.  Copied files between them, speeds are great.  20mb file copies between the two laptops in 5 to 7 seconds.
 
FortiAnalyzer I see some ip-conn and client-rst and server-rst records in the logs for traffic between the desktops and the fileserver.
 
 
Surf the Internet for Fortinet and slow SMB IPSec file transfer speeds and you come up with a lot of hits.
Here's a few other links that mention slow ipsec vpn speeds. One has claims that a bug is the problem.
https://forum.fortinet.com/tm.aspx?m=154946
https://forum.fortinet.com/tm.aspx?m=172121
https://forum.fortinet.com/tm.aspx?m=166340
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_80E_Series.pdf
 
What other steps can\should I take to troubleshoot the problem?
If you need additional information please let me know.
 
Thanks for your time.
#1


    ede_pfau
    Expert Member
    • Total Posts : 6046
    • Scores: 480
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/06/13 23:58:05 (permalink)
    0
    First, I'd upgrade to v6.0.5 and v5.6.8 (not v5.6.9) to make sure you get most of the bug fixes.
     
    Then, as the branch line is asymmetric I wonder if the upload speed throttles the download. SMB is a LAN protocol and a pita on WAN. With a continuous ping, if the RTT goes up 10fold during an SMB transfer then it's the upload speed issue.
     
    To eliminate the VPN you could set up a second FGT on site (via patch cable), create an IPsec VPN to HQ and then transfer via SMB. That should give you almost wirespeed (for iperf) and some 50% for SMB, or even less. Now you can see how much the protocol is taking away from line speed.
    There are 2 more pitfalls I can think of:
    1- the IPsec is not offloaded to the SP (NP6). In FortiView, you can see 'all sessions', in one column there will be an ASIC icon if the session is offloaded. If not, the CPU of the 80E will limit throughput a lot.
    2- you would have mentioned if you had an AV profile on the policies for SMB, wouldn't you? SMB AV still is, er, in the first stages and not yet fully optimized, if ever. Run without any UTM profiles.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    Mick
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/06/14 14:47:22 (permalink)
    0
    Update
    I created a shared folder on my pc at HQ.  I also setup a shared folder on another Win2016 server that's not heavily used.
    From my laptop at the Branch back to my desktop at HQ.  I average between 3 to 4 Mbps using Windows Explorer to transfer the file.
    To the fileserver I'm still averaging about 400Kbps.  I'm using the same file.  I expected to see better speeds from this other file server because it's not used as much as the first one.  Ideas or suggestions appreciated.
    #3
    emnoc
    Expert Member
    • Total Posts : 5243
    • Scores: 347
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/06/14 16:04:18 (permalink)
    0
    I would ensure the tcp.mss values are set to a respectable value. A pcap will probably show re-transmits and this will greatly impact your thru-put.
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #4
    Mick
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/06/18 08:44:20 (permalink)
    0
    @Ede
     

    #1 Fortiview – All Sessions – Source column – There are no Icons – I’m not sure of what the ASIC icon looks like.  I’ve googled “Fortinet and Fortigate ASIC icon or image” but I’m not finding it.  Isn't the Fortigate configured to offload to the SP (NP6) by default?
     
    #2 No UTM profiles are in play.
     
    >>To eliminate the VPN you could set up a second FGT on site
    We don't have a second Fortigate on hand.
     
    >>With a continuous ping, if the RTT goes up 10fold during an SMB transfer then it's the upload speed issue.
    You mean run a continuous ping from the Fortigate to the file server. While copying a file from the file server.
    Is this correct?
     
    >>First, I'd upgrade to v6.0.5 and v5.6.8 (not v5.6.9) to make sure you get most of the bug fixes.
    I can upgrade the branch to v6.0.5.  The HQ I'd have to setup a maintenance window.  Why not upgrade HQ to v6.0.5 as well, is v5.6.8 more stable?
    #5
    Mick
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/06/18 08:45:28 (permalink)
    0
    @Ken,
     
    The tcp.mss value is set to 1300.
    #6
    mb23531
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/06/19 07:44:49
    • Status: offline
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/06/19 08:17:19 (permalink)
    0
    Hi,
     
    I had a slow site to site VPN for a while after upgrading from a 200D to 200E (other end was a 90D) but only in one direction. Both sites have 100Mbps internet but upload from the 200E was only going around 20-40Mbps over the VPN.
     
    After a lot of troubleshooting and reading documents, the issue for me was down to setting inbandwidth and outbandwidth on the WAN interfaces. From the Hardware Acceleration manual, "Configuring outbandwidth traffic shaping imposes more limiting than configured, potentially reducing throughput more than expected". As soon as the values were unset, the speed of the VPN is now almost 100Mbps again.
     
    I'm not sure if this will apply to you but I have seen posts with slow VPNs and this is not mentioned.
     
    Regards
     
    Martin
    #7
    Mick
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/07/09 14:47:17 (permalink)
    0
    @Martin,
     
    Thanks for the feedback.  I've not seen that mentioned either.
    #8
    Mick
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/07/09 14:55:21 (permalink)
    0
    @Martin,
     
    No joy, mine are set to 0 and 0.  Still a handy hint though.  Thanks
    #9
    Toshi Esumi
    Expert Member
    • Total Posts : 1643
    • Scores: 139
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/07/31 10:27:45 (permalink)
    0
    By now, you probably exhausted options we can suggest without touching it, including iperf test. It's time to open a ticket for TAC to look into it directly.
    #10
    Mick
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/08/20 08:03:45 (permalink)
    0
    All - System uptime is 35 days.  Firmware version 6.2.5
    Can someone tell me what they think about how to solve these tx errors?  This was setup by the site to site VPN Wizard.  The actual ports in play don't have any errors.  Thanks
     
    Branch To Home Link encap:Unknown
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1446 Metric:1
    RX packets:13026568 errors:0 dropped:0 overruns:0 frame:0
    TX packets:14431227 errors:2787751 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:4713551740 (4.4 GB) TX bytes:3187493158 (2.10 GB)
    #11
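An added example, not part of any poster's reply: a small parser for the tunnel interface dump quoted in the post above. It computes the per-direction error ratio and checks whether the tcp.mss of 1300 mentioned earlier in the thread fits inside the tunnel MTU. The 1% alert threshold and the 40-byte header allowance (IPv4 plus TCP, no options) are assumptions of this example.

```python
import re

# Interface dump copied from the post above (tunnel interface "Branch To Home").
SAMPLE = """\
Branch To Home Link encap:Unknown
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1446 Metric:1
RX packets:13026568 errors:0 dropped:0 overruns:0 frame:0
TX packets:14431227 errors:2787751 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4713551740 (4.4 GB) TX bytes:3187493158 (2.10 GB)
"""

IPV4_TCP_HEADERS = 40  # assumption: 20-byte IPv4 + 20-byte TCP header, no options


def parse_iface(text):
    """Return the MTU and the RX/TX packet counters found in the dump."""
    mtu = re.search(r"MTU:(\d+)", text)
    if mtu is None:
        raise ValueError("no MTU field in interface dump")
    stats = {"mtu": int(mtu.group(1))}
    for direction, fields in re.findall(r"^\s*(RX|TX) packets:(.*)$", text, re.M):
        counters = re.findall(r"(\w+):(\d+)", "packets:" + fields)
        stats[direction.lower()] = {name: int(val) for name, val in counters}
    return stats


def error_ratio(stats, direction):
    """Errors divided by packets for one direction ('rx' or 'tx')."""
    c = stats[direction]
    return c["errors"] / c["packets"] if c["packets"] else 0.0


def mss_fits(stats, mss):
    """True if a full-size segment with this MSS fits the tunnel MTU."""
    return mss + IPV4_TCP_HEADERS <= stats["mtu"]


def report(text, mss, threshold=0.01):
    """List findings: error ratios above threshold and an oversized MSS."""
    stats = parse_iface(text)
    findings = [f"{d.upper()} error ratio {error_ratio(stats, d):.1%}"
                for d in ("rx", "tx") if error_ratio(stats, d) > threshold]
    if not mss_fits(stats, mss):
        findings.append(f"MSS {mss} + {IPV4_TCP_HEADERS} exceeds MTU {stats['mtu']}")
    return findings


if __name__ == "__main__":
    print(report(SAMPLE, mss=1300))
```

On the quoted counters only the TX direction is flagged; an MSS of 1300 stays within the 1446-byte tunnel MTU, so segment size alone does not account for the TX error count.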
    Mick
    Re: Site to Site IPSec VPN slow file transfer speeds. 2019/08/20 13:53:49 (permalink)
    0
    Correction Branch Office is version 6.0.5, I've updated Headquarters to version 5.6.10.
     
    #12