SSL Client download speeds limited at 10Mbps, upload speeds 150+ Mbps

I have a FortiGate 200F. FortiOS 7.0.13. ISP connection is 200Mbps up/down. Up until about a week ago I had perfectly acceptable up/down ~80Mbps speeds each way using the SSL VPN. Then out of nowhere, my client download speeds dropped to about 10Mbps. My upload speeds are still normal.

I’ve tested using iPerf and an internal speedtest site we have. I’ve tried enabling the DTLS Tunnel setting. I tried disabling NPU-Offloading.

When I did a top while ssh’d into the FortiGate, CPU usage was minimal during downloads and hit maybe 25% on uploads.

I made sure there weren’t any traffic shaping policies applied to the rules affecting the firewall.

I have an L2TP VPN running on a separate server that still gets good up/down speeds. I temporarily opened a port and tested speeds without VPN and they were fine.

I’ve rebooted the unit a couple times.

I opened a support ticket with our vendor, but they appear to be stumped at this point as well because I haven’t heard back from them again.

Anyone have any suggestions to try, or ever had this happen to them?

Edit: So I ended up downgrading to firmware 7.0.12 and now my speeds have returned to normal. Actually a little better than normal now that I have DTLS enabled.

DTLS usually helps. Check in the VPN logs if the DTLS tunnel establishes. Funny enough I have the same issue ongoing now (same firmware version), I’ll let you know if I find out something.

Have had the same in the past, and as per other user, DTLS on the client fixed that up nicely.

Which SSL Client version are you using?

I upgraded from 7.0.12 about three weeks ago. I suppose that could have been the problem, but I think someone would have noticed before last week. I don’t really want to try downgrading yet as it will require a little downtime.

I had a call with our vendor who pulled in Fortinet support. Pretty much the first thing we did was check DTLS. I had it enabled on both the FortiClient and our FortiGate SSL Server, however I’m using a VIP to forward to a non-root VDOM. The policy on the VIP had UDP traffic blocked.

Once I enabled that, speeds improved from 10Mbps to 20-30Mbps. But still not the speeds I was getting previously. They took some logs and escalated, so hopefully I hear back soon. Thanks for your suggestion!

7.2.2.0864. I was using 7.2.0.something but upgraded once I started having issues. Didn’t make any difference.

Let us know what you find, always good to get real world feedback 🙂