Based on two recent support cases regarding the IPsec performance between an OnPrem and Azure FortiGate, we did some testing using the latest FortiOS 6.4.1.
We created a basic IPsec tunnel using the wizard, deployed an Ubuntu machine at each site and used iPerf3 for throughput testing. The results were nowhere near the expected numbers, and the direction mattered: sending from Azure to OnPrem (~250 Mbit/s) was somewhat faster than the reverse direction (~120 Mbit/s).
We’ve then checked the IPsec interface at the Azure site. The MTU and packet statistics looked good:
FGT-Azure # fnsysctl ifconfig Azure-OnPrem Local-FortiGate Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1438 Metric:1
          RX packets:832464 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2908302 errors:5 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:708921008 (676.1 MB) TX bytes:5037498099 (4.7 GB)
We did the same at the OnPrem site, and there the figures were not good at all: the interface reported an MTU of zero, and roughly 15% of the received packets (420607 of 2826050) were counted as RX errors.
FGT-OnPrem # fnsysctl ifconfig OnPrem-Azure Azure-FGT Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:0 Metric:1
          RX packets:2826050 errors:420607 dropped:0 overruns:0 frame:0
          TX packets:832986 errors:526 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4767963128 (4.4 GB) TX bytes:646053050 (616.1 MB)
After manually setting the MTU of the OnPrem IPsec interface to the same value as on the Azure side (overriding the MTU of an IPsec interface is a new feature in FOS 6.4.1), the iPerf3 results improved to the expected values (~600 Mbit/s):

config system interface
    edit "OnPrem-Azure"
        set mtu-override enable
        set mtu 1438
    next
end
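To make the check above repeatable (and to sanity-check the value you put into mtu-override), here is a small script we add as an example; it is not part of the original post and not Fortinet code. It parses the fnsysctl ifconfig output of a tunnel interface, flags an MTU of 0 and a high error ratio, and computes the expected ESP payload MTU for a 1500-byte outer link. The sample input below re-types the two outputs shown in the post; the cipher parameters (AES-CBC with a 16-byte IV, a 16-byte ICV for SHA-256 or 12 for SHA-1, no NAT-T) and the 0.1% error-ratio threshold are our own assumptions, since the post does not state which proposal the wizard chose.

```python
import re

# Constructed sample input: the two interface blocks quoted in the post,
# re-typed here (same counters, our line layout).
SAMPLE_AZURE = """Azure-OnPrem Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1438 Metric:1
          RX packets:832464 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2908302 errors:5 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:708921008 (676.1 MB) TX bytes:5037498099 (4.7 GB)
"""

SAMPLE_ONPREM = """OnPrem-Azure Link encap:Unknown
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:0 Metric:1
          RX packets:2826050 errors:420607 dropped:0 overruns:0 frame:0
          TX packets:832986 errors:526 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4767963128 (4.4 GB) TX bytes:646053050 (616.1 MB)
"""


def parse_ifconfig(text):
    """Extract name, MTU and RX/TX packet and error counters from one
    ifconfig-style interface block. Raises ValueError if a field is missing."""
    name = text.split(None, 1)[0]
    mtu = re.search(r"MTU:(\d+)", text)
    rx = re.search(r"RX packets:(\d+)\s+errors:(\d+)", text)
    tx = re.search(r"TX packets:(\d+)\s+errors:(\d+)", text)
    if not (mtu and rx and tx):
        raise ValueError("unrecognised ifconfig output for %s" % name)
    return {
        "name": name,
        "mtu": int(mtu.group(1)),
        "rx_packets": int(rx.group(1)), "rx_errors": int(rx.group(2)),
        "tx_packets": int(tx.group(1)), "tx_errors": int(tx.group(2)),
    }


def check_tunnel(stats, error_ratio_limit=0.001):
    """Return a list of findings for a parsed tunnel interface; an empty list
    means nothing looked wrong. The 0.1% threshold is an assumed value."""
    findings = []
    if stats["mtu"] == 0:
        findings.append("%s: MTU is 0 (no usable tunnel MTU; set mtu-override)"
                        % stats["name"])
    for direction in ("rx", "tx"):
        packets = stats[direction + "_packets"]
        errors = stats[direction + "_errors"]
        ratio = errors / packets if packets else 0.0
        if ratio > error_ratio_limit:
            findings.append("%s: %s error ratio %.2f%% (%d/%d)" % (
                stats["name"], direction.upper(), ratio * 100, errors, packets))
    return findings


def ipsec_payload_mtu(outer_mtu=1500, nat_t=False, iv_len=16, icv_len=16, block=16):
    """Largest inner packet that fits one ESP packet in tunnel mode over IPv4.

    Overhead per packet: 20 B outer IPv4 header, 8 B UDP header when NAT-T is
    in use, 8 B ESP header (SPI + sequence number), the cipher IV, 2 B ESP
    trailer (pad length + next header) and the ICV. Payload + padding + trailer
    must be a multiple of the cipher block size, so the usable payload is
    rounded down to that boundary. Defaults assume AES-CBC with a 16-byte ICV.
    """
    overhead = 20 + (8 if nat_t else 0) + 8 + iv_len + icv_len
    room = outer_mtu - overhead      # bytes left for payload + padding + trailer
    room -= room % block             # largest block-aligned plaintext
    return room - 2                  # minus the 2-byte ESP trailer


if __name__ == "__main__":
    for sample in (SAMPLE_AZURE, SAMPLE_ONPREM):
        stats = parse_ifconfig(sample)
        print(stats["name"], "MTU", stats["mtu"], check_tunnel(stats) or "OK")
    print("expected ESP payload MTU (AES-CBC, 16 B ICV, no NAT-T):",
          ipsec_payload_mtu())
    print("expected ESP payload MTU with NAT-T:", ipsec_payload_mtu(nat_t=True))
```

With the post's counters the Azure block passes and the OnPrem block yields two findings (MTU 0 and a ~14.9% RX error ratio). The calculator returns 1438 for both a 12-byte (SHA-1) and a 16-byte (SHA-256) ICV, which matches the value the Azure side derived on its own; if the tunnel runs over NAT-T, the same arithmetic gives 1422, so check the tunnel's actual encapsulation before copying 1438 into mtu-override.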
All we know so far is that the algorithm used to calculate the MTU of the IPsec interface changed in FOS 6.4.x. We are also planning to provide some troubleshooting tips using iPerf3. So stay tuned for an update, after the summer vacation.