We are running a full tunnel through our Fortigate 100E (1Gbps WAN) and we are never able to pull more than 60-70Mbps down through the FortiClient SSL VPN. Using IPSec, we max out at 120Mbps.
We are using speedtest.net to test (same test server for all tests). From inside the HQ we are able to max out the 1Gbps link up/down. The remote client off the VPN pulls 200Mbps.
Any pointers on what we can try adjusting to increase the throughput, particularly on SSL VPN, or is this just the limitation of the FortiClient?
The SSL VPN service spins up a per-user process to handle the connection, which I believe is basically PPP over either TCP or DTLS (UDP).
The process isn’t multi-threaded and can only use one of the CPU cores.
If you connect multiple users on the device, the aggregate will get up to the rated 250Mbps by using all of the CPU cores. The 60E, 80E, and 100E have quad-core CPUs.
This is based on my observations of SSL VPN on a 60E.
The remote client pulling 200mbps is probably good with your model - I checked the data sheet and it said the 100E gets 200mbps throughput with SSLVPN.
We are able to get 100+ mbps on sslvpn with dtls, but we have a 601E Gate. I believe any speeds beyond that are limited by the FortiClient since the encryption is all done in software. Hopefully they’ll be able to offload to hardware someday soon.
I think possibly the 250mb is aggregate bandwidth, i.e. the unit has 4 CPU cores so can do 4 X 60mbs. SSL VPN is totally CPU bound, no offload whatsoever.
It does not say you will get 250mb in a single session anywhere.
If you can, a migration of users to using IPsec will probably net you the best result. SSL VPN (especially web-mode) is highly taxing on hardware (as I suspect you’re now aware more so than ever).