VPN IPsec Tunnel to AWS ERP slow

Our company contracted with ERP support for building the server on AWS.

Recently, we have been trying to use a VPN to fetch the database's data from the server to our local computer.

The reason we use the VPN is that we want to fetch the database's data into Excel on a local PC for report purposes.

The internet download speed is about 60 Mbps.

For testing, I tried copying a file from the server to the local PC; the transfer speed is about 6-7 MB/s.

I also tried fetching the data to my local PC while monitoring the server's network speed in Task Manager; the transfer speed is only about 20 Mbps.

After searching through a lot of forums about this situation, all I got was most users saying "MTU".

But I am not a pro in networks, and I cannot determine whether the problem is in the transport layer or the network layer.

Does anyone have any ideas? This is my headache for almost 2 months.

FortiGate info:-

FortiGate 100E v6.0.3 build0200 (GA)

IPsec Tunnel info:-

config system interface
    edit "GSS AWS VPN"
        set vdom "root"
        set type tunnel
        set snmp-index 12
        set interface "wan1"
    next
end

config vpn ipsec phase1-interface
    edit "GSS AWS VPN"
        set interface "wan1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
    next
end

config vpn ipsec phase2-interface
    edit "GSS AWS VPN"
        set phase1name "GSS AWS VPN"
        set proposal aes128-sha1
        set dhgrp 2
        set auto-negotiate enable
        set keylifeseconds 28800
        set dst-subnet 172.16.100.0 255.255.255.0
    next
end

config firewall policy
    edit 18
        set name "GSS to LAN"
        set srcintf "GSS AWS VPN"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set profile-protocol-options "NoProxy"
    next
    edit 19
        set name "LAN to GSS"
        set srcintf "lan"
        set dstintf "GSS AWS VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set profile-protocol-options "NoProxy"
    next
end

config router static
    edit 8
        set dst 172.16.100.0 255.255.255.0
        set device "GSS AWS VPN"
    next
end

Welcome to the reality of networking and TCP-based file transfers over long distances. TCP segments sent need to be ACKed to ensure that they were received as expected, and this process takes time, which lowers transfer speed. Feel free to read any of the myriad guides and blog posts about TCP and how it operates with regard to latency, MTU, available bandwidth, etc.

Expecting more than 20 Mbps from a single session is not likely realistic. You could try splitting the transfer into multiple TCP sessions, allowing the cumulative bandwidth to get closer to 60 Mbps.

https://www.speedguide.net/articles/the-tcp-window-latency-and-the-bandwidth-delay-2678

Did you implement the VPN tunnel using the AWS-provided Fortigate template? To me it looks like you did not. That document actually has some optimizations to MTU/MSS. Most servers work with MTU 1500 or above. When you force those packets into the VPN, they are fragmented into smaller packets and slow down. You can also limit the MTU on the server to test that: cap it to 1400 on the network interface routing towards AWS.

You are using between 48-56 Mbps if you are getting 6-7 MB/s. This is pretty close to completely using your internet connection. I'm not sure how to optimize further unless you use a different copy protocol.

File transfers over tunnels slow down due to MTU. They're expecting 1500 usually. Using the set tcp-mss commands on the policy targeting the AWS server can fix it or help.

Lots of people parrot the info on here that it's just not going to be good doing things like SMB over tunnels, and especially so over business broadband. I get pretty close to link speed with policies that include MSS clamping. You do need to determine the MTU first and go from there.

If it's an MTU issue, usually you will notice the file transfer speeding up and slowing down constantly, and after doing the clamping it will be consistent. This varies with the type of file transfer and the packet size it's trying to use, however.

Here's the Fortinet tech tip on it:

The 6-7 MB/s was a LAN transfer speed test to verify the server is capable. Over the VPN tunnel it is only 20 Mbps, so 2.5 MB/s.
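A worked example, added here and not code from any of the posters, from Fortinet or from AWS, that puts numbers on two points raised in the replies: the window/RTT ceiling on a single TCP session, and the ESP encapsulation overhead that is the reason behind the MSS-clamping advice. It assumes the tunnel proposal shown in the post (aes128-sha1, IPv4 tunnel mode), a 1500-byte path MTU, and a 25 ms RTT with a 64 KB receive window as illustrative inputs; the RTT and window size are constructed for the illustration, not measurements from this thread.

```python
# Added example, not from the thread: ESP overhead for an aes128-sha1 tunnel
# and the TCP throughput ceiling imposed by a fixed receive window.
import math

IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8          # present only when NAT-T (ESP in UDP/4500) is in use
ESP_HEADER = 8          # SPI + sequence number
AES_CBC_IV = 16         # aes128 (CBC) carries a 16-byte IV per packet
AES_BLOCK = 16          # ESP pads the plaintext up to the cipher block size
ESP_TRAILER = 2         # pad length + next header, inside the padded region
HMAC_SHA1_96_ICV = 12   # "sha1" in the proposal means HMAC-SHA1-96


def esp_packet_size(inner_len: int, nat_t: bool = False) -> int:
    """Outer IPv4 packet size once an inner IP packet of inner_len bytes is
    wrapped in tunnel-mode ESP with the proposal above."""
    padded = math.ceil((inner_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    size = IPV4_HEADER + ESP_HEADER + AES_CBC_IV + padded + HMAC_SHA1_96_ICV
    if nat_t:
        size += UDP_HEADER
    return size


def max_tcp_mss(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest TCP payload per segment whose encrypted packet still fits
    path_mtu, so it is never fragmented on the way to the peer."""
    # Search downward from the unencapsulated maximum; the padding step makes
    # a closed-form answer awkward, and the loop keeps the rule explicit.
    inner = path_mtu
    while esp_packet_size(inner, nat_t) > path_mtu:
        inner -= 1
    return inner - IPV4_HEADER - TCP_HEADER


def window_limited_mbps(window_bytes: int, rtt_ms: float) -> float:
    """Ceiling of one TCP session that can have at most window_bytes in
    flight per round trip (bandwidth-delay product in reverse)."""
    return window_bytes * 8 / (rtt_ms / 1000) / 1_000_000


def sessions_for_target(target_mbps: float, window_bytes: int, rtt_ms: float) -> int:
    """Parallel sessions needed before the link, not the window, is the limit."""
    return math.ceil(target_mbps / window_limited_mbps(window_bytes, rtt_ms))


if __name__ == "__main__":
    # Constructed inputs: 64 KB default-style window and a 25 ms RTT.
    window, rtt = 65535, 25.0
    print(f"single session ceiling: {window_limited_mbps(window, rtt):.1f} Mbps")
    print(f"sessions needed for 60 Mbps: {sessions_for_target(60, window, rtt)}")
    for nat_t in (False, True):
        label = "with NAT-T" if nat_t else "plain ESP"
        print(f"MSS to clamp ({label}, 1500-byte path MTU): {max_tcp_mss(nat_t=nat_t)}")
```

With the constructed inputs the single-session ceiling comes out at about 21 Mbps, which is why the earlier reply suggests splitting the copy into several sessions. The MSS figures come out below 1400 for both encapsulations, and the reply above points to the set tcp-mss options on the firewall policy as the place to apply such a value; on FortiOS those are `set tcp-mss-sender` and `set tcp-mss-receiver`. Measure the actual path MTU before trusting the 1500-byte assumption, since a lower MTU anywhere on the path lowers the result further.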