Optimizing FortiGate 3960E and 3980E IPsec VPN performance
You can use the following command to configure outbound hashing to improve IPsec VPN performance for the FortiGate 3960E and 3980E. If you change these settings, reboot your device to make sure they take effect.
config system np6
edit np6_0
set ipsec-outbound-hash {disable | enable}
set ipsec-ob-hash-function {switch-group-hash | global-hash | global-hash-weighted | round-robin-switch-group | round-robin-global}
end
Where:
ipsec-outbound-hash is disabled by default. If you enable it, you can set ipsec-ob-hash-function as follows:
switch-group-hash
(the default) distribute outbound IPsec Security Association (SA) traffic to NP6 processors connected to the same switch as the interfaces that received the incoming traffic. This option keeps all traffic on one switch and the NP6 processors connected to that switch, to improve performance.
global-hash
distribute outbound IPsec SA traffic among all NP6 processors.
global-hash-weighted
distribute outbound IPsec SA traffic from switch 1 among all NP6 processors, with more sessions going to the NP6s connected to switch 0. This option is only recommended for the FortiGate 3980E because it is designed to weigh switch 0 higher to send more sessions to switch 0, which on the FortiGate 3980E has more NP6 processors connected to it. On the FortiGate 3960E, both switches have the same number of NP6s, so for best performance one switch shouldn't have a higher weight.
round-robin-switch-group
round-robin distribution of outbound IPsec SA traffic among the NP6 processors connected to the same switch.
round-robin-global
round-robin distribution of outbound IPsec SA traffic among all NP6 processors.