Appendix C - VPN performance
Latency
High latency can have a significant impact on a user’s observed internet performance.
When using FortiSASE, the goal is to ingress and egress traffic from the Fortinet network while introducing the smallest possible amount of network latency. FortiSASE achieves this by using high-quality internet service providers (ISPs) and internet exchange points to minimize network hops.
In general, physical distance (e.g. the speed of light) and third-party ISP routing to the last mile introduce most of the network latency between the user and the FortiSASE point of presence (PoP).
Evaluating and selecting PoPs for lowest latency
Before provisioning FortiSASE, it is recommended that you evaluate which FortiSASE PoPs will provide the lowest latency to your end users’ locations and select them during provisioning.
To determine this, you can test the egress IP addresses in Appendix A - FortiSASE data centers via ping, traceroute, or mtr.
Keep these latency thresholds in mind when evaluating these selections:
Latency level | Impact to performance | Latency (milliseconds (ms)) |
---|---|---|
Ideal | Best performance | < 20 ms |
Acceptable | Slightly impacted | 20-60 ms |
High | Moderately impacted | 60-100 ms |
Extreme | Significantly impacted | > 100 ms |
Jitter and packet loss
Even if you observe ideal latency of under 20 ms in testing, packet loss and jitter can significantly impact performance.
- Jitter should be under 30 ms.
- Packet loss should be 0%.
You will observe significant degradation particularly for real-time communications (VoIP, video, and so on) beyond 30 ms of jitter and/or 1% packet loss.
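The following added example (not Fortinet-provided code) grades ping output against the latency bands and the jitter and packet loss targets above. It assumes Linux iputils ping output, takes jitter as the mean absolute difference between consecutive round-trip times, and places values of exactly 60 ms and 100 ms in the lower band; the function name and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: grade `ping` output against the thresholds on this page.
# Assumptions (not from the page): Linux iputils output format; jitter is the
# mean absolute difference between consecutive RTTs; 60 ms and 100 ms exactly
# are placed in the lower band.
# Live use: ping -c 20 <egress-ip-from-Appendix-A> | evaluate_ping

evaluate_ping() {
  awk '
    match($0, /time=[0-9.]+/) {                 # per-reply line: "time=14.0 ms"
      rtt = substr($0, RSTART + 5, RLENGTH - 5) + 0
      if (n > 0) { d = rtt - prev; if (d < 0) d = -d; jsum += d }
      sum += rtt; prev = rtt; n++
    }
    match($0, /[0-9.]+% packet loss/) {         # summary line: "0% packet loss"
      loss = substr($0, RSTART, RLENGTH) + 0; seen = 1
    }
    END {
      if (!seen) { print "NODATA"; exit 1 }     # no summary: truncated capture
      if (n == 0) { print "Unreachable loss=" loss "% DEGRADED"; exit 0 }
      avg = sum / n
      jitter = (n > 1) ? jsum / (n - 1) : 0
      if (avg < 20)        level = "Ideal"
      else if (avg <= 60)  level = "Acceptable"
      else if (avg <= 100) level = "High"
      else                 level = "Extreme"
      # Page targets: jitter under 30 ms and 0% packet loss.
      verdict = (jitter < 30 && loss == 0) ? "OK" : "DEGRADED"
      printf "%s avg=%.1f jitter=%.1f loss=%s%% %s\n", level, avg, jitter, loss, verdict
    }'
}

# Constructed samples; 192.0.2.10 is a documentation address, not a real PoP.
SAMPLE_CLEAN='64 bytes from 192.0.2.10: icmp_seq=1 ttl=56 time=14.0 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=56 time=16.0 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=56 time=15.0 ms
3 packets transmitted, 3 received, 0% packet loss, time 2003ms'
SAMPLE_LOSSY='64 bytes from 192.0.2.10: icmp_seq=1 ttl=56 time=15.0 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=56 time=75.0 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=56 time=15.0 ms
4 packets transmitted, 3 received, 25% packet loss, time 3010ms'

printf '%s\n' "$SAMPLE_CLEAN" | evaluate_ping
printf '%s\n' "$SAMPLE_LOSSY" | evaluate_ping
```

The second sample shows why average latency alone is not enough: it falls in the Acceptable band at 35 ms but is flagged DEGRADED because jitter and packet loss exceed the targets.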
Resolving increased latency with SSL VPN support for DTLS
While downloading a large file (100 MB or above) when using FortiSASE, you may observe increased latency (280 ms or above). FortiClient supports DTLS for SSL VPN to resolve the increased latency. See Supported FortiClient features.
Starting in 23.4.b, DTLS support is enabled by default for existing and new FortiSASE instances.