What is this?

This is basically where I write down stuff that I work with at my job as a GIS Technical Analyst (previously system administrator). I do it because it's practical for documentation purposes (although I remove stuff that might be a security breach), and I hope it can be of use to someone out there. I frequently search the net for help myself, and this is my way of contributing.

Friday, August 14, 2009

WAN optimization on a FortiGate 111c

Objective: Testing WAN optimization over Internet using a Fortigate 111c, a Fortigate 30b and a client computer with FortiClient.

The HQ LAN network behind the Fortigate 111c unit is 10.0.0.0/16 and the LAN behind my Fortigate 30b unit at the remote office is 192.168.1.0/24. To connect the two networks I have a route-based IPsec VPN with the 30b running as a dialup client (no NAT); the VPN is verified and working.

I basically tried to follow Fortinet's user guide just to get started (FortiGate WAN Optimization and Web Caching):

Fortigate 111c configuration

I created a new WAN optimization authentication group (WAN opt. & cache > Peer > Authentication Group > New)
  • Name: auth-fc
  • Authentication Method: Certificate
  • Certificate: Fortinet_Firmware
  • Peer Acceptance: Accept Any Peer
Then I created a WAN optimization rule (WAN Opt. & Cache > Rule > Create New)
  • Mode: Full Optimization
  • Source: 0.0.0.0
  • Destination: 0.0.0.0
  • Port: 1-65535
  • Auto-Detect: Passive

Client PC configuration
Unfortunately the Fortigate 30b unit doesn't support WAN optimization directly, so I installed FortiClient (4.0.2.57) and enabled WAN optimization for all supported protocols. FortiClient's firewall and VPN are both disabled.

Testing
That's supposedly it. It sounds too good to be true, right? I thought so too, but I still decided to try copying some files from a file share to test performance (copy \\server\share\*.* c:\temp). I then checked the monitor on the 111c (WAN Opt. & Cache > Monitor) and things started happening:


Great, but why did it stop at 1.3 MB? I had more data. The cmd window displayed an ugly "The specified network name is no longer available". I tried again, but the same thing happened.

How about other protocols? I tried Outlook 2007 SP2 for some MAPI / HTTP action! It seemed okay at first, but I noticed the status would go from disconnected to connected and back again every few seconds.

Perhaps we have an unstable connection? But no – a continuous ping from the client PC to the Exchange server showed a stable and pretty quick response. Then I checked our main firewall (Checkpoint FW-1). It's placed between the Fortigate 111c and the Internet.

Fortinet's guide mentions that the WAN optimization tunnel uses port 7810, but Checkpoint shows that there's no sign of communication on this port to/from the Fortigate 111c, so everything passes through the IPsec tunnel, as indeed it should.

I then tried rebooting the 30b and the client PC. This resulted in all the WAN optimized protocols becoming entirely blocked. I had to disable WAN optimization in order to do anything useful. After a while I re-enabled WAN optimization in FortiClient, but the above mentioned instability remained.

I suspected it could have something to do with me running WAN optimization over the IPsec connection and not directly between the 30b and 111c.

Time to get in touch with the distributor. Together with a support technician we tried a few things:

We tried disconnecting the 30b and instead running the built-in FortiClient VPN client; the result was exactly the same. At least we now know the problem is not with the 30b. The support tech from the dealer was also able to reproduce the problem from his own FortiClient.

So we decided to try and get some assistance from Fortinet themselves, so until we get something there, things are not moving forward :( Oh well... Friday - woohoo!

5 comments:

  1. I have 111c and 51b. Both are working fine, although once in a while something gets hung up and I disable and re-enable.
    Works good so far, but I know you have to have (2) devices with WAN opt. I don't think the 30b has WAN opt.

    111c and 51b with solid state drive

  2. It's been two years now, so I presume Fortinet got the problems worked out by now. The truth is I spent a whole week more trying to work this out, but even with the support from Fortinet we couldn't make it stable, so I eventually gave up and decided to use Checkpoint software all the way - which has worked just fine ever since. Kinda disappointing though.

  3. That's not a reassuring thought. I have to deploy such setup today... Oh well. :}

  4. Excellent article. Thanks
