
Very slow "throughput" over IPSec VPN

Maybe someone has seen similar and has some idea where to look....

I have two sites, Site A with an SG230 and Site B with an SG215, both running firmware 9.603-1.

Site A has a 200Mbps fiber link

Site B has a 20Mbps fiber link and a 100/20 cable link.

I connect the IPSec VPN between the two fiber connections. I run speed tests and everything "looks" fine from the speeds. But if I try to do or transfer anything between the sites it is horrendously slow. As per the UTM, and what the ISP reports, I'm never getting beyond 5Mbps. Now, with the same settings but connecting from Site B using the cable connection, everything is perfect.

So, fiber issue at Site B you say! I've had the ISP replace all their gear locally and run end to end tests. They are basically saying at this point it's my firewall that is the issue. My problem is everything runs fine over cable to fiber but not over fiber to fiber. I have no idea where to look or what might be causing this. I still think it is somehow the ISP's issue, but how to prove this to them?

Thanks,

Shawn



  • Hi Shawn,

    Hmmm, sounds like maybe an MTU issue.  Do you already have 'Support path MTU discovery' selected in the 'Advanced' section of both Remote Gateways? (Note that allowing path MTU discovery requires that ICMP type 3 code 4 be allowed between the devices.)  If so and you're still seeing the same problem, use ping to determine the correct MTU by pinging the remote internal IP from your internal IP and then do the same from the other side:

    secure: # ping -I 172.30.0.1 172.30.1.1 -s 1500 -M do
    PING 172.30.1.1 (172.30.1.1) from 172.30.0.1 : 1500(1528) bytes of data.
    ping: local error: Message too long, mtu=1406
    ping: local error: Message too long, mtu=1406

    If you don't see a limited MTU, you might try changing the Internal interface to another NIC on the UTM connected to the server from which you're downloading - I have a client on the West Coast where we left Internal on eth5 because of a similar problem on their original SG and on the replacement I organized for them.

    What's new?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
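The ping test Bob describes, scripted as a binary search over the payload size so the largest DF-marked packet that crosses the tunnel is found in a few probes (added example, not code from the thread or from Sophos; the TARGET variable, the size bounds and the offline fake link are assumptions).

```shell
#!/bin/sh
# Added example, not from this thread: automate the "ping -M do" MTU hunt.
# A DF-marked ping is refused (locally or by a router on the path) when the
# packet exceeds the path MTU, so a binary search over the payload size finds
# the largest size that still gets an answer. TARGET and the bounds are assumptions.

# ICMP echo payload <-> on-the-wire IPv4 packet size: 20 B IP + 8 B ICMP header,
# the "1500(1528)" pairing ping prints in the thread.
payload_to_mtu() { echo $(( $1 + 28 )); }
mtu_to_payload() { echo $(( $1 - 28 )); }

# Extract the "mtu=NNNN" hint from a "Message too long" line on stdin, if present.
mtu_hint() { sed -n 's/.*mtu=\([0-9][0-9]*\).*/\1/p' | head -n 1; }

# Real probe: succeed when one DF-marked ping with $1 payload bytes is answered.
probe() { ping -c 1 -W 2 -M do -s "$1" "$TARGET" >/dev/null 2>&1; }

# find_max_payload PROBE LO HI: largest payload in [LO,HI] for which PROBE
# succeeds, or 0 if none does. PROBE is a function name so the search can be
# exercised offline against a fake link.
find_max_payload() {
    _fmp_probe=$1 _lo=$2 _hi=$3 _best=0
    while [ "$_lo" -le "$_hi" ]; do
        _mid=$(( (_lo + _hi) / 2 ))
        if "$_fmp_probe" "$_mid"; then
            _best=$_mid; _lo=$(( _mid + 1 ))
        else
            _hi=$(( _mid - 1 ))
        fi
    done
    echo "$_best"
}

# Only touch the network when a target is given, e.g. TARGET=172.30.1.1 sh mtu.sh
if [ -n "${TARGET:-}" ]; then
    p=$(find_max_payload probe 0 1472)   # 1472 + 28 = 1500, a clean Ethernet path
    echo "largest unfragmented payload: $p bytes -> path MTU $(payload_to_mtu "$p")"
fi
```

Run it from each UTM toward the remote internal IP, as Bob suggests doing from both sides; a result well below 1500 on one direction only points at the link, not the firewall.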
  • I think you might have been right Bob. I selected the "support path MTU discovery" on both units, reconnected the VPN and did some test copies. Now on Site B, a copy from Site A is getting between 1.5 and 2 MBps and spiking to 2.8 MBps, which is pretty good. :) On the dashboard I can see the Site B fiber line maxing at between 19 and 20 Mbps.