Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 13204 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL Remote Access slow speed on internal servers

Paul Kocher

Hey everybody!

Yesterday I started testing remote access (SSL). This all works fine - The DNS resolves all internal hostnames and also accessing internal servers isn't an issue.

However when I use one of the main programs we use in our company, working with it is really slow.

The program connects to a SQL-Server in the LAN. When I'm on site this takes no longer than a few seconds - using SSL it's stuck for almost a minute.

So I tried copying some files back and forth and realized it wasn't really a speed issue.

 

Also I would say the firewall is set-up correctly.

Since I had slow speed using the VPN on the first try I changed the protocol to TCP and changed the Port, too.

Compression is enabled.

 

Anyone else ran in this problem and was able to fix it?

Searched for answers for hours but couldn't find anything matching my problem.

 

It only really happens when other programs are accessing internal servers.

 

Cheers Paul



This thread was automatically locked due to age.
  • 0

    Hi Paul,

     

    Yes, tried that too and depending on the application it might not be easy to solve.

    SSL VPN is not really really fast, and it should performance wise run best with the UDP protocol and compression on if you have enough spare cpu resources on the firewall.

    Either way, the lag and bandwidth limitations on SSL VPN generates a pretty steep penalty on SQL traffic.

    You might want to make sure that IPS or QOS it not capturing your traffic as fx. flood.

     

    Remember when you change protocol to also download a new config for your client.

     

    You might want to make sure that your SQL server support TCP/IP connections and not only named pipes, also access it if possible directly on the IP adresse to avoid further lag on dns lookups.

    If neither works, as it was the case here with a financial application locked in most connection setting, we had to setup remote app lunch via rdp for the application.

     

    In our development department we offer the developers to SSH tunnel into their LAN and run sql and development tools thru the SSH.

     

    Sorry, no golden solution from me but maybe a few new places to look and tweak.

     

    Good luck

  • 0

    I like Vels' suggestions.  Did you try #1 in Rulz?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    Hi Paul,

    Here are the fastest possible VPN settings.

    1. Using a UDP port for the connection

    2. Encryption: DES-EDE3-CBC

    3. Authentication: MD5

    4. Key Size: 1024

    5. Having 'Compress SSL VPN traffic' check both ways enabled/disabled.

    Import the SSL client config after the change.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Hi sachingurung,

     

    If I change my settings to your recommended settings. do i need to redownload the remote client profile?

     

    Do you know if there is a way to create a test profile for remote access?

  • 0 in reply to Macky

    Hi Macky, 

    Yes, you need to redownload and import the new updated configuration file.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Unfiltered HTML