Slow downloads on smartphones connected over AP

Hi,

We have a WiFi running for our smartphones, mainly to update Android and apps. WiFi is offered through an AP55. Only smartphones can connect, based on their MAC address. There is a separate firewall rule for these connections with the following options active: HTTP scanning, block Google QUIC, detect zero-day malware with Sandstorm, scan FTP.

Unfortunately downloads are very slow. App updates take a long time and Android updates are canceled at a certain point by the smartphone itself.

As all updates are done over secure socket layer protocol and HTTPS scanning is not active, I wonder what could be the reason. I checked the IP addresses that are used during update and always got to https://r3---sn-h0jeened.gvt1.com/ and https://r4---sn-h0jeened.gvt1.com/ so I excluded gvt1.com from HTTPS scanning, malware scanning and Sandstorm. But this also showed no improvement in download speed.

Currently I wonder if the throughput of the AP55 is that slow?

 

Does anybody have any suggestions? Thanks.

  • In reply to LuCar Toni:

    Why should it be ok after recreating when it was already created with the current firmware?

    What if I create an additional wifi network which creates an additional wireless interface? Should this have an MTU of 1500 right now (without deleting and recreating the other networks)?

  • In reply to Jelle:

    The MTU size (1450) is written in the database. 

    So can you explain the history of your current installation? Because we don't change such things with a firmware update. Basically the appliance should create everything new with the correct value (1500). 

    But dja already explained, it is not. So I have to assume that the appliance does not allow creating 1450 and 1500 on one access point (which is clearly correct, because this would cause a real mess). 

    So basically if you delete everything from the wireless protection and maybe disable and enable the wireless protection, the newly created wireless network should work fine. 

    You could also go with Sophos Support. It could be possible to change the MTU size via the database, but I would not do that. 

    TBH, recreating wireless protection is a 5-10 minute task. 

  • In reply to LuCar Toni:

    The appliance was first installed in February 2018 with SFOS 17 and was directly updated to 17.0.5-MR5. It was updated to 17.1.1-MR1 about 5 weeks ago. WiFi with AP55 was set up about 3 weeks ago. So where does MTU 1450 come from when it was fixed in 16.05?

  • In reply to Jelle:

    I cannot tell you how this can happen. 

    I already checked three appliances right now. All wireless networks are correct there. 

    And this is the first time in 2 years that I could find such an issue. 

     

    Found some threads about this. 

    https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/76768/unacceptable-guest-wifi-performance-regular-wifi-is-ok

     

    Also interesting is the initial firmware. You updated it "directly to MR5". From which version? 

  • In reply to LuCar Toni:

    ManBearPig

    So I have to assume that the appliance does not allow creating 1450 and 1500 on one access point (which is clearly correct, because this would cause a real mess). 

    Tested again and you're right. I've created a new Wireless Network, it has an MTU size of 1500. Then I assigned this new Wireless Network to an existing AP, now it has an MTU size of 1450.

    We also would prefer to just change the values, instead of re-creating several WiFi networks...

    PS: We're coming from SFOS 15. It has been a loooong way. ;)

  • In reply to dja:

    I can confirm that. A new wireless network has MTU 1500 until assigned to the AP. Then it has MTU 1450. Unassigning it from the AP has no effect, MTU still is 1450. So I have to delete all wifi networks (3 active networks) and then do what? Delete the AP?

  • In reply to Jelle:

    Hi,

    Seems like the config of the MTU is attached to the AP. 

    So delete the AP and try to attach it again to the AP. Should stay with MTU1500 and this will most likely resolve all your issues. 

  • In reply to LuCar Toni:

    Do you work with a testing system? Would it then be possible to test this? Our XG and WiFi are productive systems so I wouldn't want to test it on them.

  • In reply to LuCar Toni:

    ManBearPig

    So delete the AP and try to attach it again to the AP. Should stay with MTU1500 and this will most likely resolve all your issues.  

    I'm not quite sure. I've used a dedicated AP and a new Wireless Network for testing. Both of them never have seen SFOS 16.05.2 before. But now I know where to look, so I'll test it again.

    Jelle

    dja do you work with a testing system? Would it then be possible to test this?

    Not really, but I think tomorrow I will have some time for testing. :)

  • In reply to dja:

    Also possible to contact Sophos Support. But I am not quite sure which way is most likely the fastest. I would recreate everything, because it takes only a couple of minutes. Delete the network, delete the AP, disable the Wireless Protection. Enable it and add the AP plus create the wireless network. 

  • TBH I don't expect MTU to be the root cause of your slowness. Google Play and some other services often used on Android don't play well with AV scanning or MITM of the proxy. Especially AV scanning might create delays which can interrupt downloads and let them fail.

     

    Over time I collected the following list of URLs, which I exclude from everything (HTTPS, Sandstorm and AV and Policy) in the web proxy:

     

    ^([A-Za-z0-9.-]*\.)?ytimg\.com\/

    ^([A-Za-z0-9.-]*\.)?gvt1\.com\/

    ^android\.clients\.google\.com\/

    ^play\.googleapis\.com\/

    ^([A-Za-z0-9.-]*\.)?googleapis\.com\/

    ^connectivitycheck\.gstatic\.com\/

    ^([A-Za-z0-9.-]*\.)?googleusercontent\.com\/

    ^([A-Za-z0-9.-]*\.)?ggpht\.com\/

    ^([A-Za-z0-9.-]*\.)?youtube\.com\/

    ^youtubei\.googleapis\.com\/

     

    Works fine for me. As I also have Sophos AV (SMSEC) installed on my Android phones, bypassing those sites from scanning will not hurt too much. If your phone is updating via mobile networks, you're also no better protected ;o)

     

    /Sascha
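
Added example, not part of Sascha's post: a Python check of which URLs the exception list above bypasses, and which entries are already covered by a wildcard entry in the same list. It assumes the proxy matches each pattern against host plus path with the scheme removed; the function names are hypothetical and every sample URL except the gvt1.com one from the first post is constructed.

```python
import re
from urllib.parse import urlsplit

# Exception patterns copied verbatim from the post above.
EXCEPTIONS = [
    r"^([A-Za-z0-9.-]*\.)?ytimg\.com\/",
    r"^([A-Za-z0-9.-]*\.)?gvt1\.com\/",
    r"^android\.clients\.google\.com\/",
    r"^play\.googleapis\.com\/",
    r"^([A-Za-z0-9.-]*\.)?googleapis\.com\/",
    r"^connectivitycheck\.gstatic\.com\/",
    r"^([A-Za-z0-9.-]*\.)?googleusercontent\.com\/",
    r"^([A-Za-z0-9.-]*\.)?ggpht\.com\/",
    r"^([A-Za-z0-9.-]*\.)?youtube\.com\/",
    r"^youtubei\.googleapis\.com\/",
]
COMPILED = [(p, re.compile(p)) for p in EXCEPTIONS]

def normalise(url):
    """Assumption: the proxy matches on host + path with the scheme removed."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "") + (parts.path or "/")

def matching_patterns(url):
    """Return every exception pattern that would exempt url from scanning."""
    target = normalise(url)
    return [p for p, rx in COMPILED if rx.search(target)]

def is_bypassed(url):
    return bool(matching_patterns(url))

def redundant_patterns():
    """Exact-host entries that a wildcard entry in the list already covers."""
    out = []
    for p in EXCEPTIONS:
        if p.startswith("^(["):
            continue  # wildcard entry, not an exact host
        host = p[1:-2].replace("\\", "") + "/"  # "^a\.b\/" -> "a.b/"
        if any(q != p and rx.search(host) for q, rx in COMPILED):
            out.append(p)
    return out

if __name__ == "__main__":
    for u in ["https://r3---sn-h0jeened.gvt1.com/",            # from the thread
              "https://storage.googleapis.com/bucket/file.apk",  # constructed
              "https://googleapis.com.example.net/x"]:           # constructed
        print(u, "->", matching_patterns(u) or "scanned")
    print("redundant:", redundant_patterns())
```

The wildcard `googleapis.com` entry exempts every subdomain, not only the Play endpoints, so the two exact `googleapis.com` entries add nothing and the list's real scope is wider than its Android-update purpose suggests.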

     

  • In reply to LuCar Toni:

    ManBearPig

    I would recreate everything, because it takes only a couple of minutes. Delete the network, delete the AP, disable the Wireless Protection. Enable it and add the AP plus create the wireless network. 

    Not so easy. We're using many hotspot vouchers and I'm not willing to risk that all vouchers are getting unusable.

    SaschaParis

    Google Play and some other services often used on Android don't play well with AV scanning or MITM of the proxy.

    In our case it's not limited to Google services. We're experiencing general Guest WiFi performance problems. Even if I download a Debian image. If we disable Scan HTTP and Web Policy the throughput is getting normal. As said, we're also using these two components in several other Network Rules, there are no problems with them at all, only in Separate Zone WiFi.

     

    I've just deployed a new AP and configured a new Wireless Network for it. Initially the Wireless Network has an MTU of 1500. After I've assigned it to the AP, the MTU is now 1450 again. :(

  • In reply to dja:

    You will most likely lose all your vouchers. So better open a ticket with the support for some help. 

  • In reply to LuCar Toni:

    ManBearPig

    So better open a ticket with the support for some help. 

    Sadly Support says they can't change the MTU value.

     

    Since I've already configured a new Wireless Network on a new AP and it didn't work, who says it will work if we reconfigure everything from scratch? :-/

  • In reply to dja:

    Do you have a support ticket id for  ? 

    I am just trying to help you with some hints.