Slow Throughput after installing v18 EAP

Hi,

I upgraded from v17.5.8 to v18 EAP about a week ago and noticed a drop in performance and an increased RAM usage.

I do have a XG115 rev2 Appliance installed with the Software  Image and a Home Use License.

My Internet connection is 100/40.

With version 17.5.8 I was able to reach about 80 to 90 Mbit download (I already expected more from the hardware)

After the Upgrade I only reach about 50 to 60 Mbit download. There is no DPI or webfiltering activated and it doesn't matter if i activate IPS or not.

SSL/TLS Inspection is turned on but there are not any rules.

Are there any tweaking options for the software version of Sophos XG running on a HW Appliance?

Thank you!

  • As posted in the initial Announcement: 

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-fire-eap-firmware-is-here

    • The firmware has yet to be tuned for performance. Expect to see faster speeds in future builds.

     

    Do you use a hardware Bridge? 

    Do you use IPS?

    Do you use SSLx (even one rule with "Do not Decrypt")? 

  • In reply to LuCar Toni:

    I just would like to know if there are some switches which would increase performance when using a appliance with a software image.

    No bridge is in place.

    I tried ot with and without IPS. Didn't make any difference.

    SSLx is not in use. Only the default rules are in place.

  • I have 300x30 service and was getting higher than that on 17.  Since going to 18, the max I get is also 50-60 down.

    I have SSL/TLS inspection disabled.  I'm in the same boat, no matter what I've tried disabling, there's no change in performance.  Hopefully the next release will be out sooner than later!

     

    On the positive note, the admin interface is MUCH faster than v17 was.

  • In reply to LuCar Toni:

    Hello,

    Is there any news on this question?

    I’ve been using v18 EAP 1 since launch, and the performance difference between v17.5.8 and v18 is wierd. The v18 has supposed to be faster, but it’s slower.

     

    I’m currently with Intel J1900 + 8GB ram with Intel 82576 NIC.

    I’ve made a clean installation, and used IPS GeneralPolicy, ATP (Log and Drop), Default Policy for Web and no HTTPS Decrypt for the testing.

    v17.5.8, I would be able to get 260mbit/s which is my WAN download limit, while using less than 45% of CPU usage. With HTTPS Decrypt on, i still has able to get 260mbit/s.

    v18, i can barely get 120mbit/s, that’s without TLS/SSL Inspection or HTTPS Decrypt via Web Proxy. If i use HTTPS Decrypt via Web Proxy, i would get the same speeds on any HTML5 speedtest. With TLS/SSL Inspection the throughput would get even lower to 80mbit/s.

    Here’s how it looks like with top on v18. Snort is always using 100% of the CPU.

     

    Is there anything that i can do to archive better speeds. Or it’s an issue in my end?

     

    Thanks,

  • In reply to Prism:

    Interesting thread. Someone from Sophos dev team should investigate on that. It is still a beta and they still adjusting “the code” but your case seems to be interesting.

  • In reply to lferrara:

    I saw this issue earlier. As far as i know, its already fixed in the next version.

     ? 

  • In reply to LuCar Toni:

    Hi folks,

    my throughput is the same, but response times have blown out and ram usage is up which I assume is caused by all the debugging code left active.

    Ian

  • In reply to rfcat_vk:

    I think ram usage is going to stay about the same due to additional DPI engine. They are not supporting appliances less that 4GB. I even tried installing a vm with less that 4GB and the installation fails. Even after installation, if you try to decrease the ram in a vm, the firewall goes to safe mode if the ram gets below 3600MB.

    I also found that the load average is considerably higher compared to v17.xx Compare you old load average graphs and there is definitely an uptick.

  • In reply to Billybob:

    Hi Billyboy,

    RAM increase is fine, but going from low 40% to low 70% is a rather large increase on a 6gb system.

    Also as you point ou the load has increased from just over 2 to just under 4.

    So we wait and see what the next version brings?

    Ian

  • In reply to LuCar Toni:

    Could you retest V18 EAP1 Refresh1? 

  • In reply to LuCar Toni:

    Hi,

    I've retest it on V18 EAP1 Refresh1, throughput still the same as v18, which is way slower than v17.5.8. I've decided to go back to v17.5.8 just to do some testing again, because i through could be something wrong with my hardware, but the throughput difference still high.

    Here's an CPU Usage graph from v17.5.8, while using all my WAN download throughput limit, 240-260 mbit/s. With IPS on generalpolicy.

     

    Here's on v18 EAP 1 Refresh 1. You can see the CPU spike at 8:30, that's when i decide to try download centos 8, throughput limit at it has 130mbit/s

     

     

    I didn't take any pictures, but for fun i've decide to make a VM of v18 EAP1, with 4 cores/6GB ram(Host => Ryzen 1700, 32GB ram), while on v17.5.8 I could get gigabit speeds on it (Using VirtiO Drivers i could get aroung 1.2 - 1.4 Gbit/s), on v18 the max speed i would get has aroung 480-510 mbit/s on iperf3.

     

    Thanks,

  • In reply to Prism:

    Could you please verify the used drivers in V18? 

    Check please via ethtool of each interface. 

  • In reply to LuCar Toni:

    SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool -i Port2
    driver: igb
    version: 5.3.5.20
    firmware-version: 1.2.1
    expansion-rom-version:
    bus-info: 0000:01:00.1
    supports-statistics: yes
    supports-test: yes
    supports-eeprom-access: yes
    supports-register-dump: yes
    supports-priv-flags: no


    SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool -i Port1
    driver: igb
    version: 5.3.5.20
    firmware-version: 1.2.1
    expansion-rom-version:
    bus-info: 0000:01:00.0
    supports-statistics: yes
    supports-test: yes
    supports-eeprom-access: yes
    supports-register-dump: yes
    supports-priv-flags: no

  • In reply to Prism:

    Can you please show us the output of ethtool without -i ?

  • In reply to LuCar Toni:

    SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool Port1
    Settings for Port1:
            Supported ports: [ TP ]
            Supported link modes:   10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
                                    1000baseT/Full
            Supported pause frame use: Symmetric
            Supports auto-negotiation: Yes
            Supported FEC modes: Not reported
            Advertised link modes:  10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
                                    1000baseT/Full
            Advertised pause frame use: Symmetric
            Advertised auto-negotiation: Yes
            Advertised FEC modes: Not reported
            Speed: 1000Mb/s
            Duplex: Full
            Port: Twisted Pair
            PHYAD: 1
            Transceiver: internal
            Auto-negotiation: on
            MDI-X: off (auto)
            Supports Wake-on: pumbg
            Wake-on: g
            Current message level: 0x00000007 (7)
                                   drv probe link
            Link detected: yes

     

    SFVH_SO01_SFOS 18.0.0 EAP1-Refresh1# ethtool Port2
    Settings for Port2:
            Supported ports: [ TP ]
            Supported link modes:   10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
                                    1000baseT/Full
            Supported pause frame use: Symmetric
            Supports auto-negotiation: Yes
            Supported FEC modes: Not reported
            Advertised link modes:  10baseT/Half 10baseT/Full
                                    100baseT/Half 100baseT/Full
                                    1000baseT/Full
            Advertised pause frame use: Symmetric
            Advertised auto-negotiation: Yes
            Advertised FEC modes: Not reported
            Speed: 1000Mb/s
            Duplex: Full
            Port: Twisted Pair
            PHYAD: 1
            Transceiver: internal
            Auto-negotiation: on
            MDI-X: off (auto)
            Supports Wake-on: d
            Wake-on: d
            Current message level: 0x00000007 (7)
                                   drv probe link
            Link detected: yes