
Poor SSL VPN performance when using TCP

Hello folks,


I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware, and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115, etc.) and it's always the same: TCP performance on SSL VPN is plain bad, and there is no heavy load on the CPUs involved.


Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?



  • With all I tested so far: XG210, XG125, XG105, and even the software version running on an Intel i5 quad-core with 6 GB RAM. They all behave the same. With TCP, regardless of the port used, I am not able to get more than ~16 Mbit/s. With UDP these problems simply don't exist.

  • I am currently in the process of reproducing this. Do you know if this issue started with a specific version?

    I also recommend following the steps to create a Support Case for tracking purposes.


  • I've created a ticket yesterday, here is the number: #9942092

    This is pretty much a bug in the XG firmware, since I reproduced it on multiple devices with different internet connections. We also have a few SG125 devices in use, and I can assure you that UTM does not have this problem at all.

    I also use UTM at home as a virtual appliance and get the full ~53 Mbit/s upload, using any TCP port I want with SSL VPN. For testing purposes I installed a virtual XG firewall on the same hardware, and I see the same behaviour as with our customers' appliances: TCP SSL performance is pretty bad. Given that, you should easily be able to reproduce this. Otherwise, if someone really needs access to get packet captures, we need to do this during my working hours.

    To answer your question: unfortunately I don't know if it ever worked properly on XG, since the problem only came to our attention because so many people are working from home right now and complain about bad VPN performance. After I installed a blank XG at home which showed the same behaviour, knowing that UTM does not, since I have been using it for years now, I am sure that this is related to the XG firmware and should affect pretty much everyone. Of course, if you don't have an upload big enough to run into this, it won't be identified as a problem at all.

    I did the following tests just yesterday:

    Hardware: XG210
    Internet connection: ~1000 Mbit/s down, ~80 Mbit/s up
    UDP SSL VPN: ~60 Mbit/s
    TCP SSL VPN: ~11 Mbit/s

    Hardware: XG125
    Internet connection: ~90 Mbit/s down, ~38 Mbit/s up
    UDP SSL VPN: ~30 Mbit/s
    TCP SSL VPN: ~11 Mbit/s

    Virtual Home Appliance
    Internet connection: ~1000 Mbit/s down, ~53 Mbit/s up
    UDP SSL VPN: ~53 Mbit/s
    TCP SSL VPN: ~16 Mbit/s

  • Could we take a look into this?


  • Hi,

    Thanks for sharing your case number and providing additional information.

    I'll have someone from the Community team help take a look and follow up with you.


    Florentino
    Director, Global Community & Digital Support

  • We also have this issue at our office. SSL VPN over TCP is DOG SLOW. We're using an XG 210 as our edge device. I did a late-night test a couple of times, switching the config to UDP, and there's no contest. SSL VPN over UDP performance absolutely smokes SSL VPN with a TCP tunnel. Using TCP we're also limited to about 2 Mbit/s throughput right now. I just thought it was a limitation of a TCP tunnel.

    I'm in the process of setting up all our people using Sophos Connect with IPSec so I can change the SSL VPN config to a UDP tunnel and then slowly migrate everyone back. If the TCP performance could be fixed in an update, that would be so much nicer.

    Thanks,

    Tim

  • Hey Tim,

    I can assure you that this is not related to TCP per se, but to XG in particular. UTM (SG firewall) does not have performance problems with TCP SSL VPN. I get my full 53 Mbit/s with TCP, while UDP fluctuates around 45-53 Mbit/s. Taking that into account, TCP is even a bit more stable than UDP on UTM. Since I didn't alter the MTU size on either XG or UTM (it's 1500 on both by default), I can rule out an MTU issue. If this were really a problem, UTM should show the same bad TCP SSL VPN performance as XG, which it clearly doesn't.

  • Could we try to get at least some related information?

    As you can reproduce this on multiple appliances, I am curious how those appliances could be related.

    Maybe something like "all appliances are sitting behind another router from provider X" or "all appliances are installed with an ISO from firmware X".



  • Hello,

    These appliances belong to different customers, so they have nothing in common but being XG firewalls. I thought this would be clear, as I wrote that I tested them with different internet connections. The XG210 is sitting behind another router that is configured to pass all traffic to it; the others are connected directly, thus holding the WAN IP too. They have been installed at different times, with different images, but now share roughly the same version, with 18.0 GA-Build379 being the oldest one, since I am keeping all appliances up to date. The XG210 I gave you access to was installed on 11th March this year with the then up-to-date image. The XG125 was installed years ago, and my virtual appliance was just installed to test this, so just some days ago. Theoretically I have many more XG firewalls to test, but those are not connected to internet connections fast enough.

    More interestingly: did you try to reproduce this? I really can't imagine that this is not reproducible at all.

  • I did another test with a freshly installed virtual XG. I used the latest software .iso from here: https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-v18-mr1-build396
    It is connected to my home connection (1000 Mbit/s down, 53 Mbit/s up) and holds my public WAN IP. No other routers are involved. I didn't even register or activate it.

    Everything I configured was the following:

    01. Configured default CA (for obvious reasons)
    02. Created a firewall rule to allow all traffic from VPN zone to ANY
    03. Created a SSL VPN remote access profile for use as Default Gateway
    04. Created a testuser
    05. Added testuser to group "Open Group" and selected the remote access profile created in step 3
    06. Downloaded SSL VPN Client from Userportal and installed it on a machine hosted in a remote site
    07. Connected VPN and went to https://fast.com for a speedtest. Result: 14 Mbit/s
    08. Changed default SSL settings from TCP to UDP
    09. Downloaded new config from userportal and added it to SSL VPN client installed in step 6
    10. Connected VPN and went to https://fast.com for a speedtest. Result: 50 Mbit/s

    There you have it, folks. If anyone at Sophos declares this as not reproducible, I can just shake my head and go back to UTM or another vendor. Maybe I'll keep doing your work and install a fresh UTM now to do the same test again, already knowing what is going to happen, because I used UTM for years with TCP SSL VPN.
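The A/B test in the steps above hinges on the two downloaded client profiles differing only in transport. The helper below is an added example for this thread, not code from the poster or from Sophos. It assumes the profile the user portal hands out is in OpenVPN format (the Sophos SSL VPN client is OpenVPN-based) and uses the standard `proto`, `remote`, `port`, `tun-mtu`, `mssfix` and `fragment` directives; it reports the transport a profile really uses (a per-`remote` proto token overrides the global `proto` line, and both default to UDP), shows the MTU-related directives so they can be confirmed identical between the TCP and UDP runs, and flips a profile between `tcp` and `udp` for a repeat test. The sample profile, hostname and certificate body are constructed placeholders.

```python
"""Inspect a Sophos SSL VPN client profile and flip it between TCP and UDP.

Added example for this thread, not Sophos code.  Assumes the profile the
user portal hands out is OpenVPN format (the Sophos SSL VPN client is
OpenVPN-based) with the standard directives proto, remote, port, tun-mtu,
mssfix and fragment.  SAMPLE_PROFILE is constructed; hostname and
certificate are placeholders.
"""
import re
from typing import Dict, List

# Directives OpenVPN accepts only together with --proto udp; a profile that
# still carries them after a switch to TCP refuses to start.
UDP_ONLY = {"fragment", "explicit-exit-notify"}

# Inline PEM blocks (<ca>...</ca>, <tls-auth>...</tls-auth>, ...) carry no
# transport settings and are skipped when parsing.
INLINE_BLOCK = re.compile(r"<([a-z-]+)>.*?</\1>", re.S)

SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.invalid 8443 tcp
auth-user-pass
cipher AES-256-CBC
auth SHA256
tun-mtu 1500
mssfix 1400
<ca>
-----BEGIN CERTIFICATE-----
constructedplaceholder==
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # OpenVPN comment lines
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def normalize_proto(proto: str) -> str:
    """Collapse tcp/tcp4/tcp6/tcp-client and udp/udp4/udp6 to 'tcp' or 'udp'."""
    return "tcp" if proto.lower().startswith("tcp") else "udp"


def transport_summary(text: str) -> dict:
    """Report the transport in effect: a proto token on a remote line wins over
    the global proto line, and both fall back to OpenVPN's default of UDP."""
    d = parse_profile(text)
    global_proto = normalize_proto(d["proto"][0][0]) if "proto" in d else "udp"
    global_port = d["port"][0][0] if "port" in d else "1194"
    remotes = []
    for args in d.get("remote", []):
        port = args[1] if len(args) > 1 else global_port
        proto = normalize_proto(args[2]) if len(args) > 2 else global_proto
        remotes.append((args[0], port, proto))
    return {
        "proto": global_proto,
        "remotes": remotes,
        "tun_mtu": int(d["tun-mtu"][0][0]) if "tun-mtu" in d else 1500,  # OpenVPN default
        "mssfix": int(d["mssfix"][0][0]) if "mssfix" in d else None,     # None: OpenVPN default applies
        "udp_only_directives": sorted(k for k in UDP_ONLY if k in d),
    }


def switch_proto(text: str, target: str) -> str:
    """Return a copy of the profile using `target` ('tcp' or 'udp') for the
    global proto and every remote, leaving inline PEM blocks untouched.
    When the target is TCP, UDP-only directives are dropped."""
    if target not in ("tcp", "udp"):
        raise ValueError("target must be 'tcp' or 'udp'")
    out: List[str] = []
    in_block = False
    saw_proto = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                        # copy PEM lines verbatim
            out.append(raw)
            in_block = not re.fullmatch(r"</[a-z-]+>", line)
            continue
        if re.fullmatch(r"<[a-z-]+>", line):
            in_block = True
            out.append(raw)
            continue
        parts = line.split()
        key = parts[0] if parts and not line.startswith(("#", ";")) else None
        if key == "proto":
            saw_proto = True
            out.append(f"proto {target}")
        elif key == "remote" and len(parts) > 3:   # remote host port proto
            parts[3] = target
            out.append(" ".join(parts))
        elif key in UDP_ONLY and target == "tcp":
            continue                        # would make OpenVPN refuse to start
        else:
            out.append(raw)
    if not saw_proto:                       # no proto line: default was udp
        out.insert(0, f"proto {target}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("original:", transport_summary(SAMPLE_PROFILE))
    print("switched:", transport_summary(switch_proto(SAMPLE_PROFILE, "udp")))
```

Run `transport_summary` on both profiles before the speed tests: if `tun_mtu` or `mssfix` differ between them, the comparison measures more than just the transport. `switch_proto` only edits the client side; the firewall's SSL VPN listener still has to be set to the matching protocol and port, as in step 08 above.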