

Poor SSL VPN performance when using TCP

Hello folks,


I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware, and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad, and there is no heavy load on the CPUs involved.


Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?

This thread was automatically locked due to age.
  • Shouldn't be the case, as I tested it with Sophos Connect 2.0 back in the days on multiple devices. 

    Do you use Compression on SSLVPN? 

    Did you try Sophos Connect 2.0 or the OpenVPN Client? 

    Did you only try SMB? Can you try other protocols, as SMB can actually cause such problems (retransmissions). 

    Likely caused by MTU Issues:




  • I really need this to get sorted out, otherwise we will stop deploying XG firewalls to our customers. Since it has nothing to do with SMB and SG Firewall is using the very same MTU size, it should be something else going on.

  •  /  Could we take a look into this? 


  • Hi  

    Thanks for sharing your case number and providing additional information.

    I'll have someone from the Community team help take a look and follow up with you.

    Director, Global Community & Digital Support

  • We also have this issue at our office. SSL VPN over TCP is DOG SLOW. We're using an XG 210 as our edge device. I did a late-night test a couple of times switching the config to UDP, and there's no contest. SSL VPN over UDP performance absolutely smokes SSL VPN with a TCP tunnel. Using TCP we're also limited to about 2 Mbit/s throughput right now. I just thought it was a limitation of a TCP tunnel.

    I'm in the process of setting up all our people using Sophos Connect with IPSec so I can change the SSL VPN config to a UDP tunnel and then slowly migrate everyone back. If the TCP performance could be fixed in an update, that would be so much nicer.



  • Hey Tim,

    I can assure you that this is not related to TCP per se, but to XG in particular. UTM (SG firewall) does not have performance problems with TCP SSL VPN. I get my full 53 Mbit/s with TCP, while UDP is fluctuating around 45-53 Mbit/s. Taking that into account, TCP is even a bit more stable than UDP on UTM. Since I didn't alter the MTU size on either XG or UTM (it's 1500 on both by default), I can rule out an MTU issue. If this was really a problem, UTM should show the same bad TCP SSL VPN performance as XG, which it clearly doesn't.

  • Could we try to get at least some related information?

    As you can reproduce this on multiple appliances, I am curious how those appliances could be related.

    Maybe something like "all appliances are sitting behind another router from provider X", "all appliances are installed with an ISO from firmware X". 



  • Hello,

    these appliances belong to different customers, so they have nothing in common but being XG firewalls. I thought this would be clear as I wrote that I tested them with different internet connections. The XG210 is sitting behind another router that is configured to pass all traffic to it; the others are connected directly, thus holding the WAN IP too. They have been installed at different times, with different images, but now share roughly the same version, with 18.0 GA-Build379 being the oldest one, since I am keeping all appliances up-to-date. The XG210 I gave you access to was installed on 11th March this year with the then up-to-date image. The XG125 was installed years ago, and my virtual appliance was just installed to test this, so just some days ago. Theoretically I have many more XG firewalls to test, but those are not connected to internet connections fast enough.

    More interestingly: Did you try to reproduce this? I really can't imagine that this is not reproducible at all.

  • I did another test with a freshly installed virtual XG. I used the latest software .iso from here:
    It is connected to my home connection (1000 Mbit/s down, 53 Mbit/s up) and holds my public WAN IP. No other routers are involved. I didn't even register or activate it.

    Everything I configured was the following:

    01. Configured default CA (for obvious reasons)
    02. Created a firewall rule to allow all traffic from VPN zone to ANY
    03. Created an SSL VPN remote access profile for use as Default Gateway
    04. Created a testuser
    05. Added testuser to group "Open Group" and selected the remote access profile created in step 3
    06. Downloaded SSL VPN Client from Userportal and installed it on a machine hosted in a remote site
    07. Connected VPN and went to for a speedtest. Result: 14 Mbit/s
    08. Changed default SSL settings from TCP to UDP
    09. Downloaded new config from userportal and added it to SSL VPN client installed in step 6
    10. Connected VPN and went to for a speedtest. Result: 50 Mbit/s

    There you have it, folks. If anyone at Sophos declares this as not reproducible, I can just shake my head and go back to UTM or another vendor. Maybe I'll keep doing your work and install a fresh UTM now to do the same test again, already knowing what is going to happen, because I used UTM for years with TCP SSL VPN.

  • This is 100% reproducible, I've just tested myself with 400/200 WAN connection, with TCP I can't go above 25Mbit/s while a single core of my XG spikes to 100%, and on UDP I can reach the full 200Mbit/s.

    This has been happening since v17.5, I hope it's fixed soon.


  • I did another test with the VPN client downloaded from a UTM appliance, but with the config from my test XG. Same results. I guess they are both the same anyway. I also did a test with the official OpenVPN beta client (openvpn-connect- Same results, so this is not related to client software at all. My UTM reaches the full 53 Mbit/s with all clients I tested on TCP SSL VPN connections.

  • SFVH_SO01_SFOS 18.0.1 MR-1-Build396# openvpn --version
    OpenVPN 2.3.6 i486-openwrt-linux-gnu


    Jesus Christ, can any developer at Sophos at least update OpenVPN to a more recent version? Seriously, 2.3.6 came out in December 2014; it didn't even have support for AES-GCM.


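As an added example (not from the thread, Sophos or OpenVPN), a small POSIX shell check that parses the "openvpn --version" banner quoted above and flags builds older than 2.4, the release that introduced AEAD cipher (AES-GCM) support; the banner string is constructed sample input so the script runs offline.

```shell
#!/bin/sh
# Added example: version check for an OpenVPN banner (not part of the thread).
# Builds before 2.4 cannot negotiate AEAD ciphers such as AES-GCM.

# Extract "major.minor.patch" from the first line of the banner.
openvpn_version() {
    printf '%s\n' "$1" | sed -n '1s/^OpenVPN \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions field by field; prints -1, 0 or 1.
# Missing fields count as 0, so "2.4" equals "2.4.0".
version_cmp() {
    a="$1"; b="$2"
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) if the banner describes a release before 2.4; exit 2 if unparseable.
lacks_aead_support() {
    v=$(openvpn_version "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "2.4.0")" -lt 0 ]
}

# Constructed sample: the banner posted in the thread.
BANNER='OpenVPN 2.3.6 i486-openwrt-linux-gnu'
if lacks_aead_support "$BANNER"; then
    echo "OpenVPN $(openvpn_version "$BANNER"): pre-2.4, no AES-GCM (AEAD) support"
else
    echo "OpenVPN $(openvpn_version "$BANNER"): 2.4 or newer"
fi
```

On a live system the banner would come from "openvpn --version" itself; the parsing and comparison stay the same.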