Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +4 person also asked this people also asked this
  • Locked Locked
  • Replies 100 replies
  • Answers 2 answers
  • Subscribers 53 subscribers
  • Views 53590 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Poor SSL VPN performance when using TCP

Dreamcatcher

Hello folks,

 

i am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP i only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and i get the full 50 MBit/s. This is not acceptable at all, since i always got the full performance with UTM on even slower hardware and i need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad and there is no heavy load on the CPUs involved.

 

Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?



This thread was automatically locked due to age.
Parents
  • 0

    Shouldnt be the case, as i tested it with Sophos Connect 2.0 back in the days on multiple devices. 

    Do you use Compression on SSLVPN? 

    Did you try Sophos Connect 2.0 or the OpenVPN Client? 

    Did you only try SMB? Can you try other protocols, as SMB can actually cause such problems (re transmissions). 

    Likely caused by MTU Issues: https://forums.openvpn.net/viewtopic.php?t=25039

     

     

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I really need this to get sorted out, otherwise we will stop deploying XG firewalls to our customers. Since it has nothing to do with SMB and SG Firewall is using the very same MTU size, it should be something else going on.

  • 0 in reply to Prism

    I did another test with the VPN Client downloaded from a UTM appliance, but with the config from my test XG. Same results. I guess they are both the same anyway. I also did a test with the official OpenVPN beta client (openvpn-connect-3.1.3.713_signed). Same results, so this is not related to client software at all. My UTM reaches the full 53 Mbit/s with all clients i tested on TCP SSL VPN connections.

  • 0 in reply to Dreamcatcher

    SFVH_SO01_SFOS 18.0.1 MR-1-Build396# openvpn --version
    OpenVPN 2.3.6 i486-openwrt-linux-gnu

     

    Jesus Christ, can any Developer at Sophos at least update OpenVPN for a more recent version? Seriously, 2.3.6 came in DECEMBER/2014, It didn't even had support for AES-GCM.

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 MR1 @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • 0 in reply to Prism

    My link speed is 50/20.

    I ran the test on my iPad which uses the http proxy without decrypt and scan and it returns 8mb/s where as if I use speedof.me I get 20mb/s

    When I use the site in the thread on my mac mini I get 50mb/s and when I rune speedof.me I also get 50mb/s and speediest.net (TCP 8080) I get 49-50 mb/s.

    I don't have a remote site to setup a VPN to run further tests.

    So, that leaves the VPN software as a likely suspect.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi folks,

    i can totally confirm the 16Mb/s limit with vpn ssl TCP, tried remotely from two gibabit fiber equiped sites...

  • 0 in reply to rfcat_vk

    OpenVPN Software is not the cause of this problem, since it is running fine with other appliances, even with Sophos own SG Firewall, which is running UTM by default. It is clearly XG Firmware related.

  • 0 in reply to guillaume bottollier

    I am still looking into this in my personal time, because i am curious what is going on. 

    As i am able to reproduce this limitation for one client, it seems like this limitation is not shared with multiple connections at the same time. 
    So i can actually connect multiple TCP based SSLVPN Clients from different locations and get a high performance output. 

     

    NET | tun0 1132% | pcki 4025 | pcko 10334 | sp 10 Mbps | si 1509 Kbps | so 113 Mbps | | coll 0 | mlti 0 | erri 0 | erro 0 | drpi 0 | drpo 0

     

     

    Just one output of a XG, which sends 113 mbit/s through TCP SSLVPN. 

    There were multiple clients connected to this XG. 

     

     

    As you already created a Support Case ID, i would expect to follow up with the Support as for now. 

     

     

     

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    this can not be a coincidence that all of us experience the exact same limitations at precisely 16Mb with so many differences of situations and configurations 

  • 0 in reply to guillaume bottollier

    I can confirm, its the same here on my XG115w

    Just around 11MBit/5MBit (with TCP & compression) on a 5GBit/5GBit line.

  • 0 in reply to Xenoflex

    I am curious, which Clients you are using? 

    Windows Only or did you try different OS systems? 

    MacOS, Linux, iOS, Android?

     

    Because i could observe far better results on a Linux (Openvpn) based system. 

    Same configuration file -  Same Download. 

     

     

    Lets not forget how this works: 

    OpenVPN is getting a config file (OVPN). In this file there are general configuration settings to connect to the OpenVPN Server.

    The openVPN Server (XG/SG) will push other information after the configuration is established. The reason, you do not have to regenerate and publish the config file every time, there is a change in the config on server end. (For Example new route or something like that). 

     

     

     

     

     

     

    And please, everybody here with a valid Sophos Support Subscription - Open a Case. 

    This needs to be tracked. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    With a markeshare of nearly 90% Windows is the platform to use of course. Which End User is using Linux at all?! Maybe test something relevant.

Reply Children
No Data
Unfiltered HTML