Poor SSL VPN performance when using TCP

Shouldnt be the case, as i tested it with Sophos Connect 2.0 back in the days on multiple devices. 

Do you use Compression on SSLVPN? 

Did you try Sophos Connect 2.0 or the OpenVPN Client? 

Did you only try SMB? Can you try other protocols, as SMB can actually cause such problems (re transmissions). 

Likely caused by MTU Issues: https://forums.openvpn.net/viewtopic.php?t=25039

I really need this to get sorted out, otherwise we will stop deploying XG firewalls to our customers. Since it has nothing to do with SMB and SG Firewall is using the very same MTU size, it should be something else going on.

So we would have to catch up on the 16 mbit/s difference to Prism 120 mbit/s. 

I found something, which could be the root cause, needs to be analysed for now. 

Hi,

i was linked to this thread.

I have several users with Windows 10 / 1909 and they use direct Access (HTTPS) to internal servers (no problem).

I formy self use Sophos VPN Client to connect to a XG 17.5.MR12 and i dont´have any perf. problems (not realy).

But

I have one user in Phoenix USA with high WAN latency (about 200ms average) with a performance drop to 355kbit/s.
He uses a Cable Modem with about 60-100MBit.

It doesn´t matter if he uses Sophos VPN or Microsoft Direct Access (always slow with 355kbit/s).
This is slow with SMB File Access.

The server are located in germany.

is there any change that the WAN latency could be a problem with TCP / UDP? 

atop:

NET | tun0 1578% | pcki 29337 | pcko 57619 | sp 10 Mbps | si 2428 Kbps | so 157 Mbps | | coll 0 | mlti 0 | erri 0 | erro 0 | drpi 0 | drpo 0

Looks better to me.

Could you please try following:

Within the config file: 

resolv-retry infinite
nobind
sndbuf 0
rcvbuf 0
persist-key

If this does not help after reimporting the config file, there is a second change needed on XG. I just want to know, if this Client config change helps or not. 

This is currently under investigation. 

I added the two parameters to my config file. Unfortunately it makes no difference at all, tried with the OpenVPN Client and the Sophos Connect 2.0 Client.

Edit:

I tested this now with android. I tested UDP, TCP and TCP edited with the parameters you mentioned. The results are roughly the same as with Windows:
TCP: 8-10 Mbit/s
UDP: 35-45 Mbit/s

hi LuCar Toni 

Tried with your 2 params and no difference at all, exacly 16Mbit/s using TCP.

(windows 10 / openssl / XGvirutal v18 MR1 hosted on gigabit link)

Thanks for the feedback.
Please give Sophos some time to review the test scenario and the different perspectives. 

As far as i know, Sophos has a RootCause of this issue and will look into fixing this in a upcoming release. 

I've just compared the OpenVPN Client logs from UTM and XG. Those are the differences i've found.

Why is XG only using TSL v1 while UTM is using TLS v1.2?

Where do i find these config file on the Windows 10 client PC?

I had a second user today (in Dortmund/Germany).
He uses WLAN and MS Direct access.

Due to latency his SMB downloads is about 355-800kbit/s.

I don´t think that this something that a VPN client could fix.

I read some threads about mtu size and tcp autoscaling with MS DA Servers on Hyper-V ...

I'd suggest you open your own thread, since this has nothing to do with this topic.

Thas right,

but even with Sopos VPN Client the error is the same.

I had a own thread and was directed here.

Thas right,

but even with Sopos VPN Client the error is the same.

I had a own thread and was directed here.

Hi,

I redirected you because your original post was about a VPN user, now you have changed to being W10 users in your office.

Ian

Just to update this thread. I would ask everybody with a valid Support Subscription to open a Case referring to this Thread, if he has this issue. 

Properly this will be resolved in the next bug fix version - So i will mark this Answer as a Answer. 

When I get back into the office on Monday, I'll pass over the details and the case that one of my clients had opened and we closed it because we found a work-around, and put it down to the OpenVPN client issues.

Like I say, we found that changing the connection method to SHA1 worked - in itself for them wasn't so much of a problem as they use encrypted traffic as per best practices throughout the network, and if Azure files can use SMB direct onto the internet, there is no reason why SMB files cannot be used with a weaker VPN as an extra layer.

I am not sure if it is still the case but I saw this when connecting two XG's together using Site to Site SSL VPN as well.  TCP performance was dreadful, UDP was near wirespeed.  

To follow up with what LuCar Toni mentioned,

For users that are experiencing issues with poor SSL VPN performance, please raise a support case and reference the following ID's:

• If on XG v17.5 - NC-59080

• If on XG v18.0 - NC-61102

Please share your support case number on this community thread as well.

Thanks,

hello FloSupport 

Case opened with ID #9964013

Same issue. Ticket opened. Case number is [#9969535]

Hi all,

Following the support ticket opened, Sophos cofnirmed me that this issue is presumed to be corrected on 18.0.2 and 17.5.14 ... which have no ETA for now.

I've just upgraded my XG to v18 MR-2, apparently this issue has been fixed. Just tested with both UDP and TCP and I'm getting same speeds on both protocols. (400Mbit/s).

Thanks!

Hi All,

Please note that SFOS v18 MR2 is a limited release that includes early access of an IPS engine version upgrade and other related changes.

Sophos will soon publish a broader release that includes additional fixes.

Regards,