
Poor SSL VPN performance when using TCP

Hello folks,

 

I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad and there is no heavy load on the CPUs involved.

 

Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?



  • Hey Tim,

    I can assure you that this is not related to TCP per se, but to XG in particular. UTM (SG firewall) does not have performance problems with TCP SSL VPN. I get my full 53 Mbit/s with TCP, while UDP is fluctuating around 45-53 Mbit/s. Taking that into account, TCP is even a bit more stable than UDP on UTM. Since I didn't alter the MTU size on either XG or UTM (it's 1500 on both by default), I can rule out an MTU issue. If this was really a problem, UTM should show the same bad TCP SSL VPN performance as XG, which it clearly doesn't.

  • Hello  

    I have sent you a PM. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Could we try to get at least some related information?

    As you can reproduce this on multiple appliances, I am curious how those appliances could be related.

    Maybe something like "all appliances are sitting behind another router from provider X", "all appliances are installed with an ISO from firmware X".

     


  • Hello,

    these appliances belong to different customers, so they have nothing in common but being XG firewalls. I thought this would be clear as I wrote that I tested them with different internet connections. The XG210 is sitting behind another router that is configured to pass all traffic to it, the others are connected directly, thus holding the WAN IP too. They have been installed at different times, with different images, but now share roughly the same version, with 18.0 GA-Build379 being the oldest one, since I am keeping all appliances up-to-date. The XG210 I gave you access to was installed on 11th March this year with the then up-to-date image. The XG125 was installed years ago and my virtual appliance was just installed to test this, so just some days ago. Theoretically I have many more XG firewalls to test, but those are not connected to internet connections fast enough.

    More interestingly: Did you try to reproduce this? I really can't imagine that this was not reproducible at all.

  • I did another test with a fresh installed virtual XG. I used the latest software .iso from here: https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-v18-mr1-build396
    It is connected to my home connection (1000 Mbit/s down, 53 Mbit/s up) and holds my public WAN IP. No other routers are involved. I didn't even register or activate it.

    Everything I configured was the following:

    01. Configured default CA (for obvious reasons)
    02. Created a firewall rule to allow all traffic from VPN zone to ANY
    03. Created an SSL VPN remote access profile for use as Default Gateway
    04. Created a testuser
    05. Added testuser to group "Open Group" and selected the remote access profile created in step 3
    06. Downloaded SSL VPN Client from Userportal and installed it on a machine hosted in a remote site
    07. Connected VPN and went to https://fast.com for a speedtest. Result: 14 Mbit/s
    08. Changed default SSL settings from TCP to UDP
    09. Downloaded new config from userportal and added it to SSL VPN client installed in step 6
    10. Connected VPN and went to https://fast.com for a speedtest. Result: 50 Mbit/s

    There you have it folks. If anyone at Sophos declares this as not reproducible, I can just shake my head and go back to UTM or another vendor. Maybe I'll keep doing your work and install a fresh UTM now to do the same test again, already knowing what is going to happen, because I used UTM for years with TCP SSL VPN.
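
    Added example (not from this thread and not Sophos or OpenVPN code): a small Python checker for an exported OpenVPN client profile that reports whether the transport is TCP, whether the configured cipher needs a newer OpenVPN than the appliance's reported 2.3.6 (AES-GCM data-channel ciphers arrived in 2.4), and rewrites the profile to UDP, the same change step 8 above makes server-side. The profile text and the hostname/port in it are constructed placeholders.

```python
import re
# Constructed sample of an OpenVPN client profile (not a real Sophos export); the <ca>/<cert>/<key> blocks are omitted.
SAMPLE_TCP_PROFILE = """\
client
dev tun
proto tcp-client
remote vpn.example.invalid 8443
cipher AES-128-CBC
auth SHA256
redirect-gateway def1
"""

def parse_profile(text):
    """Map each directive to its argument lists; skip comments and inline <ca>..</ca> style blocks."""
    directives, in_block = {}, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in '#;':
            continue
        if s.startswith('</'):
            in_block = False
        elif s.startswith('<'):
            in_block = True
        elif not in_block:
            parts = s.split()
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def transport(directives):
    """'tcp' or 'udp': the proto directive wins, then remote's protocol argument, else OpenVPN's udp default."""
    candidates = [a[0] for a in directives.get('proto', [])]
    candidates += [a[2] for a in directives.get('remote', []) if len(a) >= 3]
    return 'tcp' if candidates and candidates[0].lower().startswith('tcp') else 'udp'

def check_profile(text, server_version=(2, 3, 6)):
    """Findings an admin wants before rolling a profile out; server_version is the appliance's openvpn --version."""
    d = parse_profile(text)
    findings = []
    if transport(d) == 'tcp':
        findings.append('transport is TCP: expect much lower throughput than UDP (TCP carried inside TCP); prefer UDP where the path allows it')
    cipher = d.get('cipher', [['BF-CBC']])[0][0].upper()  # BF-CBC is the OpenVPN 2.3 default
    if 'GCM' in cipher and server_version < (2, 4, 0):  # AES-GCM data-channel ciphers need OpenVPN 2.4 on both ends
        findings.append(f'cipher {cipher} needs OpenVPN 2.4 or later; server runs {".".join(map(str, server_version))}')
    return findings

def to_udp(text):
    """Switch the profile's transport to UDP, mirroring the server-side TCP->UDP change made before re-downloading."""
    text = re.sub(r'^(\s*proto\s+)tcp(?:-client|4|6)?[ \t\r]*$', r'\1udp', text, flags=re.M)
    return re.sub(r'^(\s*remote\s+\S+\s+\d+\s+)tcp(?:-client|4|6)?[ \t\r]*$', r'\1udp', text, flags=re.M)
```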

  • This is 100% reproducible, I've just tested myself with 400/200 WAN connection, with TCP I can't go above 25Mbit/s while a single core of my XG spikes to 100%, and on UDP I can reach the full 200Mbit/s.

    This has been happening since v17.5, I hope it's fixed soon.



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • I did another test with the VPN Client downloaded from a UTM appliance, but with the config from my test XG. Same results. I guess they are both the same anyway. I also did a test with the official OpenVPN beta client (openvpn-connect-3.1.3.713_signed). Same results, so this is not related to client software at all. My UTM reaches the full 53 Mbit/s with all clients I tested on TCP SSL VPN connections.

  • SFVH_SO01_SFOS 18.0.1 MR-1-Build396# openvpn --version
    OpenVPN 2.3.6 i486-openwrt-linux-gnu

     

    Jesus Christ, can any developer at Sophos at least update OpenVPN to a more recent version? Seriously, 2.3.6 came out in December 2014, it didn't even have support for AES-GCM.



  • My link speed is 50/20.

    I ran the test on my iPad, which uses the HTTP proxy without decrypt and scan, and it returns 8 Mb/s, whereas if I use speedof.me I get 20 Mb/s.

    When I use the site in the thread on my Mac mini I get 50 Mb/s, and when I run speedof.me I also get 50 Mb/s, and speedtest.net (TCP 8080) I get 49-50 Mb/s.

    I don't have a remote site to setup a VPN to run further tests.

    So, that leaves the VPN software as a likely suspect.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Hi folks,

    I can totally confirm the 16 Mb/s limit with VPN SSL TCP, tried remotely from two gigabit fiber equipped sites...