
Sophos XG 18 MR3 DPI slow download

Hi all,

After going from decrypting HTTPS traffic by proxy to the DPI engine, my download performance dropped massively.

I am on SG 230 hardware on which XG 18 MR3 is installed.

Taking the same site, downloading an ISO file via HTTPS with proxy and SSL decryption, I get 100mbit/s throughput, which is the max of my internet connection.

Switching to DPI I get around 16mbit/s. If I start a second, third download and so on, I can max out my internet connection.

Switching back and forth between proxy and DPI, I can always reproduce this.

This happens only to HTTPS sessions with DPI turned on.

The load on the FW is never higher than 20% while testing.

Could there be an issue that DPI is somehow limiting the throughput within a session? No QoS is defined...

I tried different DPI policies and nothing changed the behavior.

Thanks for your help

best



  • Hi ,

    thanks for the ideas.

    I tested different setups and unlike Wireguard for my system it does not matter if I turn DPI off and on again. As long as it is enabled and the policy is active for the source the speed drops to roughly 25%.

    I did the following tests today all with Firefox from the same server to download from:

    • Proxy with SSLi enabled, IPS Policy active, AV Scan for HTTPS active: Download 12MByte/s which is roughly 100mbit/s and the max of my internet connection.
    • Proxy disabled so that DPI gets enabled, IPS Policy active, AV Scan active: Download 2,8MBytes/s <=> 22mbit/s
    • Proxy disabled so that DPI gets enabled, IPS Policy none, AV Scan off: Download 2,8MByte/s <=> 22mbit/s
    • Everything in the firewall rule disabled, DPI via rule enabled: 22mbit
    • No difference if I turn HTTPS during proxy filtering on or off.

    There is nothing in the ips.log during this session and the speed degradation also happens with IPS disabled. The firewall is far away from being heavily loaded...

    Thanks for your help

  • Hi, here are my settings. I get no issues, except those described above.

    Firewall

    NAT

    DPI

    Maybe try this one, and give us feedback. 

    Here is my internet connection

    DPI ON

    DPI OFF

  • Hi ,

    I think that our settings are equal except the fact that I don't have NAT in place.

    As I already mentioned, I tested lots of different configuration / policy settings with the same result. Enabling DPI instead of the webproxy with SSLi, my speed drops down to 20-25% of the result I get with the proxy enabled.

    Turning app control and IPS off doesn't change anything.

    This seems to be the same for all browsers and downloading files, BUT using a speed test like https://librespeed.org/ I do get full speed even with DPI enabled.

    From my point of view it seems that DPI is doing something to the download in a way that the bandwidth can not be utilized.

    The system load is low even with DPI enabled and the decryption capacity shown in the dash is <1% so there should be no issues.

    What hardware are you using? Perhaps there is something we have in common?

    I have upgraded my appliances several times from early 17ish versions, perhaps there is an issue?

    best

  • No, unfortunately not. My XG is a virtual appliance. Fresh install from scratch with v18 MR3. I think a Sophos technician has to clear up this behavior.

  • OK, thanks. I have another 230 appliance which acts as a cold standby and I thought about doing a fresh install, but as this happens to your virtual appliance, too, it would not add any benefit.

    Thanks

  • A point of interest: my XG reports that as trying to set up Tor connections. The speed test runs on my iPad and Mac mini. Both use the default SSL/TLS firewall rule. No decrypt and scan function.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Hi, I would like to bring this topic back to life.

    After updating to MR-4 I did some additional tests and realized that slow downloads just happen to my Windows 10 clients.

    I tested this on 4 different Windows 10 clients, all of them have a significantly reduced download speed with DPI enabled.

    Using a MacBookPro with the same policy works without problems and utilizes my connection to the max!

    If I boot up Linux instead of Windows 10 I don't have this problem, either.

    I ended up reinstalling Windows 10, patched it to the latest version and just installed Firefox and Chrome + my Firewall CA Certificate to get DPI to work. Nothing else is installed but the speed drops even with no other software installed. Back to Linux on the same machine without changing the policy and the speed is at max again.

    It would be great if we could find a solution for this because I don't think that I am the only one with this issue.

    Thanks

    Strandundmeer

  • Do you have any kind of Windows Endpoint Protection installed, which could eventually inspect this traffic? 

    I am not able to reproduce this at all. But it might be an issue with the Interfaces? Check all your XG Interfaces, if direct attached to the windows, if the TCP window handling causes this issue. 

    __________________________________________________________________________________________________________________

  • Hi ,

    thanks for your suggestions.

    My problem is that this happens even on a freshly installed Windows with no other apps except Firefox installed.

    I don't believe that this is an interface issue: booting Linux, it works like a charm. Disabling DPI and switching to proxy mode, everything is fine for all my Windows machines.

    As this happens to all of my Windows machines I am a little bit lost.

    Thanks for further ideas

  • Could you try to create a tcpdump and check the dumps, if you see any hints of retransmissions on XG? 

    Also do you have firewall acceleration active? 

    __________________________________________________________________________________________________________________
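
One way to carry out the tcpdump check suggested in the last reply, as an added example that is not part of the thread: it parses tcpdump text output per direction, counts data segments whose bytes were already sent once, and applies the window scale from the SYN to the raw `win` value. The capture lines, addresses and the 20 ms round-trip time in the note below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the text format of `tcpdump -nn -S` (not from the thread).
SAMPLE = """\
10:00:00.000000 IP 192.0.2.50.51000 > 198.51.100.10.443: Flags [S], seq 1000, win 64240, options [mss 1460,nop,wscale 8], length 0
10:00:00.020000 IP 198.51.100.10.443 > 192.0.2.50.51000: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460,nop,wscale 7], length 0
10:00:00.020100 IP 192.0.2.50.51000 > 198.51.100.10.443: Flags [.], ack 5001, win 256, length 0
10:00:00.040000 IP 198.51.100.10.443 > 192.0.2.50.51000: Flags [.], seq 5001:6461, ack 1001, win 512, length 1460
10:00:00.040100 IP 198.51.100.10.443 > 192.0.2.50.51000: Flags [.], seq 6461:7921, ack 1001, win 512, length 1460
10:00:00.240000 IP 198.51.100.10.443 > 192.0.2.50.51000: Flags [.], seq 5001:6461, ack 1001, win 512, length 1460
10:00:00.240100 IP 192.0.2.50.51000 > 198.51.100.10.443: Flags [.], ack 7921, win 256, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<end>\d+))?)?.*?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?.*?, length (?P<len>\d+)")

def analyse(text):
    """Per direction: data segments, retransmitted segments, smallest scaled window."""
    wscale = {}                 # (src, dst) -> shift advertised in that sender's SYN
    highest = defaultdict(int)  # (src, dst) -> highest sequence end seen so far
    stats = defaultdict(lambda: {"segments": 0, "retransmits": 0, "min_window": None})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        flow = (m["src"], m["dst"])
        if "S" in m["flags"]:
            ws = re.search(r"wscale (\d+)", m["opts"] or "")
            wscale[flow] = int(ws.group(1)) if ws else 0
            continue
        # tcpdump prints the raw 16-bit window field; apply the sender's scale.
        # Assumes the SYNs are in the capture and both sides offered wscale.
        win = int(m["win"]) << wscale.get(flow, 0)
        s = stats[flow]
        s["min_window"] = win if s["min_window"] is None else min(s["min_window"], win)
        if int(m["len"]) > 0 and m["end"]:
            s["segments"] += 1
            if int(m["end"]) <= highest[flow]:
                s["retransmits"] += 1  # these bytes were already sent once
            highest[flow] = max(highest[flow], int(m["end"]))
    return dict(stats)

def window_ceiling_mbit(window_bytes, rtt_seconds):
    """Upper bound for one TCP session: at most one window per round trip."""
    return window_bytes * 8 / rtt_seconds / 1e6
```

Run `analyse()` on captures taken with DPI enabled and with the proxy enabled and compare the retransmit counts and smallest windows per direction. For the constructed values, `window_ceiling_mbit(65536, 0.020)` is about 26 Mbit/s for a single session, while several parallel sessions each get their own window.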