
Sophos XG 18 MR3 DPI slow download

Hi all,

After going from decrypting HTTPS traffic by proxy to the DPI engine, my download performance dropped massively.

I am on SG 230 hardware on which XG 18 MR3 is installed.

Taking the same site and downloading an ISO file via HTTPS with proxy and SSL decryption, I get 100 Mbit/s throughput, which is the max of my internet connection.

Switching to DPI, I get around 16 Mbit/s. If I start a second, third download and so on, I can max out my internet connection.

Switching back and forth between proxy and DPI, I can always reproduce this.

This happens only to HTTPS sessions with DPI turned on.

The load on the FW is never higher than 20% while testing.

Could there be an issue that DPI is somehow limiting the throughput within a session? No QoS is defined...

I tried different DPI policies and nothing changed the behavior.

Thanks for your help

best



  • Are there any new ideas on this topic?

    I don't think that this is not happening to lots of other people if this would be a bug?

  • I guess that it might be a bug cuz I've got 1gbs/1gbs and I don't have such a problem ;) My hardware is i5 (4core) 4gb Ram. And it's working pretty good with all features turned on. But I have to admit that overall performance regarding loading websites dropped down from last update -> to MR3. So there is definitely something going on, in fact OpenVPN poor performance is still unresolved. ;)

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • Hi, I would like to bring this topic back to life.

    After updating to MR-4 I did some additional tests and realized that slow downloads just happen to my Windows 10 clients.

    I tested this on 4 different Windows 10 clients, all of them have a significantly reduced download speed with DPI enabled.

    Using a MacBook Pro with the same policy works without problems and utilizes my connection to the max!

    If I boot up Linux instead of Windows 10, I don't have this problem either.

    I ended up reinstalling Windows 10, patched it to the latest version and just installed Firefox and Chrome + my Firewall CA Certificate to get DPI to work. Nothing else is installed but the speed drops even with no other software installed. Back to Linux on the same machine without changing the policy and the speed is at max again.

    It would be great if we could find a solution for this because I don't think that I am the only one with this issue.

    Thanks

    Strandundmeer

  • Do you have any kind of Windows Endpoint Protection installed, which could eventually inspect this traffic? 

    I am not able to reproduce this at all. But it might be an issue with the Interfaces? Check all your XG Interfaces, if direct attached to the windows, if the TCP window handling causes this issue. 


  • Hi,

    thanks for your suggestions.

    My problem is that this happens even on a freshly installed Windows with no other apps except Firefox installed.

    I don't believe that this is an interface issue: booting Linux, it works like a charm. Disabling DPI and switching to proxy mode, everything is fine for all my Windows machines.

    As this happens to all of my Windows machines, I am a little bit lost.

    Thanks for further ideas

  • Could you try to create a tcpdump and check the dumps, if you see any hints of retransmissions on XG? 

    Also do you have firewall acceleration active? 


  • Good morning,

    Sadly, all dumps are looking good. I compared one with DPI on to one without DPI and the only difference I can see is the throughput.

    There are no retransmits, no ICMPs, nothing which would point to an error, also the TCP-MSS size is the same.

    Firewall acceleration is on and I do believe and know that my 230 Appliance should handle 100 Mbit/s without issues.

    Meanwhile I did a failover to the 2nd 230 Appliance and the behavior is the same, but as I used the same backup, perhaps there is an issue.

    I did not change anything on the console except this one here: https://community.sophos.com/xg-firewall/f/recommended-reads/119051/sophos-xg-firewall-cyberoam-application-filter-recommended-settings-for-better-application-detection

    Thanks for your help.

  • Just one small thing to add:

    Currently I have the feeling that there might be an issue with the TCP window scaling and that perhaps Windows handles this differently from OSX or Linux.

    If I disable DPI and also disable window scaling on my Windows client, I have exactly the same slow speed as with DPI on and window scaling on....

    Where can I control this on the XG?
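
To test the window-scaling hypothesis against the captures discussed above, compare the TCP options in the SYN and SYN-ACK with DPI on and off: scaling is only in effect when both segments carry the option. This is an added example, not part of the original thread and not Sophos code; the packet bytes, function names and the 30 ms RTT are constructed sample values.

```python
import struct

def tcp_header(flags: int, window: int, options: bytes) -> bytes:
    """Build a constructed TCP header; ports and sequence numbers are arbitrary."""
    offset = (20 + len(options)) // 4             # options must be 32-bit padded
    return struct.pack("!HHIIBBHHH", 50000, 443, 1, 0,
                       offset << 4, flags, window, 0, 0) + options

def syn_options(tcp: bytes) -> dict:
    """Extract MSS, window-scale shift and SACK-permitted from a raw TCP header."""
    end = (tcp[12] >> 4) * 4                      # data offset = header length
    if end < 20 or end > len(tcp):
        raise ValueError("malformed TCP header")
    out = {"window": struct.unpack("!H", tcp[14:16])[0],
           "mss": None, "wscale": None, "sack_ok": False}
    i = 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP padding, no length byte
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:
            raise ValueError("bad TCP option length")
        body = tcp[i + 2:i + length]
        if kind == 2 and length == 4:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            out["wscale"] = min(body[0], 14)      # RFC 7323 caps the shift at 14
        elif kind == 4:
            out["sack_ok"] = True
        i += length
    return out

def client_rx_shift(syn: dict, synack: dict) -> int:
    """Shift applied to the client's advertised window; 0 unless both sides sent it."""
    both = syn["wscale"] is not None and synack["wscale"] is not None
    return syn["wscale"] if both else 0

def ceiling_mbit(window_field: int, shift: int, rtt_ms: float) -> float:
    """Single-flow upper bound: one receive window per round trip."""
    return (window_field << shift) * 8 / (rtt_ms / 1000) / 1e6

# Constructed samples: client SYN (MSS 1460, WS 8, SACK) and two possible SYN-ACKs.
SYN = tcp_header(0x02, 64240, bytes.fromhex("020405b40103030801010402"))
SYNACK_WS = tcp_header(0x12, 65535, bytes.fromhex("020405b40103030701010402"))
SYNACK_NO_WS = tcp_header(0x12, 65535, bytes.fromhex("020405b401010402"))
```

With these samples, an unscaled 65535-byte window at 30 ms RTT caps a single flow at about 17.5 Mbit/s, and each additional parallel download gets its own window. Feed `ceiling_mbit` the window field from a data-phase ACK, since the window in the SYN itself is never scaled.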

  • I'm also having the same issues.  Random slowdown of the internet across all Windows 10 machines with DPI enabled.  All started with v18 MR3 I believe.  If I switch back to proxy, all seems to be well.  Don't see any errors. Really strange!

  • I turned it off.  Made my life much better.