
Sophos XG VPN performance

Good day all.

A good portion of our company is currently deployed via VPN, which means we have about 20 or so connections consistently on any given day.

Our setup:

Two Sophos XG firewalls set up in an HA state. Our bandwidth is 100/100 with a secondary 100/100 connection. The VPN agents were set up with the TCP protocol with compression selected. We believe the SSL VPN was set up in split tunnel.

Agent logins are tied to our internal AD, so when an agent is deployed or needs to be redeployed, we have to log in as each person and download the new configuration and/or client.

The issue:

We've been receiving complaints about the throughput when people are connecting to the VPN.  

Another colleague and I started testing, and we believe the Sophos is causing a problem.

Test scenario:

Using SSMS, connect to a cloud database to run a script that will return 20,000 rows. 

Tests:

When directly connected to the database (no VPN):  Return time is about 1 second.

When directly connected to the database from a computer inside our network (no VPN): return time is about 1 second.

When connected to the VPN and running the same query: return time varies between 45 seconds and 3 minutes.

Our vendor has suggested that we need to change the VPN connection over to UDP, but there is concern that the fault tolerance related to TCP would be lost and may cause more problems than what we currently have with TCP in place.

The additional issue of having to redeploy the agents to each person individually is a cause for concern as well, as everyone would be unable to connect, if we did switch over to UDP, until the new client is deployed to each person.

So:

Based on this configuration, how likely would it be that converting everyone over to UDP would alleviate the performance problems? 

If we choose to mass re-deploy the agents, are there any suggestions on best practices in doing this with remote people?

Our vendor noted that we may be able to "hack" the configuration on each person's PC by changing the following in the .ovpn file:

"proto tcp"

to 

"proto udp"

Save the changes, and it will convert everything over to UDP without the need to redeploy to everyone. Is this a viable option?

Thanks in advance for any assistance. 
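The .ovpn edit the vendor describes can be scripted so it is done the same way on every PC, with a backup kept and the result checked. The script below is an added example for this thread, not Sophos code, and it has not been run against a Sophos-generated profile: it assumes the profile uses the standard OpenVPN directives `proto tcp|tcp-client|udp` and `remote <host> <port> [tcp|tcp-client|udp]` (OpenVPN allows the protocol as an optional third argument on `remote`, and a `remote` line that names `tcp` would override a bare `proto udp`, so both are rewritten). The sample profile in the block is constructed. One caveat that matters for the "is this viable" question: an OpenVPN client and server must agree on transport, so the firewall's SSL VPN must already be listening on UDP on the same port before any client profile is changed, or the edited profile simply will not connect.

```python
"""Rewrite the transport protocol in an OpenVPN-style .ovpn client profile.

Added example for the thread above; not Sophos code. Assumes standard OpenVPN
directives:
    proto tcp|tcp-client|udp
    remote <host> <port> [tcp|tcp-client|udp]
Only those protocol tokens are rewritten; comments, line endings and every
other line are left exactly as found, and a .bak copy is written first.
"""
import re
from pathlib import Path

_PROTOS = ("tcp-client", "tcp", "udp")   # longest alternative first in the regexes
_PROTO_LINE = re.compile(
    r"^(?P<head>\s*proto\s+)(?P<proto>tcp-client|tcp|udp)(?P<af>[46]?)(?P<tail>\s.*)?$",
    re.IGNORECASE,
)
_REMOTE_LINE = re.compile(
    r"^(?P<head>\s*remote\s+\S+\s+\d+\s+)(?P<proto>tcp-client|tcp|udp)(?P<af>[46]?)(?P<tail>\s.*)?$",
    re.IGNORECASE,
)

# Constructed sample profile (CRLF endings, as a Windows client would have);
# hostnames and port are placeholders, not from the thread.
SAMPLE_PROFILE = (
    "client\r\n"
    "proto tcp\r\n"
    "remote vpn.example.com 8443 tcp\r\n"
    "# proto tcp\r\n"                     # commented out: must not be touched
    "remote vpn2.example.com 8443\r\n"    # no explicit proto: must not be touched
    "cipher AES-256-CBC\r\n"
)


def switch_proto(config_text: str, new_proto: str = "udp") -> tuple[str, int]:
    """Return (rewritten profile, number of lines changed).

    Lines that already use new_proto are left alone and not counted.
    """
    if new_proto not in _PROTOS:
        raise ValueError(f"unsupported protocol {new_proto!r}")
    out, changed = [], 0
    for line in config_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]            # preserve CRLF/LF exactly
        m = _PROTO_LINE.match(body) or _REMOTE_LINE.match(body)
        if m and m.group("proto").lower() != new_proto:
            body = m.group("head") + new_proto + m.group("af") + (m.group("tail") or "")
            changed += 1
        out.append(body + ending)
    return "".join(out), changed


def protocols_in(config_text: str) -> set[str]:
    """Protocols named on active (non-comment) proto/remote lines."""
    found = set()
    for line in config_text.splitlines():
        m = _PROTO_LINE.match(line) or _REMOTE_LINE.match(line)
        if m:
            found.add(m.group("proto").lower())
    return found


def switch_file(path: Path, new_proto: str = "udp") -> int:
    """Rewrite path in place after saving <name>.bak; return lines changed.

    Bytes are read/written directly so line endings are not translated.
    """
    original = path.read_bytes().decode("utf-8")
    rewritten, changed = switch_proto(original, new_proto)
    if changed:
        path.with_suffix(path.suffix + ".bak").write_bytes(original.encode("utf-8"))
        path.write_bytes(rewritten.encode("utf-8"))
    return changed


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        text, n = switch_proto(SAMPLE_PROFILE, "udp")
        print(f"sample: {n} line(s) changed; protocols now {sorted(protocols_in(text))}")
    for arg in sys.argv[1:]:
        p = Path(arg)
        n = switch_file(p)
        print(f"{p}: {n} line(s) changed; protocols now "
              f"{sorted(protocols_in(p.read_bytes().decode('utf-8')))}")
```

Run with no arguments to see the sample rewritten, or with one or more .ovpn paths to rewrite them in place. `protocols_in` is the check to run afterwards: if it still reports `tcp` on a profile the script has processed, there is a `remote` line or a non-standard directive the patterns did not recognise, and that profile should be looked at by hand rather than assumed converted.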
