Help us enhance your Sophos Community experience. Share your thoughts in our Sophos Community survey.

Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 39 subscribers
  • Views 9095 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL VPN poor performance with Office files on SMB shares, probably because of MTU issues

LHerzog

Hi,

some users are complaining very bad SMB performance when using SSL VPN (TCP) to our XG 18 MR4.

Our diagnosis so far is, that DS-Lite Internet users are affected by the bad performance only. Like Unitymedia / Vodafone Cable.

Users with DSL lines like Telekom without IP-Sharing ot NAT, are not affected.

Location: Germany

The issue can be noticed when opening a 10 kb MS Office file from an SMB share in the tunnel takes about 30-40 sec to open on DS-Lite, <5 sec on non-DS-Lite.

Opening a 1MB Text file from the same SMB share takes 10 sec on DS-Lite, ~5 Sec on non-DS-Lite.

Strange fact: downloading a large file from the same SMB share is almost the same on DS-Lite and non-DS-Lite.

What I can see in wireshark, is that the MTU is smaller on the DS-Lite side than on our XG firewall. The firewall uses 1500, the VPN client uses 1392.

When opening one file from a SMB folder, all other files are also touched by the client and it looks like, they are fully transferred.

This is what downloading a 500 MB iso-file from the tunnel SMB share to the local machine looks like on DS-Lite. Performance is really OK. Nothing to complain about:



This thread was automatically locked due to age.
  • 0 in reply to PhilippRusch

    I ask myself how this would affect traffic when the client already uses a lower MTU than the router on it's LAN interface. But I'll see if I can change that. FritzBox usually does not support it.

    I will give the OVPN client a try.

  • 0 in reply to LHerzog

    I had also such problems, but after i did upgrade to mr4 all problems just solved. ^^  now i hope that sophos is doint sth with Logging section cuz this needs to be improved  a lot^^

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • 0 in reply to Regex

    I tried several Open VPN clients and with all (TAP and Win Tunnel beta drivers) I had issues with DNS.

    I did not get IPv4 DNS Servers from DHCP in the tunnel. Instead ipconfig showed this DNS config:

    DNS-Server . . . . . . . . . . . : fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1 fec0:0:0:ffff::3%1

    I have now Sophos Connect Client installed but the issue with the slow Office file open still persists.

    Also playing with the MTU size only on client side did not improve the performance.

    Searching for this issue in particular with MS Office shows hundreds of posts everywhere. I have not found any with a solution. Even I cannot imagine all those users are using DS-Lite and VPN, this is the only difference in our company between the VPN users with and without this performance issue.

Unfiltered HTML