This discussion has been locked.

Slow SSL VPN

Hello,

I have two XG 210 in A/P HA (18mr4) and two branch offices with RED60.

LocalityA - 2x xg210 HA (ISP 100/100Mbps) FileserverA

      - utilization is about 50% during working hours and 10% out of working hours  

LocalityB - RED60 (ISP 100/100Mbps) FileserverB

     - utilization is about 10% all day

LocalityC - RED60 (ISP 100/100Mbps) FileserverC

     - utilization is about 10% all day

We have a problem with slow SMB download/upload only on VPN<>FileserverC (0,5-1Mbps)

We tried SMB down/up:

     FileserverA<>FileserverC = OK (~80Mbps)

     FileserverA<>FileserverB = OK (~80Mbps)

     FileserverB<>FileserverC = OK (~80Mbps)

     VPN<>FileserverB = OK (30-40Mbps)

     VPN<>FileserverA = OK (30-40Mbps)

We tried everything we could find on the internet:

Change VPN config TCP<>UDP

disable/enable Compress SSL VPN traffic

disable/enable Tunnel compression for RED

DoS bypass rule for VPN subnet and LocalityC subnet

Change QoS "network traffic" for user group from none to "max network traffic"

MTU on wan port

MTU in clients VPN config file

system firewall-acceleration disable

no IPS / application control in vpn FW rule

We've tried various combinations, but nothing helped. 

Any idea?

Thank you. MOl



  • Please check CPU utilization on your REDs. SSH to the device, go to the shell and run the top command. Run transfers or any other speed test and observe CPU utilization. Sophos uses an ancient version of OpenVPN (2.3.6) which is 7 years old and it is based on OpenWrt. OpenVPN is single threaded, and this ancient version also uses old data ciphers, so it is processor hungry and the CPU on REDs can be the problem. I am running a software appliance on an Intel Core i3 1.6 GHz PC, and with OpenVPN 2.3.6 from Sophos, I can get 35 mbit max on VPN with almost 100% CPU utilization. I created my own portable version of OpenVPN 2.4.10 based on the CentOS 64 bit distribution, uploaded it to Sophos XG and created the VPN link manually from the command line, and with this config I can get 100 mbit, which is the max of my link, with 45% CPU utilization.
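Added example, not part of the original reply and not Sophos tooling: since the reply points at a single-threaded OpenVPN process, one core can be saturated while the aggregate CPU figure looks moderate. This sketch computes per-core busy percentages from two `/proc/stat` snapshots; it assumes a Linux shell with `awk`, and the function names and sample counters are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-core CPU load from two /proc/stat snapshots.
# Function names and the sample counters below are constructed for illustration.

# per_core_busy SNAP1 SNAP2 -> lines of "<cpu> <busy%>" (aggregate "cpu" first)
per_core_busy() {
    awk '
        /^cpu[0-9]* / {
            total = 0
            # user nice system idle iowait irq softirq steal (guest is already in user)
            for (i = 2; i <= 9 && i <= NF; i++) total += $i
            idle = $5 + $6                      # idle + iowait
            if (FNR == NR) { t0[$1] = total; i0[$1] = idle; next }
            dt = total - t0[$1]; di = idle - i0[$1]
            if (dt > 0) printf "%s %d\n", $1, int(100 * (dt - di) / dt)
        }
    ' "$1" "$2"
}

# saturated_cores SNAP1 SNAP2 [THRESHOLD] -> names of cores at or above THRESHOLD %
saturated_cores() {
    per_core_busy "$1" "$2" | awk -v th="${3:-90}" '$1 != "cpu" && $2 >= th { print $1 }'
}

# write_sample DIR -> constructed snapshots taken 5 s apart on a 2-core box
write_sample() {
    cat > "$1/s1" <<'EOF'
cpu  2200 0 1100 15800 150 0 70 0 0 0
cpu0 1000 0 500 8000 100 0 50 0 0 0
cpu1 1200 0 600 7800 50 0 20 0 0 0
EOF
    cat > "$1/s2" <<'EOF'
cpu  2520 0 1290 16275 150 0 85 0 0 0
cpu0 1300 0 680 8005 100 0 65 0 0 0
cpu1 1220 0 610 8270 50 0 20 0 0 0
EOF
}

# Live use: LIVE=1 sh thisfile.sh while a transfer is running.
if [ "${LIVE:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    cat /proc/stat > "$tmp/s1"; sleep 5; cat /proc/stat > "$tmp/s2"
    per_core_busy "$tmp/s1" "$tmp/s2"
    rm -rf "$tmp"
fi
```

In the constructed sample the aggregate line reads 52% while `cpu0` is at 99%, which is the pattern a single-threaded tunnel process produces when it is the bottleneck.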

  • Hello, I am trying to access the RED by SSH from the LAN behind the RED (SSH to my gw IP). SSH is ok but it looks like I am getting output from the central fw.

    Because if I run TOP I can see the SSLVPN process (10% CPU during copy), or if I want to see the firmware it shows me SFOS 18mr4