Currently my team is reporting slow download and upload speeds far under our ISP internet plan. I've been trying to diagnose it, but everything I try doesn't seem to have any positive or negative affect.
Here are my current settings. I wasn't sure what I should black out, so I kinda went crazy...which hopefully doesn't hinder someones ability to help.
Beyond these SSL VPN settings, is there anything else I can setup to get the full ISP bandwidth for my users?
What is your current throughput, how do you measure it and what do you expect to have?
Currently we have a 75Mbps symmetrical fibre internet connection. But users are only seeing half that (on a good day) or in many cases 1/4th that. I've tested with only me logged into the VPN and the issue is the same, so it doesn't seem to be an issue with to many users logged on at one given time. As far as measuring it, I measure it by trying to download data off our file server behind the same network and Sophos firewall.
Are your tests wired or via WiFi?
Have you narrowed it down to VPN? E.g. you get full download speeds from the same server to a machine inside the firewall? Do you have the ability to test speeds from outside of the firewall but not with VPN? How are those speeds, and what kind of packet loss or jitter are you seeing, if any?
Has something changed? I.e. was it working at expected speeds in the past, but then something changed in the firewall (new SFOS), the clients (new OS, new VPN client), or elsewhere?
My tests are both over WiFi and a Wired connection.
I have narrowed it down to VPN. When I try using the internet connection natively (so not over a VPN connection) it works as expected. I've ran a speedtest and got 90Mbps down and 89Mbps up on a symmetrical fibre connection of 75Mbps. SO actually better than what I'm paying for. Ping was 3ms, and I'm not seeing any packet loss.
Nothing has changed as far as settings or what not. I mean I do the Sophos XG OS updates when I need to and all of that, but it's always been like this. It's just now I'm getting around to fixing it...lol. But It's always been like this, no SFOS or other update has made it better or worse that I can tell.
I don't know VPN well enough to help beyond this. Sounds like you truly have narrowed it down to VPN.
Do you have any DOS settings? I saw a posting where someone had DOS enabled and exempting the VPN range made a big improvement.
Are you using Sophos Connect? How old are the configs?
There are some improvements of the throughput in V18.5 MR2 as well.
What you can check as well: Get a PSCP (SCP tool) and download something big from the firewall directly (not a server).
Check first via df -h the space
XGS136_XN01_SFOS 19.0.0 EAP1-Build244# df -hFilesystem Size Used Available Use% Mounted onnone 613.9M 1.6M 567.6M 0% /none 3.9G 36.0K 3.9G 0% /devnone 3.9G 19.9M 3.9G 1% /tmpnone 3.9G 14.7M 3.9G 0% /dev/shm/dev/boot 127.7M 33.2M 91.8M 27% /boot/dev/mapper/mountconf 560.3M 72.4M 483.9M 13% /conf/dev/content 5.6G 644.8M 5.0G 11% /content/dev/var 41.3G 15.3G 25.9G 37% /var
Check for /tmp/
Then upload a file via SCP to the firewall /tmp/
Check the throughput. Then download the same file from the /tmp/.
If this test is acceptable, it could be an issue in the network after the firewall.
Most users are still on the older Sophos VPN client, but I did recently get everyone to update their VPN config files like a week or 2 ago now. Users on mobile use OpenVPN on both iOS and Android, and they too had to update the config for that.I'm running the latest SFOS.
As far as the test you recommended I try. Sorry to sound like a novice, but how exactly am I to run that? Do I need to connect to the Firewall via command line? I just want to make sure I understand so I can give that a shot, as it is a good thing to try.
SCP is a protocol. You can access via SCP the firewall /tmp/ directory and up/download data.
https://support.sophos.com/support/s/article/KB-000037007?language=en_US For example.
So you can upload a data to the firewall and also download it. It would show if this is a acceptable speed and indicate a openVPN problem or a issue with your network / resources behind the firewall.
In particular, SCP uses the credentials that you've set up for SSH access. to your firewall. So if you do have SSH credentials set up, SCP will magically work. If not, you'll need to set them up. And allow (perhaps only temporarily) SSH access from WAN if you're testing from outside of the firewall.
I read the link you sent and attempted to SSH into my firewall and run the packet capture. It seemed to do something, but honestly I'm still a little bit confused and don't think I really got anything out of it...which is probably my fault. Is there anything else I can try? Maybe I need to make an exception rule or something to allow a better data pass through via VPN? Maybe I should just call Sophos support and let them figure it out... lol
You checked that you are not using Denial of Service (DOS) settings that might affect the VPN? This is designed to limit fast traffic and is quite tricky to use.