SSL VPN (remote access) slow speeds

Hello folks.

Currently my team is reporting slow download and upload speeds far under our ISP internet plan. I've been trying to diagnose it, but everything I try doesn't seem to have any positive or negative effect.

Here are my current settings. I wasn't sure what I should black out, so I kinda went crazy...which hopefully doesn't hinder someone's ability to help.

Beyond these SSL VPN settings, is there anything else I can set up to get the full ISP bandwidth for my users?

  • What is your current throughput, how do you measure it and what do you expect to have? 


  • Currently we have a 75Mbps symmetrical fibre internet connection. But users are only seeing half that (on a good day) or in many cases 1/4th that. I've tested with only me logged into the VPN and the issue is the same, so it doesn't seem to be an issue with too many users logged on at one given time.

    As far as measuring it, I measure it by trying to download data off our file server behind the same network and Sophos firewall.

  • Are your tests wired or via WiFi?

    Have you narrowed it down to VPN? E.g. you get full download speeds from the same server to a machine inside the firewall? Do you have the ability to test speeds from outside of the firewall but not with VPN? How are those speeds, and what kind of packet loss or jitter are you seeing, if any?

    Has something changed? I.e. was it working at expected speeds in the past, but then something changed in the firewall (new SFOS), the clients (new OS, new VPN client), or elsewhere?

  • My tests are both over WiFi and a Wired connection.


    I have narrowed it down to VPN. When I try using the internet connection natively (so not over a VPN connection) it works as expected. I've run a speedtest and got 90Mbps down and 89Mbps up on a symmetrical fibre connection of 75Mbps. So actually better than what I'm paying for. Ping was 3ms, and I'm not seeing any packet loss.

    Nothing has changed as far as settings or whatnot. I mean I do the Sophos XG OS updates when I need to and all of that, but it's always been like this. It's just now I'm getting around to fixing it...lol. But it's always been like this, no SFOS or other update has made it better or worse that I can tell.

  • I don't know VPN well enough to help beyond this. Sounds like you truly have narrowed it down to VPN.

    Do you have any DOS settings? I saw a posting where someone had DOS enabled and exempting the VPN range made a big improvement.

  • Are you using Sophos Connect? How old are the configs? 

    There are some improvements to the throughput in V18.5 MR2 as well.

    What you can check as well: Get a PSCP (SCP tool) and download something big from the firewall directly (not a server). 

    Check the space first via df -h

    XGS136_XN01_SFOS 19.0.0 EAP1-Build244# df -h
    Filesystem Size Used Available Use% Mounted on
    none 613.9M 1.6M 567.6M 0% /
    none 3.9G 36.0K 3.9G 0% /dev
    none 3.9G 19.9M 3.9G 1% /tmp
    none 3.9G 14.7M 3.9G 0% /dev/shm
    /dev/boot 127.7M 33.2M 91.8M 27% /boot
    /dev/mapper/mountconf
    560.3M 72.4M 483.9M 13% /conf
    /dev/content 5.6G 644.8M 5.0G 11% /content
    /dev/var 41.3G 15.3G 25.9G 37% /var

    Check for /tmp/ 

    Then upload a file via SCP to the firewall /tmp/ 

    Check the throughput. Then download the same file from the /tmp/.

    If this test is acceptable, it could be an issue in the network after the firewall. 


  • Most users are still on the older Sophos VPN client, but I did recently get everyone to update their VPN config files like a week or 2 ago now. Users on mobile use OpenVPN on both iOS and Android, and they too had to update the config for that.

    I'm running the latest SFOS.

    As for the test you recommended I try: sorry to sound like a novice, but how exactly am I to run that? Do I need to connect to the Firewall via command line? I just want to make sure I understand so I can give that a shot, as it is a good thing to try.

  • SCP is a protocol. You can access the firewall's /tmp/ directory via SCP and upload/download data.

    For example: https://support.sophos.com/support/s/article/KB-000037007?language=en_US

    So you can upload data to the firewall and also download it. It would show if this is an acceptable speed and indicate an OpenVPN problem or an issue with your network / resources behind the firewall.


  • In particular, SCP uses the credentials that you've set up for SSH access to your firewall. So if you do have SSH credentials set up, SCP will magically work. If not, you'll need to set them up. And allow (perhaps only temporarily) SSH access from WAN if you're testing from outside of the firewall.
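    As an added example (not code from the thread, from Sophos or from the KB article), the SCP upload/download test suggested above, scripted so the timings come out as Mbit/s you can compare against the 75Mbps link. FW_USER, FW_HOST and SIZE_MB are placeholders; it assumes SSH/SCP is already enabled on the firewall, and if your scp defaults to the SFTP protocol (OpenSSH 9 and later) you may need to add -O to SCP_OPTS.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: time an SCP upload to
# and download from the firewall's /tmp/ and report raw throughput in Mbit/s.
# Assumes SSH/SCP is enabled on the firewall and you hold its credentials;
# FW_USER, FW_HOST and SIZE_MB are placeholders, override them via environment.
# Run once from outside without the VPN, then once over the VPN: a big gap
# between the two runs points at the tunnel, not the LAN behind the firewall.
set -eu

FW_USER="${FW_USER:-admin}"           # placeholder SSH user
FW_HOST="${FW_HOST:-203.0.113.10}"    # placeholder WAN address (TEST-NET-3 range)
SIZE_MB="${SIZE_MB:-64}"              # 64 MB keeps whole-second timing meaningful
SCP_OPTS="-o Compression=no"          # compression would inflate the numbers

# mbps BYTES SECONDS -> throughput in Mbit/s, two decimals; guards against 0 s
mbps() {
    awk -v b="$1" -v s="$2" 'BEGIN { if (s < 1) s = 1; printf "%.2f", b * 8 / s / 1000000 }'
}

# elapsed START END -> whole seconds between two `date +%s` readings, at least 1
elapsed() {
    e=$(( $2 - $1 ))
    if [ "$e" -ge 1 ]; then echo "$e"; else echo 1; fi
}

run_test() {
    local_file=$(mktemp)
    remote_file="/tmp/scp-speedtest-$$.bin"
    # random bytes: nothing on the path can squeeze them smaller
    dd if=/dev/urandom of="$local_file" bs=1048576 count="$SIZE_MB" 2>/dev/null
    bytes=$(wc -c < "$local_file")

    t0=$(date +%s)
    scp $SCP_OPTS "$local_file" "$FW_USER@$FW_HOST:$remote_file"
    t1=$(date +%s)
    echo "upload:   $(mbps "$bytes" "$(elapsed "$t0" "$t1")") Mbit/s"

    t0=$(date +%s)
    scp $SCP_OPTS "$FW_USER@$FW_HOST:$remote_file" "$local_file.down"
    t1=$(date +%s)
    echo "download: $(mbps "$bytes" "$(elapsed "$t0" "$t1")") Mbit/s"

    # tidy up; the firewall's SSH login may show a menu instead of a shell,
    # in which case delete the remote copy from its advanced shell by hand
    ssh -n "$FW_USER@$FW_HOST" "rm -f $remote_file" 2>/dev/null || true
    rm -f "$local_file" "$local_file.down"
}

# Only transfer when asked, so the helper functions can be sourced and reused.
if [ "${1:-}" = "run" ]; then run_test; fi
```

    Invoke it as `FW_HOST=<firewall WAN address> sh scp-speedtest.sh run`; a 64 MB file at the full 75Mbps should finish each direction in roughly 7 seconds.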

  • I read the link you sent and attempted to SSH into my firewall and run the packet capture. It seemed to do something, but honestly I'm still a little bit confused and don't think I really got anything out of it...which is probably my fault. Is there anything else I can try? Maybe I need to make an exception rule or something to allow a better data pass through via VPN? Maybe I should just call Sophos support and let them figure it out... lol

  • Have you checked that you are not using Denial of Service (DoS) settings that might affect the VPN? This is designed to limit fast traffic and is quite tricky to use.

  • I checked my DoS settings and it seems like all of them are off?

  • Agreed, it looks like DOS isn't the problem. Just wanted to confirm, since you hadn't specifically mentioned having checked it.

    I'm not sure which SSH comment you were referring to. Just wanted to make sure that my comment was only that in order for SCP to work -- i.e. for you to copy files directly to/from your firewall to test true network speeds, you need to have SSH set up, which it sounds like you do.

    If I understand your testing, you've been inside the firewall and from your machine used Speed Test (or something like that) and you get the expected upload/download speeds to an external server. But if you are outside of the firewall and use the VPN and download files from one of your servers inside the firewall, you get slow speeds. Presumably, when your users report slow VPN speeds, they are doing something similar: from outside the firewall they're accessing resources inside the firewall.

    Is it possible to run a speed test equivalent (say a wget or curl) from the server you tested your VPN with, connecting to something outside of your firewall? I.e. try to eliminate internal (non-VPN) traffic problems to/from that server from the outside world. It's possible that you've got internal issues that are really only seen by external machines and the only time you access internal machines externally is via VPN.

    Also, what VPN client are you using? I use OpenVPN and you can click on the icon in the upper right to view the logs. Are there any weird things happening in the logs?

    This shouldn't make a difference, but have you tried TCP? Your original screen capture shows you're using UDP. As it says, UDP could be faster, but it seems to me if you try TCP temporarily and it makes a difference that's a major clue as to what might be wrong. If you try it and nothing different happens, oh well.

    Also, have you tried the Enable Debug Mode (bottom of your original screen capture) checkbox to see if you get any extra information?

  • Thanks for the long response, Wayne! I'll try to answer your questions as best I can.

    SSH is set up on our firewall, and I'm able to log into it. I run macOS so I use Terminal for SSH. I tried the SCP thing but got confused. I don't understand how I'm supposed to download a file to the actual firewall. It's very confusing to me (networking isn't my strong suit...if that isn't becoming clear lol)

    The way I run Speed Tests is I connect to the VPN, then I connect to our Windows Server machine via Remote Desktop and run it on there. This shows me the results for anything on the local network. But that really doesn't help me because the issue isn't with using the firewall locally, but over VPN. As far as running a Speed Test over VPN I'm not sure how I can do that currently. I have tunnel access turned off for the VPN as this allows our users to use their home ISP for most things they do and only use the VPN when they need something from our file servers. If I turn tunnel access on, then all traffic will be routed through the VPN and that will lead to issues. Is there a way to run a Speed Test in the way I currently have the VPN configured?

    We use a number of different VPN clients depending on the device the person is using. For Windows we use the official Sophos VPN client (the older one, not the newer one). For iOS and Android we use OpenVPN, and for macOS we use Tunnelblick.
    I have checked logs before and nothing seems out of the ordinary that I could tell.

    I have not tried TCP. A big problem with trying to fix this during business hours is that any time I make a change to the VPN everyone in the company needs to download a new VPN configuration profile.

    I've not tried enabling the debug mode, not exactly sure what that'll do if I'm being honest.

  • Just to make sure, all VPN clients are experiencing the issue? A variety of hardware and a variety of clients begins to eliminate clients as an issue. It could still boil down to your client VPN configuration which might cause them to negotiate a connection that's slow for some reason, of course.

    I hear you on switching to TCP throwing everyone off. I have not used the Debug Mode, but the documentation says it records more stuff in the VPN Log. Not sure what that means.

    Just to make sure, when you say "checked the logs" you are talking about the VPN client logs, not the Sophos logs. I think mine show various start-up configuration negotiations so I was thinking if any unexpected settings are seen it could trigger some thought.

    OK, so you're doing a split VPN. Not sure if that might give someone who really knows this stuff a clue. I always avoid split: work VPNs force you to VPN-only, and my personal use is to enhance my on-the-road security by routing all traffic through the firewall. (I actually can't access anything behind the firewall from the VPN, just the WAN.)