
Version 19.0.0 GA Breaking IPsec VPNs

We have 20+ XG and XGS devices deployed. We started pushing out the mentioned version, updating from 18.5.3 MR-3 Build 408. The first 2 devices we updated had all kinds of VPN issues. Users could connect but the connection speed was garbage (less than 1 Mbps down). Was on the phone with support for over an hour. Finally they came back and said "after conferring with his colleagues there are issues with Version 19, we recommend you roll back". We did this and all the VPN issues were resolved.

FRUSTRATING to say the least. I have reached out to our Sophos Rep regarding this and updates moving forward, but so far "Crickets".



This thread was automatically locked due to age.
  • Any support case available? 


  • I have an XGS 116 and noticed how slow the IPsec VPN was right after I updated. Using the IPsec profile and Sophos Connect client it would connect, but RDP was extremely slow and pretty much unusable. I just tried your workaround and it works. RDP was very quick. If I re-enable IPsec acceleration it is very slow again. If I create my own VPN connection on my Mac (System Preferences/Network/add a VPN connection) it is quick. So from my findings, there is something going on with IPsec acceleration, the IPsec remote access profile and the Sophos Connect client. I was also able to reproduce this on my iPhone. Hope this helps.

  • I'm just a general punter, but this seems to confirm what you have stated.

    https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/IPsecPolicies/index.html#encryption-authentication-shared-secret-and-key-life

    "Currently, hardware acceleration for IPsec VPN is only available on some XG Series devices. It accelerates and compresses cryptographic workloads and is available for IPsec VPN connections on XG 125 Rev.3, XG 135 Rev.3, and XG 750 appliance models.

    It's turned on by default. To turn it off, go to the command-line console."

    Sophos, why on earth would you enable a setting by default which only works on a few old devices!


  • That is not correct. 

    XG125, 135 and 750 have a special chip to do hardware acceleration. But XGS has the NPU, which is its own processing unit. In the end it does not matter how you activate the option. But people here report issues on XGS hardware as well. This means the problem exists even on hardware which has an NPU.

    The Online Help is from V18.5. V19.0 included the new encryption support of the NPU. 


  • Hi,

    we faced a similar issue on an XG450. After disabling IPsec acceleration, this seems to have solved at least the drop issues, but the general average load increased, maybe it even doubled...

    Slow interaction/updates from support. Even though we had recurring interruptions and this would have been a high incident, this was set to medium by the technician. OK, it's much easier for support to comply with their support schedule that way.

    Pretty disappointing.

  • Hi Seroal,

    By default IPsec acceleration is disabled on all appliances except XGS. 

    XG135w_XN03_SFOS 19.0.0 GA-Build317#

    console> system ipsec-acceleration show
    IPsec acceleration isn't available on XG Series hardware, virtual, software, and cloud devices.

    console> system ipsec-acceleration enable
    IPsec acceleration isn't available on XG Series hardware, virtual, software, and cloud devices.

    console> system ipsec-acceleration disable
    IPsec acceleration isn't available on XG Series hardware, virtual, software, and cloud devices.

    Can you try running this command on your XG450 and see if anything is different?

  • Yes, you are right, of course we weren't able to disable it, because it is not supported on XG. But support advised us to disable firewall-acceleration as well. This was the only change we made...

  • Thanks for confirmation. 

  • We are seeing the same behavior at three of our customers; all are running an XGS on v19 with IPsec tunnels. Case ID will follow through PN.