Sophos Red SD-60 Poor lan speeds one way

Hi all,

I've added a new RED SD-60 to our network; details below. Standard/unified setup.

SD-RED 60 10.90.21.0/24

Connection throughput 100/100 fibre.

XGS2300 192.168.100.0/24

Connection throughput 1000/1000 fibre.

When connecting the SD-RED 60 we get full speed from the internet/speed tests without issues. But when we do a local file transfer from the XGS2300 range we get max 1mb/s, nothing more. Lodged a ticket with Sophos and spent many hours with no result yet. Anyone have some ideas?

I'm aware of the speed limitations of the Red devices, but we should be getting more than 1mb from lan traffic. 

Thanks!



This thread was automatically locked due to age.
  • Hi Philipp, I've changed both the RED to 1280 and the workstation testing MTU to 1280, no change. Also tried lower but still no change. Sophos was on the line today with still no fix; they were concerned regarding the "TCP segment of a reassembled PDU" message from within Wireshark.

  • Hi Kent,

    It is not that easy, but I'll try: in principle every component along the route can cause your bottleneck with an MTU size being too small.

    You could start with the tunnel definition for the RED. But you should then reduce the MTU of the clients behind that tunnel as well.

    We had a customer with Telekom DSL and RED; some home offices ran without any problems, other sites had to be reduced to 1280 bytes at the RED tunnel definition. It varies from site to site for him.

    For Windows clients, we have a script to set the MTU that I could send you.

    You could start with 1280 and then try to get to higher numbers.

    Kind regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
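One way to carry out the "start with 1280 and then try to get to higher numbers" advice without guessing is to probe the path with Don't Fragment pings and binary-search the largest size that still gets a reply. The following is an added example, not the script Philipp mentions and not part of the original thread; it assumes the stock Windows `ping` (`-f -l`) or Linux iputils `ping` (`-M do -s`), and the target host is whatever machine you pick on the far side of the RED tunnel.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    res = subprocess.run(cmd, capture_output=True, text=True)
    # Heuristic: Windows ping can exit 0 on an ICMP error reply,
    # so also require the TTL field that only a real echo reply prints.
    return res.returncode == 0 and "ttl=" in res.stdout.lower()


def largest_working_mtu(probe, low=1280, high=1500):
    """Binary-search the largest MTU in [low, high] whose DF probe succeeds.

    `probe` takes an ICMP payload size and returns True on a reply.
    Returns None when even `low` fails, meaning an MTU in this range
    does not get packets through and the path needs a closer look.
    """
    if not probe(low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            low = mid          # mid fits, search upward
        else:
            high = mid - 1     # mid is too big, search downward
    return low


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # hypothetical: a host behind the other end of the tunnel
    mtu = largest_working_mtu(lambda size: ping_df(host, size))
    print("no reply even at the floor" if mtu is None else f"largest working MTU: {mtu}")
```

Run it from a client behind the RED against a host on the XGS side and again in the opposite direction, since the thread's symptom is one-way.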

  • Hi Emmanuel, we have already run this command with no change.

  • Hello Kent,

    Thank you for the Case ID.

    Can you run this command from the console of your Sophos Firewall and try again to replicate the issue:

    console> set ips ac_atp exception fwrules 2

    Substitute the 2 for the Firewall rule you are using to pass traffic from the RED to the LAN.

    This command disables any additional check that the Sophos Firewall does for IPS; this would help rule out the issue with the Firewall side.

    Regards


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Philipp, just on the RED side? Any recommendation on what to lower it to?

    Kent.

  • Maybe it's fragmentation happening here. Try to lower MTU size on the links.

    This would explain to me why the packets are coming out of order.

    Kind regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Response from Sophos - I have reviewed the logs and the only thing suspicious is the TCP Out Of Order captured on Wireshark. I have checked Wireshark Q&A, and that error probably indicates there are multiple paths between source and destination - and one travels through a longer path. It means TCP has slightly more work to reassemble segments in the correct order. I have checked raw tcpdump and am not seeing any other path the traffic is traversing.

    Not sure where to go from here. Will wait for an update; ETA is March 2nd.

  • Could be an MTU size problem with one of the used uplinks.

    Kind regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • CaseID: 06220394

    Should have some update by EOB today.

  • Hello Kent,

    Thank you for contacting the Sophos Community.

    May we know the Case ID you have with Support so we can check what has been done?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support