

Sophos SSL VPN - Severe performance issue after upgrade to XGS-2100 SFOS 19.5.3

We previously had an XG-210 on SFOS 19.5.2, but due to the EOL of the XG-210 we were forced to upgrade to an XGS-2100.

We are now running the latest SFOS 19.5.3 on the new XGS-2100, and all SSL VPN users are experiencing severe performance issues.

The issue is impacting "All Users" in the business and affecting productivity for the past month with no resolution.

I have logged a case with Sophos Support and followed up many times, but the issue is still pending with NO action plan despite my repeated requests for immediate assistance.

Is anyone else having the same issue?

SSL VPN current settings

Tunnel access: Use as default Gateway (Currently turned off but turned it on for testing, same issue)

UDP | AES-128-CBC | SHA2 256 | 1024 | Compress SSL VPN (Disabled, previously turned on) | Enabled Debug Mode (Disabled, previously turned on)

Support has requested logs and more logs, but there is no action plan.



  • I see support has replied and is working on a case, but I will throw in my 2 cents. We have an XGS-3100 and we found the fastest SSL VPN performance using AES-128-GCM encryption and switching to TCP. I realize UDP should be faster for SSL VPN, but on our XGS, doing comparative tests, TCP seemed like it was being accelerated more than UDP was. Couldn't hurt to try it as a test. And yes, leave debug and compression turned off.


  • Good find. Indeed, SSL VPN over TCP not only performs better but also consumes much less CPU than UDP.

    In some cases the CPU consumption over TCP is half that of UDP.


    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Thank you for the two settings. The combination of TCP and AES-128-GCM encryption is a lot faster than what we currently have after the migration.

  • The above recommendation pointed me in the right direction. I tested several combinations of TCP, encryption algorithm and key size; however, each only resolves one performance issue over the other and does not resolve all the other performance issues. E.g., I used TCP, AES-128-GCM, 1024 and SMB transfer is a lot faster but has high ping latency, which affects internal apps. TCP and AES-128-CBC, 2054 key resolves the ping latency but Outlook performance is very poor. I am still trying all possible combinations; however, unless I know what is really causing the issue after the migration, it will be hard to find the proper setup.
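As an added example (not code from the thread or from Sophos), the checker below flags the client-profile settings the replies above associate with slow SSL VPN on the XGS (UDP, a CBC cipher, compression, debug-level logging) and rewrites a profile to the TCP / AES-128-GCM / no-compression / no-debug combination that worked for the posters. It assumes the Sophos SSL VPN client profile uses OpenVPN directives; the sample profile is constructed for this example, not a real export.

```python
# Constructed sample client profile (assumption: Sophos SSL VPN profiles use
# OpenVPN directives). It carries the combination the thread reports as slow.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 8443
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 5
"""

def parse_profile(text):
    """Map each directive to its argument string ('' for bare directives)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def review_profile(text):
    """Return findings for settings the thread associates with poor performance."""
    conf = parse_profile(text)
    findings = []
    if conf.get("proto", "udp").startswith("udp"):
        findings.append("proto: UDP; thread reports TCP was faster and used less CPU on XGS")
    cipher = conf.get("cipher", "").upper()
    if cipher and not cipher.endswith("-GCM"):
        findings.append(f"cipher: {cipher}; thread reports AES-128-GCM was fastest")
    # 'comp-lzo' (unless 'no') or 'compress' with a real algorithm enables compression;
    # a bare 'compress', 'stub' or 'stub-v2' only enables framing, not compression.
    if conf.get("comp-lzo", "no") != "no" or conf.get("compress", "") not in ("", "stub", "stub-v2"):
        findings.append("compression: enabled; thread advises leaving it off")
    if int(conf.get("verb") or 1) >= 4:
        findings.append(f"verb: {conf['verb']}; debug-level logging, thread advises debug off")
    return findings

def apply_thread_settings(text):
    """Rewrite the profile to TCP, AES-128-GCM, no compression and normal logging."""
    out = []
    for raw in text.splitlines():
        key = raw.split(" ", 1)[0]
        if key in ("comp-lzo", "compress"):
            continue  # drop compression directives entirely
        if key == "proto":
            raw = "proto tcp"
        elif key == "cipher":
            raw = "cipher AES-128-GCM"
        elif key == "verb":
            raw = "verb 3"  # normal verbosity, debug off
        out.append(raw)
    return "\n".join(out) + "\n"
```

The protocol, cipher, compression and debug settings live on the firewall, so the rewritten profile only shows what a re-exported profile should contain once those options are changed there.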