
Sophos SSL VPN - Severe performance issue after upgrade to XGS-2100 SFOS 19.5.3

We previously had an XG-210 on SFOS 19.5.2, but due to EOL on the XG-210, we were forced to upgrade to an XGS-2100.

We are now running the latest SFOS 19.5.3 on the new XGS-2100, and all SSL VPN users are experiencing a severe performance issue.

The issue is impacting "All Users" in the business and affecting productivity for the past month with no resolution.

I have logged the case with Sophos Support and followed up many times, but the issue is still pending with NO action plan despite my repeated requests for immediate assistance.

Is anyone else having the same issue?

SSL-VPN Current Setting

Tunnel access: Use as default Gateway (Currently turned off but turned it on for testing, same issue)

UDP | AES-128-CBC | SHA2 256 | 1024 | Compress SSL VPN (Disabled, previously turned on) | Enabled Debug Mode (Disabled, previously turned on)

Support has requested logs and more logs, but there is no action plan.



This thread was automatically locked due to age.
  • Sophos GES is way too slow for a critical issue that affects all users in the business. I was asked again to wait until 3 days from now. I am running out of options here. I tested several combinations of TCP/UDP and encryption settings; however, I cannot get everything back to normal. It only resolves one issue at a time, depending on the protocol and security algorithm.

  • Just to be clear: Support / DEV works with Business Impact & Affected Customer flags. This drives the priority score. So if you are the only customer reporting this kind of behavior, and it is a "slowing down but not stop working" situation, it is not the highest prioritization. Especially if you have a workaround like moving to GCM (which is a general recommendation).


  • I understand that but the ticket has been escalated several times and is already one month old. I tested all the GCM encryption with TCP and UDP, but somehow it only fixed one issue at a time, I am unable to find a combination that works before the migration to the new device and the new firmware. I am tempted to put the XG-210 back into production and transfer the license back to XG-210 but that is a lot of headache and turnaround time considering the location of the device.


  • Hi,

    As per the update on the case, the case handler is seeking confirmation from your side.

    "Development is unavailable tomorrow and shared their availability for Tuesday at 4 PM NZT. (Nov 21, 2023)

    Please let me know if that works for you."

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Any other recommendation is appreciated.

    SSL-VPN Current Setting:

    Tunnel access: Use as default Gateway (Currently turned off but turned it on for testing, same issue)

    TCP | AES-128-GCM | SHA-256 | 2048 | Compress SSL VPN (Disabled) | Enabled Debug Mode (Disabled)

    MTU - 1500

    The above configuration gives us better performance than the previous one that was working with the XG-210; however, there is still a bottleneck.

    We have a very simple setup with only 20 SSL VPN users, and there is no Site-to-Site VPN.

    Since we upgraded to XGS-2100, the performance in our network has degraded.

    Another problem is that I got a recurring flu for 2 months because I was forced to work nights by Sophos Support, as they have needed to gather logs for 3 months now.

    I am now reviewing alternative products, but I will be on a long holiday and will not be back until next year, so I am trying to give the XGS 2100 another shot.

    If anyone can suggest any other setting that I can test, it is very much appreciated.

  • Hello there,

    To reiterate, Sophos Support should work during your preferred working hours, not the other way around.

    Checking last month's activities, I can see your case is now more aligned with your working hours, but unfortunately, the last session with DEV didn't go as expected.

    I have escalated this case internally with Management so GES/DEV/Management can work with you with a specific time plan to work on your issue, if you would like.

    As per your case, the only thing I didn't see about the troubleshooting is what Luca recommended about disabling IPsec and Firewall acceleration. Can you confirm if you tried that so I can add the note in the case? 

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support