Sophos XGS 136W - Super Slow VPN Performance 1/10th to 1/50th Actual Speed.

Hi precious,

Thank you for reaching out to Sophos Community and for sharing the case ID. Will further check the given case.

to verify, what kind of VPN are you using? IPsec Remote/SSL VPN Remote?

Using a standard OpenVPN SSL Remote connection.

It's been a pretty poor experience so far. I have been given suggestions of turning bits of the firewall off (kinda defeats the purpose of the firewall). 

It's been over a week of super slow performance causing production outages as so far no useful responses can this be escalated please ? 

I reported slow performance and a few days later the firewall load average hit 1260 (I believe it's a 4 core - XGS 136W) - it then resulted in total failure and a massive outage. I luckily was able to ssh into another 4g backup and bounce the firewall - however no actual solution was provided and I have just a stock firewall doing very little... 

Also when trying both from my linux and mac - performance is 10 to 20 times lower than raw bandwidth. Both have different versions of openvpn.

Reduced Keysize, Turned off Compress SSL, mss tuned to 1400 (via console under support advise).

Try: 

BTW: This will mean you have to download new configs. 

Thanks, I will have to organise this in the morning.

Appreciate the help - so back to TCP, port to 1443, 1.1.1.1 DNS, AES-256-GCM, 2048 bit Key. 

Will report findings.

Hi, 

No joy - I had a slight increase but we are talking twice the speed. The raw speed of direct connection (via public internet not the firewall) - is around 500-800 Mbps. The vpn gives me 30-40 Mbps.

I even tried toggling the system firewall-acceleration enable  and disabled too - no joy.

Why doesn't the simplest part of this firewall not work ? I'm not asking for the same speed as the raw performance even 1/2 would be great.

How are you testing? What do you do to test it? You are going from VPN to WAN? 

I have a public server on the internet I run "iperf -s 5210" I then run 

"iperf -c PUBLIC_IP -p 5210" - I then try it again with the internet network address (forcing it via the vpn). 

Intranet address like 192.168.1.30

Sounds like a MTU Problem. Likely you have a lot of retransmissions on this speed test. Can you decrease the size of the packets in iperf? 

The 10 to 20 times worse speed decrease seems a little too large for a MTU issue? 

I can confirm similar speed slows downs on SCP file transfer too.

Sophos support have viewed logs and tcpdumps - so again if it's MTUs they would have picked that up in the logs.

Any details for customer service escalation? given this is causing outages and has been going on for over a week.

I am still facing outages as the support team from sophos ring me daily and re-iterate my problem then go away and provide no solutions.

The closest I have had to some options is from this community forum.

The 10 to 20 times worse speed decrease seems a little too large for a MTU issue? 

I can confirm similar speed slows downs on SCP file transfer too.

Sophos support have viewed logs and tcpdumps - so again if it's MTUs they would have picked that up in the logs.

Any details for customer service escalation? given this is causing outages and has been going on for over a week.

I am still facing outages as the support team from sophos ring me daily and re-iterate my problem then go away and provide no solutions.

The closest I have had to some options is from this community forum.

Can you change the MTU on the Endpoint you are using to 1400 ? Does it affect something? 

Tried various values - still slow speed. I upgraded vpn to : OpenVPN 2.4.12 x86_64-pc-linux-gnu - still no joy.

Did you decrease the MTU even lower to maybe something like 1300 MTU? 
Because right now i cannot say, which MTU you have on your client in Linux? 

BTW: Did you try to use a windows client with Sophos Connect with the same config file? What are the performances there?