
Sophos XGS 136W - Super Slow VPN Performance 1/10th to 1/50th Actual Speed.

Hi Sophos Community Team,

I have a Sophos XGS 136W

Latest OS + Fixes including SSD Fix (that wasn't a fun update FYI).

I am currently experiencing very slow VPN performance - like bare iperf speed is 500-900 Mbps and Sophos VPN speeds between Sophos XGS 136W and a

OpenVPN - UDP - No Compression is barely 50 Mbps

Anyone got any solutions to help get the speed up to something closer to the spec sheet value ? 

I also suffered an outage as load averages on this device went to 1260 - this was resolved with a restart but no actual answer to why - just that the snort process was using up all the CPU.

I have gotten no answers from Sophos after a week and the only suggestions were turning bits of the firewall off and reducing cores allocated to specific services. Not really much use given I need a firewall not a passthrough device.

Sophos CaseID: 07200288

OpenVPN version : - OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022



Added TAGs
[edited by: Raphael Alganes at 9:43 AM (GMT -8) on 30 Jan 2024]
  • Hello  ,

    Thanks for taking the time to update and for your patience on the case. We regret to hear you're still facing the issue.

    Per your last conversation with the engineer handling your case, the captures collected were being further analyzed, and you'll be contacted once a plan of action is ready.

    Again, many thanks for your time and patience and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hello there,

    Following up on your case: it has been accepted by GES for further troubleshooting. You have two different cases that might relate to one another, so we will keep an eye on both of them.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Another person from Sophos asked for support access again.... Again! - I use your own software to offer 1 month's support access, then a few days later you ask me again and again for support access. I have done this for you 20 times so far - all for a month of access.

    This is really rubbish. Again escalate... the support behind this product is one of the worst I have ever seen!

    I am still facing a PRODUCTION OUTAGE due to the vpn not working as advertised.

  • Hello there,

    Thank you for the feedback, and I can understand that asking several times to re-enable Support access can be frustrating.

    I have escalated your case internally to management, and a Manager should be reaching out to you about it.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • The outage continues.

    I have asked for new hardware - which I'll install from scratch for VPN use only to confirm it's a fault on my firewall.

    Also waiting for someone on the development team to reach out and try to diagnose the failure while it is happening.

    I literally have an issue, evidence it's clearly the firewall causing the issue, repeatable, yet nobody from the development team has bothered to reach out and try to diagnose the issue live - it's causing outages regardless and I have a repeatable problem - I don't understand why someone from your development team has not reached out...

    If possible, please escalate.

  • Hello there,

    Your case has been escalated internally. I can see you already talked to a manager, and they have approved the RMA.

    In the issue related to the SSL VPN speeds, the expectation was set to two working days for GES to get back to you; this is because it seems to be only an SSL VPN speed issue, not an outage (nobody can use the SSL VPN)  from what I can see in the notes; however, this blends with the other Case where the issue relates to the Firewall becoming unresponsive. 

    The other case isn’t with GES, and the engineer left the commands running in case the issue re-appeared. But I can see the follow-up wasn’t correct since this is the case causing the outage. 

    Let me know if the issue re-appears once you get the RMA replacement.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi,

    The SSL VPN Speed issue - is causing an outage e.g. the speed is too slow so my real time processing of data is falling behind. You have offered NO SUITABLE SOLUTION to this.

    Twice I have spent 1/2 a day with technical support engineers taking the same (literally the same) TCP DUMP to confirm what I already know: the VPN is approximately 1/10th to 1/50th the performance expected.

    This issue caused a total outage when the router hit 1260 load average and the VPN wasn't active at all. That's the other ticket - you probably want to resolve that for all Sophos XGS firewall users? Right? Given you had no answer to why it occurred - and it'll now be one of the great features of this product of yours that might turn up again.

    Can this GES team member contact me immediately - the "issue is present right now" - you don't have to wait for it to reappear - it's a live issue causing a system outage due to very slow performance.

    The RMA is an attempt to run a totally clean device as just a VPN on my public interface and slowly add just a VPN to it to confirm on a clean installed device what the performance is - I have no other suitable options right - Sophos has offered nothing - this is me doing the only thing I can think of from the outside. I have tried connecting with other VPN clients from different machines and OS's, they are all slow - when connecting to my home router using OpenVPN - it all works as expected.

    Your suggestions via the community forum are appreciated but they are more performance tuning than why the product is nowhere near the performance it should be ~600 Mbps but is 20 Mbps - not really in the realm of performance tuning, it's just plain wrong.

    Again I'd request escalation.

  • Hello there,

    Thank you for the feedback.

    Just to confirm that your case is escalated to our Escalation Manager, you should be hearing soon from them and/or GES, if you haven't already.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • So another support engineer, another explanation of the problem.

    This one believed that running the iperf the "other way around" would give the expected result - swapping the server and client - I couldn't even make this stuff up..

    When I am facing outages - this sort of stuff is very upsetting to hear - from the most senior level of support. I was told it'd be days before someone from the development team reaches out - even though I have given permission to remote debug to find the issue of a known problem.

    Local Device connected via gigabit ethernet -> Router -> 1GBPS Line -> Internet Server Running iperf (1GBPS Line) == 600Mbps iperf score.


    Local Device -> gigabit ethernet -> router -> VPN -> internet server running iperf via 1gbps line but hitting the local address so forced to use VPN = 20 Mbps or 40 Mbps if I turn off all the features of the firewall + reduce keysize!


    Let's see what happens next.


  • So let's rephrase this:
    You have a client on the internet. This client is connected to his Internet ISP and connected via VPN to the firewall.

    Did you try another client like Sophos Connect? Did it work better there?
    Because it is yet to be confirmed by you whether it is a client, firewall or even an ISP problem.

    The next step by you should be a Windows client using Sophos Connect and check the speed there using the same method.

    That should be done within 10 minutes, given you have a Windows client at hand.

    About your test method. Why don't you try a speedtest approach like downloading a file instead?
    Do something like: 

    Add this to SSLVPN: 

    This should add the IPs of this URL: 

    "speed.hetzner.de": {
    "sm": "speed.hetzner.de/100MB.bin",
    "md": "speed.hetzner.de/1GB.bin",
    "lg": "speed.hetzner.de/10GB.bin",

    For example: 

    And a download there: 

    https://ash-speed.hetzner.com/
