

Sophos XGS 136W - Super Slow VPN Performance 1/10th to 1/50th Actual Speed.

Hi Sophos Community Team,

I have a Sophos XGS 136W.

Latest OS + Fixes including SSD Fix (that wasn't a fun update FYI).

I am currently experiencing very slow VPN performance - like bare iperf speed is 500-900 Mbps and Sophos VPN speeds between the Sophos XGS 136W and a

OpenVPN - UDP - No Compression is barely 50 Mbps

Anyone got any solutions to help get the speed up to something closer to the spec sheet value?

I also suffered an outage as load averages on this device went to 1260 - this was resolved with a restart but no actual answer to why - just that the snort process was using up all the CPU.

I have gotten no answers from Sophos after a week and the only suggestions were turning bits of the firewall off and reducing cores allocated to specific services. Not really much use given I need a firewall not a passthrough device.

Sophos CaseID: 07200288

OpenVPN version : - OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022



  • Hi precious,

    Thank you for reaching out to Sophos Community and for sharing the case ID. Will further check the given case.

    To verify, what kind of VPN are you using? IPsec Remote/SSL VPN Remote?

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • So just spoke to another support engineer, they took packet captures - exactly the same as before - same result. 

    The firewall seems the issue. No solution.

  • Hello there,

    Your case has been escalated internally. I can see you already talked to a manager, and they have approved the RMA.

    In the issue related to the SSL VPN speeds, the expectation was set to two working days for GES to get back to you; this is because it seems to be only an SSL VPN speed issue, not an outage (nobody can use the SSL VPN) from what I can see in the notes; however, this blends with the other Case where the issue relates to the Firewall becoming unresponsive.

    The other case isn’t with GES, and the engineer left the commands running in case the issue re-appeared. But I can see the follow-up wasn’t correct since this is the case causing the outage. 

    Let me know if the issue re-appears once you get the RMA replacement.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi,

    The SSL VPN Speed issue - is causing an outage e.g. the speed is too slow so my real time processing of data is falling behind. You have offered NO SUITABLE SOLUTION to this.

    Twice I have spent 1/2 a day with technical support engineers taking the same (literally the same) TCP dump to confirm what I already know: the VPN is approximately 1/10th to 1/50th the performance expected.

    This issue caused a total outage when the router hit 1260 load average and the VPN wasn't active at all. That's the other ticket - you probably want to resolve that for all Sophos XGS firewall users? Right? Given you had no answer to why it occurred - and it'll now be one of the great features of this product of yours that might turn up again.

    Can this GES team member contact me immediately - the "issue is present right now" - you don't have to wait for it to reappear - it's a live issue causing a system outage due to very slow performance.

    The RMA is an attempt to run a totally clean device as just a VPN on my public interface and slowly add just a VPN to it to confirm on a clean installed device what the performance is - I have no other suitable options right - Sophos has offered nothing - this is me doing the only thing I can think of from the outside. I have tried connecting with other VPN clients from different machines and OSes; they are all slow - when connecting to my home router using OpenVPN - it all works as expected.

    Your suggestions via the community forum are appreciated but they are more performance tuning than why the product is nowhere near the performance it should be: ~600 Mbps but is 20 Mbps - not really in the realm of performance tuning, it's just plain wrong.

    Again I'd request escalation.

  • Hello there,

    Thank you for the feedback.

    Just to confirm that your case is escalated to our Escalation Manager, you should be hearing soon from them and or GES, if you haven't already.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • So another support engineer, another explanation of the problem.

    This one believed that running the iperf the "other way around" would give the expected result - swapping the server and client - I couldn't even make this stuff up.

    when I am facing outages - this sort of stuff is very upsetting to hear - from the most senior level of support. I was told it'd be days before someone from the development team reaches out - even though I have given permission to remote debug to find the issue of a known problem.

    Local Device connected via gigabit ethernet -> Router -> 1 Gbps Line -> Internet Server Running iperf (1 Gbps Line) = 600 Mbps iperf score.


    Local Device -> gigabit ethernet -> router -> VPN -> internet server running iperf via 1 Gbps line but hitting the local address so forced to use VPN = 20 Mbps, or 40 Mbps if I turn off all the features of the firewall + reduce key size!


    Let's see what happens next.


  • So let's rephrase this:
    You have a client on the internet. This client is connected to its ISP and connected via VPN to the firewall.

    Did you try another client like Sophos Connect? Did it work better there?
    Because you have yet to confirm whether it is a client, firewall or even an ISP problem.

    The next step by you should be a Windows client using Sophos Connect and checking the speed there using the same method.

    That should be done within 10 minutes, given you have a Windows client at hand.

    About your test method. Why don't you try a speedtest approach like downloading a file instead?
    Do something like: 

    Add this to SSLVPN:

    This should add the IPs of this URL:

    "speed.hetzner.de": {
        "sm": "speed.hetzner.de/100MB.bin",
        "md": "speed.hetzner.de/1GB.bin",
        "lg": "speed.hetzner.de/10GB.bin"
    }
    For example: 

    And a download there: 

    https://ash-speed.hetzner.com/

    __________________________________________________________________________________________________________________

  • The iperf test is just my way of saying it's not me. All things go slower over the VPN including speedtest-cli from a few different machines / os's.

    If I just go via the firewall to the internet and do a speedtest I easily get 600 Mbps. Just a normal ethernet-connected client using the firewall as a router over 1 Gbps WAN.

    If I iperf over the firewall without a vpn via my fibre connection I easily get 500Mbps.

    If I iperf via a local address, forcing the system to use a VPN that the remote system has connected to, I get 10-40 Mbps depending how much of the firewall I have turned off. This uses all the same equipment as the above tests, the difference being it's a VPN over the same cables & equipment.

    Is this really that hard to understand? The iperf without the VPN proves it's not [client, firewall or even an ISP problem]. When I turn on the VPN - it's all on Sophos - you clearly have had issues with performance and bugs in the past with this from reading previous posts. One specific thread shows advice: "turn off firewall acceleration due to bugs"

  • As I showed multiple times, I can easily reach higher speeds. Others can too. This means somehow there is something special.

    So let's revisit your part of "If I iperf via a local address forcing the system to use a VPN that the remote system has connected to I get 10-40 Mbps" -

    Can you exactly describe what you are doing here? How do you reroute the traffic here? 

    Where is the system from the viewpoint of SFOS? In the WAN?
    If you connect to the Appliance via SSLVPN - What kind of MTU does the Client use? 
    What MTU do you use on the WAN from your ISP? 

    __________________________________________________________________________________________________________________

  • Your team has full tcp dumps - for this from the firewall and from the Linux iperf server side - twice. Can you ask them to let you look at these? Also ifconfig dumps to show all MTUs.

    The WAN is MTU = 1500, MSS = 1460 (from the network section of the firewall). I don't connect directly so trust your software UI to report it correctly.

    The VPN via wireshark of those TCPdumps you have - mss = 1460 - I don't know how to get the MTU from the wireshark (is it even possible). - however the ifconfig on the vpn side shows (on the vpn tun0 link): 1500 - again these have been provided twice already to support engineers.

    ... not much else I can turn off on this thing - it's running at < 10% of cpu now. 

  • XXXXXXXXXX:~$ iperf -c 172.16.XX.XX -p 5210
    ------------------------------------------------------------
    Client connecting to 172.16.XX.XX, TCP port 5210
    TCP window size: 45.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.81.XX.XX port 59592 connected with 172.16.XX.XX port 5210
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.3 sec  42.5 MBytes  34.6 Mbits/sec

    XXXXXXXXXX:~$ iperf -c 103.XX.XX.XX -p 5210
    ------------------------------------------------------------
    Client connecting to 103.XX.XX.XX, TCP port 5210
    TCP window size: 45.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 51.XX.XX.XX port 51098 connected with 103.XX.XX.XX port 5210
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec   934 MBytes   783 Mbits/sec


    172 = local subnet, 10.81 = VPN subnet, 103 = fibre connection, 51 = public server's IP address.


    So we are looking at a 20x speed decrease, this is with most features on the firewall being off. CPU < 20%

    Still a production issue causing outages. 


    Can this be escalated to the development team to see what is going on? It's clearly the firewall.
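    Two things in this thread lend themselves to a quick offline check: the two iperf summaries quoted above (direct vs. through the tunnel), and the MTU/MSS question raised a few posts earlier (WAN MTU 1500, MSS 1460 seen in the tunnel captures, tun0 MTU 1500). The script below is an added example written for this page; it is not code from the thread, from Sophos or from OpenVPN. It parses the iperf output to quantify the slowdown, and then checks whether a full-size TCP segment with the quoted MSS still fits the WAN MTU once it has been wrapped in OpenVPN-over-UDP. The per-packet encapsulation overhead (`ASSUMED_OPENVPN_UDP_OVERHEAD`) is an assumed placeholder, since the real figure depends on the cipher and options in use; replace it with a value measured from the captures.

```python
import re

# Constructed sample input: the two iperf summaries quoted in this thread,
# with the addresses masked exactly as the poster masked them.
IPERF_VIA_VPN = """\
Client connecting to 172.16.XX.XX, TCP port 5210
TCP window size: 45.0 KByte (default)
[  3] local 10.81.XX.XX port 59592 connected with 172.16.XX.XX port 5210
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.3 sec  42.5 MBytes  34.6 Mbits/sec
"""

IPERF_DIRECT = """\
Client connecting to 103.XX.XX.XX, TCP port 5210
TCP window size: 45.0 KByte (default)
[  3] local 51.XX.XX.XX port 51098 connected with 103.XX.XX.XX port 5210
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   934 MBytes   783 Mbits/sec
"""

# Matches the client summary line, e.g. "[  3]  0.0-10.3 sec  42.5 MBytes  34.6 Mbits/sec"
_SUMMARY_RE = re.compile(
    r"\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+([\d.]+)\s+([KMG]?)bits/sec"
)


def parse_iperf_mbits(output: str) -> float:
    """Return the bandwidth in Mbit/s from the first iperf summary line in `output`."""
    scale = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}
    for line in output.splitlines():
        m = _SUMMARY_RE.search(line)
        if m:
            return float(m.group(1)) * scale[m.group(2)]
    raise ValueError("no iperf bandwidth summary line found")


def slowdown_factor(direct_mbits: float, vpn_mbits: float) -> float:
    """How many times slower the tunnelled path is than the untunnelled one."""
    if vpn_mbits <= 0:
        raise ValueError("VPN throughput must be positive")
    return direct_mbits / vpn_mbits


IPV4_HEADER = 20
TCP_HEADER = 20

# ASSUMPTION (placeholder, not a measured value): bytes added per packet when an
# inner IPv4 packet is wrapped in OpenVPN over UDP (outer IPv4 + UDP + OpenVPN
# framing + cipher IV/auth tag). The real figure depends on cipher and options.
ASSUMED_OPENVPN_UDP_OVERHEAD = 60


def encapsulated_size(inner_mss: int, overhead: int = ASSUMED_OPENVPN_UDP_OVERHEAD) -> int:
    """Bytes on the WAN wire for a full-size TCP segment of the given MSS once tunnelled."""
    inner_packet = inner_mss + TCP_HEADER + IPV4_HEADER
    return inner_packet + overhead


def will_fragment(inner_mss: int, wan_mtu: int = 1500,
                  overhead: int = ASSUMED_OPENVPN_UDP_OVERHEAD) -> bool:
    """True when a full tunnelled segment exceeds the WAN MTU and must be fragmented."""
    return encapsulated_size(inner_mss, overhead) > wan_mtu


def largest_safe_mss(wan_mtu: int = 1500,
                     overhead: int = ASSUMED_OPENVPN_UDP_OVERHEAD) -> int:
    """Largest inner TCP MSS whose tunnelled packet still fits the WAN MTU."""
    return wan_mtu - overhead - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    vpn = parse_iperf_mbits(IPERF_VIA_VPN)
    direct = parse_iperf_mbits(IPERF_DIRECT)
    print(f"direct {direct:.1f} Mbit/s, via VPN {vpn:.1f} Mbit/s, "
          f"slowdown x{slowdown_factor(direct, vpn):.1f}")

    # Figures quoted in the thread: WAN MTU 1500, MSS 1460 inside the tunnel.
    mss_in_tunnel, wan_mtu = 1460, 1500
    print(f"tunnelled size of a {mss_in_tunnel}-byte MSS segment: "
          f"{encapsulated_size(mss_in_tunnel)} bytes, "
          f"fragments: {will_fragment(mss_in_tunnel, wan_mtu)}")
    print(f"largest MSS that avoids fragmentation under the assumed overhead: "
          f"{largest_safe_mss(wan_mtu)}")
```

    The point of the second half is the caveat a practitioner would check first when a tunnel is far slower than the link underneath it: when the tunnel interface MTU equals the WAN MTU, a full-size inner packet cannot fit inside the outer one without IP fragmentation, and fragmented UDP is both slow and easily dropped. In OpenVPN the knob that clamps the advertised MSS for TCP sessions inside the tunnel is `--mssfix`; comparing its configured value against the MSS actually seen in the captures is a cheap way to confirm or rule out this cause before looking at CPU or inspection features.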

  • Sorry for the confusion here - I am not a support employee and I do not have access to the support department. I am just here in my free time to help customers and home users.

    So I'll let you communicate with the support department directly.

    __________________________________________________________________________________________________________________

