Sophos XGS 136W - Super Slow VPN Performance 1/10th to 1/50th Actual Speed.

Hi Sophos Community Team,

I have a Sophos XGS 136W.

Latest OS + Fixes including SSD Fix (that wasn't a fun update FYI).

I am currently experiencing very slow VPN performance - the bare iperf speed is 500-900 Mbps, and the Sophos VPN speed between the Sophos XGS 136W and a

OpenVPN - UDP - no compression is barely 50 Mbps.

Has anyone got any solutions to help get the speed up to something closer to the spec sheet value?

I also suffered an outage as load averages on this device went to 1260 - this was resolved with a restart but no actual answer to why - just that the snort process was using up all the CPU.

I have gotten no answers from Sophos after a week and the only suggestions were turning bits of the firewall off and reducing cores allocated to specific services. Not really much use given I need a firewall not a passthrough device.

Sophos CaseID: 07200288

OpenVPN version : - OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022



  • Hello,

    To update the community, this is currently being investigated by DEV under NCL-1809.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Just an update for all.

    The team at Sophos have been able to recreate it - so it appears to be a genuine bug / problem with the firewall product.

    The developer in me would recommend they have each of the Sophos XGS products, running a simple setup, with VPNS, and other obvious features and they track performance changes as they update SFOS versions to track changes over time or general performance trends. When they see a major drop like 1/10th of actual speeds - maybe take a looky?

    A bit like continuous integration but for hardware + software products - you really don't want a client having to contact the CEO to tell you your product isn't working on such a basic level - worse still to be proven right.

    Sophos has a market value of US$3.9 billion - approx 4,400 employees - I assume someone in the org suggested this? It seems pretty basic - my 1 man company does this to ensure changes don't impact performance trends on my SaaS product for my clients.

    Looking forward to this week's updates.

  • Have you heard anything further on this issue? I have an XG125 rev3 on v20 GA with 500/500 fiber at the office and 1000/1000 fiber at home. I've gone through all the troubleshooting steps without any success.
    IPsec Remote Access VPN:  0.00-10.00 sec  26.2 MBytes  22.0 Mbits/sec
    SSL VPN manages to get:   0.00-10.00 sec  73.2 MBytes  69.0 Mbits/sec

  • Hi, 

    So basically, after a lot of back and forward, the outcome was that the SSL VPN + IPsec Remote Access options are very slow - they just are - in aggregate they can hit very large throughputs, but a single connection is not much better than the numbers you have quoted.

    Switching to just IPsec via strongSwan on Ubuntu - doing a site-to-site connection - got me back to wire speeds. It's just a massive pain to set up - but you can set up the whole IPsec SD routes so you can have primary and secondary connections and also set them to initiate, so they can be behind NAT'd networks like a 4G backup. I have a 1 Gbps fibre + 5G NAT'd connection as my secondary.

    All up, Sophos got me going again via IPsec - I get approx 700-800 Mbps from a 1 Gbps link.

    You'll probably want to log in via SSH to your Sophos router; you'll want to cat out the IPsec configs and secrets to help you configure the other side, and you'll need to match the IKE protocol version, cipher and key exchange settings. It's fiddly as - so maybe call up Sophos and ask for some support.

    In the end it's worth it - I got up and running again and, to be fair, the IPsec failover stuff works better than the remote VPN failover.

    Hope that helps.
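Doing what the post above describes, as an added example that is not from the original thread, from Sophos or from strongSwan's own tooling: a small Python script that reads a strongSwan-style ipsec.conf conn block of the kind a firewall's IPsec stack generates for a site-to-site tunnel, mirrors it (the firewall's left becomes the Ubuntu peer's remote, and vice versa) and renders the matching swanctl.conf connection plus PSK section for strongSwan on the Ubuntu side. The sample conn block, addresses, identities, subnets, connection name and PSK are constructed placeholders, and no assumption is made about where the firewall stores its config; copy the real values from the firewall. The keyword mapping follows strongSwan's documented ipsec.conf to swanctl.conf migration (left/right to local/remote, ike/esp to proposals/esp_proposals, auto=start to start_action, the trailing strict marker "!" dropped).

```python
"""Mirror a strongSwan ipsec.conf 'conn' into the peer's swanctl.conf.

Added example, not project code. Every value in SAMPLE_IPSEC_CONF is a
constructed placeholder (RFC 5737 addresses), not real configuration.
"""
import re

SAMPLE_IPSEC_CONF = """
config setup
    uniqueids=yes

conn hq_to_branch
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=3h
    lifetime=1h
    authby=secret
    left=203.0.113.10
    leftid=@hq-firewall
    leftsubnet=192.168.10.0/24
    right=198.51.100.20
    rightid=@branch-ubuntu
    rightsubnet=10.20.0.0/16
    dpdaction=restart
    dpddelay=30
    auto=start
"""


def parse_conn(text, name):
    """Return the key=value pairs of one 'conn <name>' section."""
    conn, in_conn = {}, False
    for line in text.splitlines():
        if re.match(r"^\S", line):      # unindented keyword opens a section
            in_conn = line.strip() == f"conn {name}"
            continue
        if in_conn and "=" in line:
            k, v = line.strip().split("=", 1)
            conn[k.strip()] = v.strip()
    if not conn:
        raise ValueError(f"conn {name} not found")
    return conn


def strip_strict(proposal):
    """ipsec.conf marks strict proposals with a trailing '!'; swanctl has no such flag."""
    return proposal.rstrip("!")


def mirror(conn, psk):
    """Build the peer's view of the tunnel: the firewall's left is our remote."""
    version = {"ikev1": 1, "ikev2": 2}.get(conn.get("keyexchange", "ike"), 0)
    return {
        "version": version,
        "local_addrs": conn["right"],
        "remote_addrs": conn["left"],
        "local_id": conn.get("rightid", conn["right"]),
        "remote_id": conn.get("leftid", conn["left"]),
        "local_ts": conn["rightsubnet"],
        "remote_ts": conn["leftsubnet"],
        # proposals must match the firewall exactly or IKE fails with NO_PROPOSAL_CHOSEN
        "proposals": strip_strict(conn["ike"]),
        "esp_proposals": strip_strict(conn["esp"]),
        "auth": "psk" if conn.get("authby") == "secret" else "pubkey",
        "rekey_time": conn.get("ikelifetime", "3h"),       # IKE_SA lifetime
        "child_rekey_time": conn.get("lifetime", "1h"),    # CHILD_SA lifetime
        # auto=start makes this side initiate, which is what a NAT'd peer needs
        "start_action": {"start": "start", "route": "trap"}.get(conn.get("auto"), "none"),
        "dpd_action": conn.get("dpdaction", "none"),
        "dpd_delay": conn.get("dpddelay", "30") + "s",
        "psk": psk,
    }


def render_swanctl(name, m):
    """Emit the swanctl.conf connection and its PSK as a single string."""
    return f"""connections {{
  {name} {{
    version = {m['version']}
    local_addrs = {m['local_addrs']}
    remote_addrs = {m['remote_addrs']}
    proposals = {m['proposals']}
    rekey_time = {m['rekey_time']}
    dpd_delay = {m['dpd_delay']}
    local {{
      auth = {m['auth']}
      id = {m['local_id']}
    }}
    remote {{
      auth = {m['auth']}
      id = {m['remote_id']}
    }}
    children {{
      net {{
        local_ts = {m['local_ts']}
        remote_ts = {m['remote_ts']}
        esp_proposals = {m['esp_proposals']}
        rekey_time = {m['child_rekey_time']}
        start_action = {m['start_action']}
        dpd_action = {m['dpd_action']}
      }}
    }}
  }}
}}
secrets {{
  ike-{name} {{
    id-1 = {m['local_id']}
    id-2 = {m['remote_id']}
    secret = "{m['psk']}"
  }}
}}
"""


if __name__ == "__main__":
    c = parse_conn(SAMPLE_IPSEC_CONF, "hq_to_branch")
    print(render_swanctl("hq_to_branch", mirror(c, "replace-with-real-psk")))
```

On the Ubuntu side, write the output to a file under /etc/swanctl/conf.d/, run `swanctl --load-all`, then `swanctl --list-sas` to confirm the CHILD_SA is installed; if the IKE or ESP proposal strings differ from the firewall's in any term, the negotiation fails rather than falling back, which is why the script copies them verbatim instead of picking its own.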

  • Thank you for following up... I'm a bit frustrated with the news. After I posted, I did notice that the Sophos TAP adapter link speed is set to 100 Mbps, so I figured this would be the eventual outcome.

    To spec out 1500 Mbps VPN speeds without a GIANT * that it's site-to-site only, with bubblegum and duct tape, is dumbfounding. Guess I'm crazy for thinking that with such a VAST difference between S2S and C2S speeds, the specs would be noted separately.

    Unreal... with my office likely going 90% remote, I'll have to look elsewhere when licensing comes up for renewal.

    Thanks again!

  • The question is, what kind of solution will be faster?
    Looking into the OpenVPN docs: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

    Most performance values use an MTU > 1500, which is unrealistic for a VPN WAN solution.

    I looked into this in more detail, and even OpenVPN, which is the basis of most VPN solutions on the market, is not achieving much more.

    You find things like this: https://community.openvpn.net/openvpn/wiki/PerformanceTestingOpenVPN - but they are also using a huge MTU within AWS.

  • Thank you for pointing this fact out; it is what I wish had been pointed out in the docs (the * I was talking about).
    OpenVPN is capped @ 85 Mbps, and again, that is what I figured after noticing the link speed on the adapter...

    As for what's faster, WireGuard seems to be the first option. It is notably faster but has its drawbacks, and from what I can see it's harder to update/maintain should an issue arise. Then again, the Sophos client is currently on OpenVPN version 2.5.6, which was released in 2022, so that's a wash?

    So, thanks again for your response. I'll have a look at moving some users to an S2S VPN and some to C2S with split tunnel to mitigate the screams and moaning. This really seems like the solution, other than rolling a lesser solution or trying to get a WireGuard server up behind the XGS. With a WireGuard server in the mix, much of the awesome features of the XGS platform would be neutered, and any issues would only be able to be traced back to the server, right?

    Cheers!