

Sophos XGS 136W - Super Slow VPN Performance 1/10th to 1/50th Actual Speed.

Hi Sophos Community Team,

I have a Sophos XGS 136W.

Latest OS + fixes, including the SSD fix (that wasn't a fun update, FYI).

I am currently experiencing very slow VPN performance: bare iperf speed is 500-900 Mbps, while Sophos VPN speed between the Sophos XGS 136W and a

OpenVPN - UDP - no compression is barely 50 Mbps.

Has anyone got any solutions to help get the speed up to something closer to the spec sheet value?

I also suffered an outage when the load average on this device went to 1260. This was resolved with a restart, but there was no actual answer as to why, just that the snort process was using up all the CPU.

I have gotten no answers from Sophos after a week, and the only suggestions were turning bits of the firewall off and reducing the cores allocated to specific services. Not really much use, given I need a firewall, not a passthrough device.

Sophos CaseID: 07200288

OpenVPN version : - OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022



  • Thank you for following up... I'm a bit frustrated with the news. After I posted, I did notice that the Sophos TAP adapter link speed is set to 100 Mbps, so I figured this would be the eventual outcome.

    To spec out 1500 Mbps VPN speeds without a GIANT * that it's site-to-site only, with bubblegum and duct tape, is dumbfounding. Guess I'm crazy for thinking that, with such a VAST difference between S2S and C2S speeds, the specs would be noted separately.

    Unreal... with my office likely going 90% remote, I'll have to look elsewhere when licensing comes up for renewal.

    Thanks again!

  • The question is, what kind of solution will be faster?
    Looking into the OpenVPN docs: https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

    Most performance values use an MTU > 1500, which is unrealistic for a VPN WAN solution.

    I looked into this in more detail, and even OpenVPN, which is the basis of most VPN solutions on the market, is not achieving much more.

    You find things like this: https://community.openvpn.net/openvpn/wiki/PerformanceTestingOpenVPN But they are also using a huge MTU within AWS.

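The MTU point above is easiest to see with numbers. The script below is an added example, not code from the thread or from Sophos/OpenVPN: it models OpenVPN UDP data-channel framing for an AEAD cipher (approximate per-packet overhead is an assumption stated in the code), infers from a measured goodput how many packets per second the VPN process was handling, and predicts what the same packet rate would deliver at the jumbo MTUs used in the linked benchmarks. It assumes the process is packet-rate bound, which is the usual reason single-threaded OpenVPN throughput scales with MTU. The iperf3 JSON fragments are constructed, not real captures; the `-J` field path is the one iperf3 emits for a TCP run.

```python
"""Why OpenVPN goodput tracks MTU when the process is per-packet bound.

Added example for this thread, not vendor or project code. Overhead figures
are the approximate OpenVPN UDP data-channel framing for an AEAD cipher
such as AES-GCM: outer IPv4 + UDP + opcode/key-id + packet-id + 16-byte tag
(assumption; exact framing depends on the negotiated options).
"""
import json

IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20
OPENVPN_AEAD_FRAMING = 1 + 4 + 16  # opcode/key-id, packet-id, GCM tag (approx.)


def tcp_payload_per_packet(tun_mtu: int) -> int:
    """Application bytes carried by one full-size inner IPv4/TCP segment."""
    return tun_mtu - IPV4_HDR - TCP_HDR


def wire_bytes_per_packet(tun_mtu: int) -> int:
    """Bytes on the physical link for one inner packet after UDP encapsulation."""
    return tun_mtu + OPENVPN_AEAD_FRAMING + UDP_HDR + IPV4_HDR


def encapsulation_efficiency(tun_mtu: int) -> float:
    """Share of wire bytes that is application data (framing cost is small)."""
    return tcp_payload_per_packet(tun_mtu) / wire_bytes_per_packet(tun_mtu)


def packets_per_second(goodput_bps: float, tun_mtu: int) -> float:
    """Inner packets/sec the VPN process had to encrypt to deliver goodput_bps."""
    return goodput_bps / 8 / tcp_payload_per_packet(tun_mtu)


def predicted_goodput_bps(pps: float, tun_mtu: int) -> float:
    """Goodput if the process stays packet-rate bound at pps, whatever the MTU."""
    return pps * tcp_payload_per_packet(tun_mtu) * 8


def iperf3_bps(report_json: str) -> float:
    """Receiver-side bits/sec from an `iperf3 -J` TCP report."""
    return json.loads(report_json)["end"]["sum_received"]["bits_per_second"]


def slowdown_ratio(bare_json: str, tunnel_json: str) -> float:
    """How many times slower the tunnel run was than the bare run."""
    return iperf3_bps(bare_json) / iperf3_bps(tunnel_json)


# Constructed `iperf3 -J` summaries trimmed to the fields used; not real runs.
BARE_REPORT = json.dumps({"end": {"sum_received": {"bits_per_second": 700e6}}})
TUNNEL_REPORT = json.dumps({"end": {"sum_received": {"bits_per_second": 50e6}}})


def main() -> None:
    ratio = slowdown_ratio(BARE_REPORT, TUNNEL_REPORT)
    print(f"tunnel is {ratio:.0f}x slower than bare link")

    tun_mtu = 1500
    pps = packets_per_second(iperf3_bps(TUNNEL_REPORT), tun_mtu)
    print(f"at MTU {tun_mtu}: {pps:.0f} pkt/s, "
          f"efficiency {encapsulation_efficiency(tun_mtu):.1%}")

    # Same packet rate at the jumbo MTUs the OpenVPN wiki benchmarks use.
    for jumbo in (6000, 9000):
        mbps = predicted_goodput_bps(pps, jumbo) / 1e6
        print(f"same pkt/s at MTU {jumbo}: ~{mbps:.0f} Mbps goodput")


if __name__ == "__main__":
    main()
```

Framing overhead on its own costs only a few percent, so the 1/10th-to-1/50th gap is not explained by encapsulation; the packets-per-second view is what reconciles a ~50 Mbps result at a WAN-realistic MTU with the several-hundred-Mbps figures measured at MTU 9000.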

  • Thank you for pointing this fact out; it is what I wish had been pointed out in the docs (the * I was talking about).
    OpenVPN is capped @ 85 Mbps, which again is what I figured after noticing the link speed on the adapter...

    As for what's faster, WireGuard seems to be the first option. It is notably faster but has its drawbacks, and from what I can see it's harder to update/maintain should an issue arise. Then again, the Sophos client is currently on OpenVPN version 2.5.6, which was released in 2022, so that's a wash?

    So, thanks again for your response. I'll have a look at moving some users to an S2S VPN and some to C2S with split tunnel to mitigate the screams and moaning. This really seems like the solution, other than rolling a lesser solution or trying to get a WireGuard server up behind the XGS. With a WireGuard server in the mix, much of the awesome features of the XGS platform would be neutered, and any issues would only be traceable back to the server, right?

    Cheers!

  • Just curious; have you tried using the SSL VPN in UDP mode (instead of TCP)?

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner


  • I did some comparative tests. If I run a pure software VPN between servers I get much more bandwidth, but these are two 128-core AMD EPYC monsters. We are talking 250-300 Mbps.

    I feel the docs don't state it because it's just an aggregate bandwidth they provide as the spec sheet VPN throughput. To be fair, I feel it should have a table of throughput vs. number of clients to show that this is a theoretical max and that the slicing of total throughput is not linear between 1 and n clients.

    The Sophos engineers, even when trying to stack the iperf test in their favour (UDP, weaker ciphers, MTU tuning), never got above 100 Mbps. strongSwan IPsec was doing 900 Mbps on day 1, with no tuning, using strong ciphers.

    I guess it'd be nice to have a reference to that document LuCar Toni pointed out (thanks, LuCar) to ensure people don't expect too much; this was not known or shared by the Sophos engineers. But a little bit of me does question how the other devices compare. Maybe it would be a great way to see how the various vendors in this space do against this upper speed limit.