

Sophos XGS 136W - Super Slow VPN Performance 1/10th to 1/50th Actual Speed.

Hi Sophos Community Team,

I have a Sophos XGS 136W.

Latest OS + fixes, including the SSD fix (that wasn't a fun update, FYI).

I am currently experiencing very slow VPN performance: bare iperf speed is 500-900 Mbps, and Sophos VPN speed between the Sophos XGS 136W and an OpenVPN (UDP, no compression) peer is barely 50 Mbps.

Anyone got any solutions to help get the speed up to something closer to the spec sheet value?

I also suffered an outage as load averages on this device went to 1260. This was resolved with a restart, but with no actual answer as to why, just that the snort process was using up all the CPU.

I have gotten no answers from Sophos after a week, and the only suggestions were turning bits of the firewall off and reducing the cores allocated to specific services. Not really much use, given I need a firewall, not a passthrough device.

Sophos CaseID: 07200288

OpenVPN version: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022



  • As I showed multiple times, I can easily reach higher speeds. Others can too. This means there is somehow something special here.

    So let's revisit your part: "If I iperf via a local address, forcing the system to use a VPN that the remote system has connected to, I get 10-40 Mbps."

    Can you exactly describe what you are doing here? How do you reroute the traffic here?

    Where is the system from the viewpoint of SFOS? In the WAN?
    If you connect to the appliance via SSLVPN, what kind of MTU does the client use?
    What MTU do you use on the WAN from your ISP?


  • Your team has full tcpdumps for this, from the firewall and from the Linux iperf server side, twice. Can you ask them to let you look at these? Also ifconfig dumps showing all MTUs.

    The WAN is MTU = 1500, MSS = 1460 (from the network section of the firewall). I don't connect directly, so I trust your software UI to report it correctly.

    On the VPN, via Wireshark on those tcpdumps you have: MSS = 1460. I don't know how to get the MTU from Wireshark (is it even possible?). However, ifconfig on the VPN side shows 1500 on the VPN tun0 link. Again, these have been provided twice already to support engineers.

    ... not much else I can turn off on this thing; it's running at < 10% CPU now.
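The MTU questions above and the figures given in this reply (WAN MTU 1500, tun0 MTU 1500, MSS 1460 inside the tunnel, iperf direct vs. through the tunnel) are the kind of thing a short script can sanity-check. The following is an added example, not code from the thread or from Sophos. It computes an assumed OpenVPN/UDP encapsulation overhead (IPv4, AES-256-GCM data channel, P_DATA_V2 framing; the byte counts are assumptions and should be adjusted for the actual cipher/auth settings), checks whether a full-size tun packet still fits inside the WAN MTU, pulls the Mbit/s figure out of iperf summary lines (constructed here to mirror the two runs posted in this thread), and includes a `ping -M do` binary search for the path MTU (Linux iputils ping, network-dependent, so it only runs when a host is passed on the command line).

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code). Checks the two things the
# MTU questions above are getting at: does a full-size tun packet still fit in
# the WAN MTU after OpenVPN/UDP encapsulation, and how much slower is the tunnel
# than the direct path in the iperf summaries. The overhead breakdown is an
# assumption for OpenVPN over IPv4/UDP with an AEAD (AES-256-GCM) data channel
# and P_DATA_V2 framing; adjust it for your own cipher/auth settings.

# Per-packet encapsulation overhead in bytes (assumed breakdown):
#   outer IPv4 header 20 + UDP header 8 + OpenVPN opcode/peer-id 4
#   + packet-id 4 + AEAD auth tag 16
ovpn_udp_overhead() {
    echo $((20 + 8 + 4 + 4 + 16))
}

# Largest inner (tun) packet that fits in one WAN packet without IP fragmentation.
max_inner_mtu() {               # $1 = WAN MTU, $2 = overhead
    echo $(($1 - $2))
}

# TCP MSS that keeps an inner segment within that inner MTU (IPv4 20 + TCP 20).
safe_mss() {                    # $1 = inner MTU
    echo $(($1 - 40))
}

# Exit status 0 when tun MTU + overhead <= WAN MTU, 1 when outer packets would fragment.
fits_without_fragmenting() {    # $1 = tun MTU, $2 = WAN MTU, $3 = overhead
    [ $(($1 + $3)) -le "$2" ]
}

# Pull the Mbit/s figure out of an iperf client summary line read from stdin.
iperf_mbps() {
    awk '/Mbits\/sec/ { print $(NF-1) }' | tail -n 1
}

# direct / tunnel, one decimal place.
slowdown_ratio() {              # $1 = direct Mbit/s, $2 = tunnel Mbit/s
    awk -v d="$1" -v t="$2" 'BEGIN { printf "%.1f", d / t }'
}

# Path MTU by binary search on ICMP payload size with DF set (Linux iputils ping, -M do).
# Assumes payload $2 passes and $3 fails. Network-dependent: only run on demand.
probe_pmtu() {                  # $1 = host, $2 = low payload, $3 = high payload
    lo=$2; hi=$3
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if ping -c 1 -W 1 -M do -s "$mid" "$1" >/dev/null 2>&1; then lo=$mid; else hi=$mid; fi
    done
    echo $((lo + 28))           # payload + ICMP header 8 + IPv4 header 20
}

# Figures from the thread: WAN MTU 1500 and tun0 MTU 1500.
WAN_MTU=1500; TUN_MTU=1500
OVH=$(ovpn_udp_overhead)
INNER=$(max_inner_mtu "$WAN_MTU" "$OVH")
echo "overhead $OVH bytes: max inner MTU $INNER, safe TCP MSS $(safe_mss "$INNER")"
if fits_without_fragmenting "$TUN_MTU" "$WAN_MTU" "$OVH"; then
    echo "tun MTU $TUN_MTU fits inside WAN MTU $WAN_MTU"
else
    echo "tun MTU $TUN_MTU + $OVH overhead exceeds WAN MTU $WAN_MTU: outer UDP packets will fragment"
fi

# Constructed iperf summary lines mirroring the thread's two runs (direct, then via the tunnel).
direct=$(printf '[  3]  0.0-10.0 sec   934 MBytes   783 Mbits/sec\n' | iperf_mbps)
tunnel=$(printf '[  3]  0.0-10.3 sec  42.5 MBytes  34.6 Mbits/sec\n' | iperf_mbps)
echo "direct $direct Mbit/s vs tunnel $tunnel Mbit/s: $(slowdown_ratio "$direct" "$tunnel")x slower"

if [ -n "${1:-}" ]; then
    echo "path MTU towards $1: $(probe_pmtu "$1" 1000 1500)"
fi
```

With the thread's numbers this reports that a 1500-byte tun packet plus 52 bytes of overhead cannot fit in a 1500-byte WAN packet, and that the tunnel run is about 22.6x slower than the direct run. OpenVPN's `--mssfix` (default 1450 in 2.4.x) exists precisely to clamp the inner TCP MSS so encapsulated segments fit; an MSS seen inside the tunnel is worth comparing against that setting, and the path MTU probe run against a host behind the tunnel versus the WAN peer shows whether something on the path is already forcing a smaller size.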

  • XXXXXXXXXX:~$ iperf -c 172.16.XX.XX -p 5210
    ------------------------------------------------------------
    Client connecting to 172.16.XX.XX, TCP port 5210
    TCP window size: 45.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 10.81.XX.XX port 59592 connected with 172.16.XX.XX port 5210
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.3 sec  42.5 MBytes  34.6 Mbits/sec

    XXXXXXXXXX:~$ iperf -c 103.XX.XX.XX -p 5210
    ------------------------------------------------------------
    Client connecting to 103.XX.XX.XX, TCP port 5210
    TCP window size: 45.0 KByte (default)
    ------------------------------------------------------------
    [  3] local 51.XX.XX.XX port 51098 connected with 103.XX.XX.XX port 5210
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec   934 MBytes   783 Mbits/sec

    172 = local subnet, 10.81 = VPN subnet, 103 = fibre connection, 51 = public server's IP address.

    So we are looking at a 20x speed decrease, and this is with most features on the firewall being off. CPU < 20%.

    Still a production issue causing outages.

    Can this be escalated to the development team to see what is going on? It's clearly the firewall.

  • Sorry for the confusion here. I am not a support employee and I do not have access to the support department. I am just here in my free time to help customers and home users.

    So I'll let you communicate with the support department directly.


  • Hello,

    To update the community, this is currently being investigated by DEV under NCL-1809.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Just an update for all.

    The team at Sophos have been able to recreate it, so it appears to be a genuine bug/problem with the firewall product.

    The developer in me would recommend they have each of the Sophos XGS products running a simple setup, with VPNs and other obvious features, and track performance changes as they update SFOS versions, to track changes over time or general performance trends. When they see a major drop, like 1/10th of actual speeds, maybe take a looky?

    A bit like continuous integration, but for hardware + software products. You really don't want a client having to contact the CEO to tell them your product isn't working on such a basic level, worse still to be proven right.

    Sophos has a market value of US$3.9 billion and approx. 4,400 employees. I assume someone in the org suggested this? It seems pretty basic; my one-man company does this to ensure changes don't impact performance trends on my SaaS product for my clients.

    Looking forward to this week's updates.

  • Thanks for all your help. Sorry, I didn't realise you weren't part of Sophos. Many thanks for the suggestions.

    It seems dev have reproduced it on their side, so it seems like a real bug, tracked under NCL-1809.

  • I am working for Sophos, but not for Development / Support; instead I am working as a Sales Engineer.

    So I did some research on my own about this topic and would like to know just some information about it (for me):
    What was the throughput before you noticed this problem? Because the load problem is not related to VPN, right? You are saying the load is sometimes high, but the VPN performance is bad in general. The load issue is handled by the other case.

    Do you have the throughput numbers from before you faced the problem?

    And another thought about iperf in general: iperf3 -c means it will upload data to the iperf3 -s side.
    This could be important for your test, as this can generate different results.

    I found some older threads about SSLVPN performance, and other users could give some example numbers for SSLVPN as well. Because generally speaking, we do not see any kind of feedback of "bad performance" since v19.5 MR2.
    Reviewing the feedback threads:

     Sophos Firewall: v19.5 MR3: Feedback and experiences

     Sophos Firewall: v20.0 GA: Feedback and experiences
     


  • Have you heard anything further on this issue? I have an XG125 rev3 on v20 GA with 500/500 fiber at the office and 1000/1000 fiber at home. I've gone through all the troubleshooting steps without any success.
    IPsec Remote Access VPN:  0.00-10.00 sec  26.2 MBytes  22.0 Mbits/sec
    SSL VPN manages to get:   0.00-10.00 sec  73.2 MBytes  69.0 Mbits/sec

  • Hi,

    So basically, after a lot of back and forth, the outcome was that the SSL VPN and IPsec Remote Access options were very slow; they just are. They can hit very large aggregate throughputs, but via a single connection not much better than the numbers you have quoted.

    Switching to just IPsec via strongSwan on Ubuntu, doing a site-to-site connection, got me back to wire speeds. It's a massive pain to set up, but you can set up the whole IPsec SD routes so you can have primary and secondary connections, and also set them to initiate so they can be behind NAT'd networks like a 4G backup. I have a 1 Gbps fibre + 5G NAT'd connection as my secondary.

    All up, Sophos got me going again via IPsec. I get approx. 700-800 Mbps from a 1 Gbps link.

    You'll probably want to log in to SSH on your Sophos router; you'll want to cat out the IPsec configs and secrets to help you configure the other side, and you'll need to match the protocols for the IKE protocol, cipher and key exchange stuff. It's fiddly as, so maybe call up Sophos and ask for some support.

    In the end it's worth it. I got up and running again, and to be fair the IPsec failover stuff works better than the remote VPN failover.

    Hope that helps.
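As an added example, not the poster's configuration and not anything from Sophos, here is the shape of the strongSwan side of what the post above describes: two IKEv2 tunnels from an Ubuntu host to one Sophos Firewall, one over fibre and one over a NAT'd 5G uplink, both initiated from the Ubuntu side so the NAT'd uplink needs no inbound ports, each bound to its own xfrm interface with routes whose metrics make fibre primary and 5G the fallback. It assumes the Sophos end is a route-based IPsec connection steered by SD-WAN routes (my reading of the post's "IPSEC SD Routes"). Every address, identity and the PSK below is a placeholder, and the cipher proposal is an assumption: the IKE and ESP proposals must be copied from the IPsec policy applied to the tunnel on the Sophos side, which is the matching the post warns is fiddly.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): route-based strongSwan
# (swanctl) site-to-site setup on Ubuntu with two IKEv2 tunnels to one Sophos
# Firewall, a primary over fibre and a secondary over a NAT'd 5G uplink, both
# initiated from this side so the NAT'd uplink needs no inbound ports.
# Every address, identity and the PSK below is a placeholder. PROPOSAL is an
# assumption: copy IKE and ESP settings from the IPsec policy applied to the
# tunnel on the Sophos side, or IKE_SA_INIT fails with NO_PROPOSAL_CHOSEN.
set -eu

SOPHOS_WAN=203.0.113.10           # Sophos WAN address (placeholder)
SOPHOS_LAN=172.16.0.0/24          # network behind the Sophos (placeholder)
FIBRE_LOCAL=198.51.100.20         # public IP on eth0 (placeholder)
MOBILE_LOCAL=192.168.8.2          # private IP on wwan0, behind the 5G modem's NAT (placeholder)
PROPOSAL=aes256-sha256-modp2048   # assumption, must match the Sophos IPsec policy

# One IKE connection per uplink; each child is bound to its own xfrm interface
# through if_id, so both can carry 0.0.0.0/0 selectors without colliding.
conn_block() {                    # $1 = name, $2 = local addr, $3 = local ID, $4 = if_id
    cat <<EOF
    $1 {
        version = 2
        local_addrs = $2
        remote_addrs = $SOPHOS_WAN
        local {
            auth = psk
            id = $3
        }
        remote {
            auth = psk
            id = $SOPHOS_WAN
        }
        proposals = $PROPOSAL
        dpd_delay = 10s
        keyingtries = 0
        children {
            lan {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = $PROPOSAL
                if_id_in = $4
                if_id_out = $4
                start_action = start
                dpd_action = restart
                close_action = start
            }
        }
    }
EOF
}

# Write the complete swanctl.conf (connections + the shared PSK) to $1.
write_swanctl_conf() {            # $1 = output path
    {
        echo "connections {"
        conn_block sophos-fibre "$FIBRE_LOCAL"  site-b-fibre.example.com 1
        conn_block sophos-5g    "$MOBILE_LOCAL" site-b-5g.example.com    2
        echo "}"
        cat <<EOF
secrets {
    ike-sophos {
        id-1 = site-b-fibre.example.com
        id-2 = site-b-5g.example.com
        id-3 = $SOPHOS_WAN
        secret = "replace-with-the-psk-configured-on-the-sophos-side"
    }
}
EOF
    } > "$1"
}

# Commands for one xfrm interface and the route that steers LAN traffic into it.
# Lower metric wins: fibre (100) is primary, 5G (200) is the fallback.
xfrm_commands() {                 # $1 = iface, $2 = if_id, $3 = underlay dev, $4 = metric
    printf 'ip link add %s type xfrm dev %s if_id %s\n' "$1" "$3" "$2"
    printf 'ip link set %s up\n' "$1"
    printf 'ip route add %s dev %s metric %s\n' "$SOPHOS_LAN" "$1" "$4"
}

apply() {                         # run as root
    write_swanctl_conf /etc/swanctl/conf.d/sophos.conf
    xfrm_commands ipsec0 1 eth0  100 | sh -e
    xfrm_commands ipsec1 2 wwan0 200 | sh -e
    swanctl --load-all
    swanctl --list-sas
}

case "${1:-show}" in
    apply) apply ;;
    *)     write_swanctl_conf /dev/stdout
           xfrm_commands ipsec0 1 eth0  100
           xfrm_commands ipsec1 2 wwan0 200 ;;
esac
```

Run it without arguments to print the generated config and commands; `sudo ./sophos-ipsec.sh apply` writes the file under /etc/swanctl/conf.d (the stock Ubuntu swanctl.conf includes that directory), creates the interfaces and loads the config. Because both children use 0.0.0.0/0 selectors, the if_id values are what keep the two tunnels' traffic apart. The local IDs are FQDN-style rather than addresses so the Sophos can match the 5G peer regardless of the NAT'd source address, and the Sophos side must use the same ID type and value. Failing over on the Linux side still needs the route through a dead tunnel to be withdrawn; the child's `updown` script hook is the place for that and is not shown here. `swanctl --list-sas` after `apply` shows whether the 5G tunnel came up with UDP encapsulation.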