SSL VPN Performance is horrible using TCP or UDP

We have 2 XG330 in HA, a 300Mbit connection and are using the SFOS 20.0.0 GA-Build222 firmware with Sophos Connect.

Using the SSL VPN with UDP we are seeing speeds of 3.6Mbit down and 6.9Mbit up.  The Client has 100Mbit.

I've read a lot of different threads here regarding this issue, most of them are older than 2 years and most of them do not have an acceptable answer to this problem other than to switch the people who need a faster connection to IPSEC.

If anyone has any ideas I'll be glad to hear them.

  • Hi   - Without setting up the SSL VPN tunnel between the client and the XG, can you configure a DNAT rule on the XGS and do the perf test (you can use iperf) to the server behind the XGS and check what speed we are getting?

    With this test - we will confirm, with the path being the same, what's the difference in throughput, with and without tunnel.
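One way to run the comparison described above and get comparable numbers from both paths. This is an added example, not code from the thread or from Sophos; it assumes iperf3 on the client, an iperf3 server behind the firewall reachable directly through a DNAT rule on the WAN address and through the tunnel on its LAN address, and the two host names below are placeholders.

```python
"""Compare iperf3 throughput to the same server with and without the SSL VPN.

Added example, not from the thread. Assumes iperf3 is installed on the client
and an iperf3 server listens behind the firewall, reachable directly via a
DNAT rule on the WAN address and through the tunnel on its LAN address."""
import json
import subprocess

DIRECT_HOST = "vpn-gw.example.com"   # placeholder: WAN address, DNAT to the iperf3 server
TUNNEL_HOST = "10.0.0.10"            # placeholder: server's LAN address, reached via SSL VPN


def summarize(result: dict) -> dict:
    """Reduce an `iperf3 -J` result to Mbit/s (plus loss and jitter for UDP)."""
    end = result["end"]
    if "sum_sent" in end:                      # TCP: sender and receiver totals
        return {"proto": "tcp",
                "send_mbit": end["sum_sent"]["bits_per_second"] / 1e6,
                "recv_mbit": end["sum_received"]["bits_per_second"] / 1e6}
    udp = end["sum"]                           # UDP: one summary with loss and jitter
    return {"proto": "udp",
            "send_mbit": udp["bits_per_second"] / 1e6,
            "loss_pct": udp["lost_percent"],
            "jitter_ms": udp["jitter_ms"]}


def run_iperf(host: str, udp: bool = False, seconds: int = 10) -> dict:
    """Run one iperf3 client test against `host` and summarize its JSON output."""
    cmd = ["iperf3", "-J", "-c", host, "-t", str(seconds)]
    if udp:
        cmd += ["-u", "-b", "0"]               # UDP at unlimited rate
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return summarize(json.loads(out))


def tunnel_ratio(direct: dict, tunnel: dict) -> float:
    """Fraction of the direct send rate that survives the tunnel (1.0 = no penalty)."""
    return tunnel["send_mbit"] / direct["send_mbit"]


if __name__ == "__main__":
    for udp in (False, True):
        direct = run_iperf(DIRECT_HOST, udp)
        tunnel = run_iperf(TUNNEL_HOST, udp)
        print(direct["proto"], f"direct={direct['send_mbit']:.1f} Mbit/s",
              f"tunnel={tunnel['send_mbit']:.1f} Mbit/s",
              f"ratio={tunnel_ratio(direct, tunnel):.2f}")
```

A ratio close to 1.0 points at the client's link or the ISP path rather than the tunnel; a ratio as low as the figures in the opening post points at the tunnel itself.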

  • Hello Shawn,

    this sounds like an MTU problem to me on either both links or at least one of them.

    Normally, IPsec tunnels are more likely to have this kind of problem, but we should check this.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
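A way to check the MTU suspicion raised above by measuring the largest packet that crosses each path without fragmentation, first on the raw WAN path and then inside the tunnel. This is an added example, not code from the thread; it assumes a Linux client with iputils `ping` (`-M do` sets the Don't-Fragment bit; other ping variants use different flags), and the target addresses are placeholders.

```python
"""Probe the path MTU with DF-marked ICMP echoes, outside and inside the tunnel.

Added example, not from the thread. Assumes Linux iputils `ping`; the probe
logic itself is independent of the transport and is what the test exercises."""
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28          # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(target: str, payload: int) -> bool:
    """True if a single Don't-Fragment echo with `payload` bytes gets a reply."""
    r = subprocess.run(["ping", "-M", "do", "-c", "1", "-W", "1",
                        "-s", str(payload), target], capture_output=True)
    return r.returncode == 0


def max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload for which `probe` succeeds.

    `hi` defaults to 1472 (1500-byte Ethernet MTU minus the 28-byte overhead).
    Returns -1 if even the smallest probe fails (target unreachable)."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid               # still fits: search upwards
        else:
            hi = mid - 1           # too big: search downwards
    return lo


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Largest unfragmented IP packet size on the path, or -1 if unreachable."""
    best = max_payload(probe)
    return -1 if best < 0 else best + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # placeholders: the firewall's WAN address, then a LAN host reached via the tunnel
    for label, target in (("WAN", "vpn-gw.example.com"), ("tunnel", "10.0.0.10")):
        print(f"{label}: path MTU {path_mtu(lambda n, t=target: ping_df(t, n))}")
```

If the in-tunnel result comes out below the tunnel MTU configured on the firewall, packets of that configured size are being fragmented or dropped somewhere on the path.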

    • The VPN is set to 1300 on both ends

      • OK, this sounds good. We should exclude that as a possible reason.

        Did you by chance enable "compression" in SSL global settings?

        Philipp Rusch

        • Yes it is on. We were told not to turn it off.

          • OK, we found it.

            You should turn it off definitely.

            Philipp Rusch

            • And, while working on this, you should check the debug setting to be turned off, as well.

              Philipp Rusch

              • Debug is off, so I guess this means all the users will need to download a new profile again...

                • I have to wait until we have tested this before I can Verify it as an Answer. I hope it works :-)

                  • Changing the Debug Mode setting should not result in a need to download a new profile; changing the compression setting will (and I agree with the others, turn that off).

                    CTO, Convergent Information Security Solutions, LLC

                    https://www.convergesecurity.com

                    Sophos Platinum Partner

                    --------------------------------------

                    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

                    • compression is now off, no change in performance at all.  Do I need to reboot the firewalls?

                      • I'm starting to think we should try IPSEC for the users who need it, I've read that it is faster than the SSL.

                        • No reboot should be needed.

                          You have an interesting problem there, and I haven't seen a speed issue like this in a while.  Though in the recesses of my mind, I recall a couple of scenarios:

                          1)  The WAN link on the firewall had a speed / duplex mismatch with the ISP gear -- granted I have not seen this in many moons but I have before.  Causes strange behavior.

                          2)  I don't see it mentioned here -- have you disabled UDP flood protection?  That can cause issues with UDP streams.

                          3)  Also, haven't seen it here, have you tried testing, say, from a directly connected link?  There could be some throttling happening at your ISP, the client's ISP, or in between, of that traffic.  You can try a different port, etc.

                          Of course trying IPSEC may work as well -- but more "free" Wi-Fi connections block that usage than others.

                          CTO, Convergent Information Security Solutions, LLC