XGS2100 Throughput

Hello, 

I have two sites configured with HA XG2100 firewalls. At both sites, 1GbE Port2 is the WAN connection; this is a 100/100 circuit and typical usage is around 30%. 1GbE Port 6 is an MPLS L2 1Gbps circuit that connects both sites. All LAN traffic is handled via a 2-port SFP+ 10GB fiber module. Routing between both sites is with static routes. There are a number of firewall rules on the MPLS circuit but no IPS/advanced services; throttling has been removed for testing.

When the MPLS circuit is fully utilised, typically with offsite backups, there are performance issues with our WAN connection: ping is regularly over 100ms, and if the backup job is stopped, ping is around 7ms. This has caused issues with the VoIP services I am hosting.

I have spoken with Sophos support and they advised that 100% utilisation of an interface would cause disruption of other interfaces due to queuing/buffers and advised me to throttle the connection. There are no issues with CPU/memory usage. When throttling the connection at 75% with a traffic shaping rule, there are no WAN issues.

I am surprised that traffic on one interface can have such a noticeable impact on WAN connectivity. I don't see any issues when the 2-port SFP+ 10GB fiber module is routing traffic beyond Gigabit speeds between LANs.

Is the XGS2100 hardware the cause of these issues? The specification for this device is 16,500 Mbps Firewall IMIX throughput.

Is there a 1000Base-T SFP module available for the XGS2100, and would using this improve performance?

Are there any troubleshooting steps that you can suggest?

Or is it generally good practice to avoid 100% utilisation even when other system activity is low, overnight backups etc.?

Thanks 



This thread was automatically locked due to age.
  • Hi DDL,

    Thank you for reaching out to Sophos Community.

    Would it be possible to share the case ID for further checking? Thank you.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Does anyone have any suggestions?

  • Hi,

    As a best practice, 100% network interface utilization, or saturation of one interface, must be avoided.

    Always leave some room for any burst traffic to avoid performance degradation. High traffic loads can cause unexpected spikes.

    Upon checking the case notes:

    • Noticed that when transferring large files, the interface bandwidth was utilized completely.
    • This led to the other traffic getting queued.

    As noted, throttling to 75% solves the problem.

    For recommendations/troubleshooting:

    As done, implementing traffic shaping/QoS rules can help prioritize critical traffic and avoid congestion issues.

    • Scheduling high-traffic tasks like backups during off-peak hours will help.
    • Use monitoring tools to analyze traffic patterns and look for congestion points. This will also give us insights into any potential issues.
    • Connect back to support for any additional queries related to the issue as coordinated with your case handler.
    • As my 2 cents, this would be the ideal maximum theoretical capacity for the throughput specification. However, this can be affected by various factors, including how traffic is distributed across interfaces and how the high load/traffic is being managed. I recommend reaching out to your AM/Sales Partner for Network Optimization.

    Erick Jan
    Community Support Engineer | Sophos Technical Support