Site-to-Site IPSEC Extremely Slow

I have an IPSEC tunnel established between two sites that are within 30ft of each other (the buildings are next door). Both sites get 100Mbps down / 10 Mbps up. I set up an IPSEC tunnel between both sites using the default configuration of DefaultHeadOffice and DefaultBranchOffice in the IPSEC settings. I have policies allowing LAN to VPN and VPN to LAN. Everything is all pretty basic.

Once I set up the tunnel, I tried to do a simple file transfer of one 20MB file between a branch workstation and a server at Head Office. It transferred the file at a speed of 0.7Mbps. Considering both sites get 10Mbps upload, and given some overhead for the VPN tunnel, I would expect the speeds to be at least 7 or 8 Mbps, not 0.7... Does anyone else have any experiences of insanely slow site-to-site IPSEC tunnels or have any recommendations?

The Head Office has an XG125 and remote office has an XG105 running MR2.  Both are at 50% memory usage and between 0-10% CPU usage.



  • Hi John,

    This command will not work on anything other than a Software, Virtual or XG125 appliance to my knowledge, as the other appliances do not have the hardware_acceleration feature. I think you are best to pursue the RED tunnels; I have still had my fair share of issues with the IPsec VPNs on XG appliances and have had better luck / performance with SSL S2S or RED S2S tunnels. Disabling PFS is as simple as changing your Phase 2 DH Group to None; I do believe that with removing PFS some security will be lost.

    Thanks,
    Hugh

  • The command is supported on XG 125, XG 135 and XG 750. All other appliances do not support this command, because whether this command is supported or not depends on the type of CPU which is built in.

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • I see that case ID 6009528 was closed in October. I believe you have another case open with support. Can you DM me the case# so that I can monitor it and push my team towards it?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hard to believe that disabling PFS "fixes" this issue.
    PFS is only used on rekeying, which happens only once per hour, or even less frequently.