
Site-to-Site IPSEC Extremely Slow

I have an IPSEC tunnel established between two sites that are within 30ft of each other (the buildings are next door).  Both sites get 100Mbps down / 10 Mbps up.  I set up an IPSEC tunnel between both sites using the default configuration of DefaultHeadOffice and DefaultBranchOffice in the IPSEC settings.  I have policies allowing LAN to VPN and VPN to LAN.  Everything is all pretty basic.

Once I set up the tunnel, I tried to do a simple file transfer of one 20MB file between a branch workstation and a server at Head Office.  It transferred the file at a speed of 0.7Mbps.  Considering both sites get 10Mbps upload, and given some overhead for the VPN tunnel, I would expect the speeds to be at least 7 or 8 Mbps, not 0.7....  Does anyone else have any experience of insanely slow site-to-site IPSEC tunnels or have any recommendations?

The Head Office has an XG125 and remote office has an XG105 running MR2.  Both are at 50% memory usage and between 0-10% CPU usage.

  • Hi Chris,

    SSH to the XG and go to option 5 > 3 (Advanced Shell). Type:

    cd /log

    tail -f ips.log

    Upload a file and monitor if something is dropped in the IPS logs. If there is no drop try changing the MSS value on the LAN and WAN interfaces to a lesser value. 

    Awaiting response.


    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin,

    I checked the logs as you asked while running a file transfer, and nothing was being dropped in the IPS log.

    Regarding the MSS setting, I tried lowering it from 1460 to 1300 on both ends (HQ and Branch) for the LAN interface and the WAN interface.  It did not make a difference.

    Any other ideas why the IPSEC VPN speeds are so slow?  This is fairly business-critical as no one can transfer any files between the branch office or HQ with the current speeds.  It is about 10-12 times slower than it should be.  I have no restrictions or throttling in place on either the LAN to VPN or VPN to LAN policies on either end.

  • Hi Chris,

    Wonderful! Please give us some time to recreate the issue and get back to you. You can also provide me the ticket# to look into the case if progress stalls.


    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Sachin,

    Thank you.  The ticket number is 6009528.



  • Just to be clear:

    - Both offices are within 30ft of each other and have a latency of 15ms

    - One office has an XG125, the other has an XG105.

    - On the XG105 end, an L2 switch connects to port 1 and all devices plug into the L2 switch

    - On the XG125 end, an L2 switch connects to port 1 and all devices plug into the L2 switch

    - This has been tested with a workstation directly connected to port 1 instead of the switch; same results

    - I have tested different MSS on both sides for the LAN and WAN interfaces.  I have not tweaked MTU.

    - I have tried disabling compression and PFS

    - I have tried setting up the following phase 1 AND phase 2 negotiations and the speeds were slow in each one:

         - DES / MD5

         - 3DES / MD5

         - AES128 / MD5

         - AES128 / SHA1

         - AES128 / SHA256

         - AES256 / SHA256

    - I have tried most of the DH groups.

  • And both offices get 120 Mbps down / 10 Mbps up.

    Speeds through IPSEC tunnel:

    Read: 0.72Mbps
    Write: 0.70Mbps

    Speeds through SSL VPN tunnel:

    Read: 9.8Mbps
    Write: 9.8Mbps

  • Hey Sachin,

    I am experiencing the same issue as Chris.  However I am having a hard time setting up an SSL Site to Site because the documentation is pretty brutal...

    I have had 2 sophos xg firewalls for about 6 months and they have been miserable speed wise.  

    Our main site is an XG135 with a voice server and 100/50 Mbps bandwidth.  Our satellite office across the street has an XG 115 with VoIP phones and 100/50 Mbps bandwidth.

    Latency is all over the map and file transfers over the VPN are miserable.  Everything to the internet is working perfectly.

    Can you point me in the direction of help?

  • Update: Sophos is still working on my ticket.  It sounds like they were able to replicate the horrible speed issue with using IPSEC Site to Site tunnels, but have not been able to find a workaround yet.

  • Hi Sachin,

    Can you provide an update on this issue?  I am currently experiencing this exact problem with an IPsec configuration using Branch and Headoffice policies.  Everything asked in this thread has been done.  Speeds between sites are capable of 30Mbps but I am only seeing about 2Mbps.  I have a failover setup with a P2P connection and don't really want to migrate away from the IPsec.

    Thank you,

  • Hi Jim,

    Please post the link to the SSL S2S KBA, and what firmware version is the XG running?


    Sachin Gurung
    Team Lead | Sophos Technical Support

  • ChrisWestmacott said:

    Update: Sophos is still working on my ticket.  It sounds like they were able to replicate the horrible speed issue with using IPSEC Site to Site tunnels, but have not been able to find a workaround yet.



    Hi ChrisWestmacott,


    Any update from Sophos? :)

  • Hi,

    Are there any updates from support?

    Thank you.


  • I am also curious as to what support has to say on this.  What are some speeds that others are getting from site-to-site IPsec tunnels and SSL VPN tunnels?

  • Hi Thomas,

    Please DM us the case ID so we may check the issue, we would require our support to investigate this issue.


    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Our issue turned out to be HA MTU based. We're using a simple router to handle VDSL for a HA configuration. We had to reduce the MTU on the Sophos WAN ports that connect to that router. We'd moved to Site to Site SSL VPNs that worked around the performance issue, but now they're back on IPSEC they're working fine.
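The replies above recommend lowering the MSS on the LAN/WAN interfaces, the original poster tried 1460 to 1300 for each cipher/hash pair in his list, and the post just above found the real cause was the WAN MTU towards a VDSL router. The following added example (not code from the thread, Sophos, or any poster) shows the arithmetic behind those two knobs: it computes the ESP tunnel-mode overhead for the transforms the poster tested and the largest inner TCP MSS that still fits a given path MTU without fragmenting the encrypted packet. Field sizes are the standard ESP layout (RFC 4303) with the usual truncated HMAC ICV lengths; the path MTU values and the `fits()` helper are assumptions for illustration, not Sophos behaviour.

```python
"""Added example (not from the thread): ESP tunnel-mode overhead and the
largest inner TCP MSS that avoids post-encryption fragmentation.

Assumptions: IPv4 outer header, CBC-mode ciphers with an explicit IV,
truncated HMAC ICVs (MD5-96 / SHA1-96 / SHA256-128), optional NAT-T UDP
encapsulation. Path MTU values used below are illustrative."""

IP_HDR = 20          # outer IPv4 header
NAT_T_UDP = 8        # UDP header when NAT traversal encapsulation is in use
ESP_SPI_SEQ = 8      # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
INNER_HDRS = 40      # inner IPv4 (20) + TCP (20) headers carried inside ESP

# (block size, IV length) per encryption transform, CBC mode
CIPHER = {
    "DES":    (8, 8),
    "3DES":   (8, 8),
    "AES128": (16, 16),
    "AES256": (16, 16),
}
# truncated ICV length per integrity transform
ICV = {"MD5": 12, "SHA1": 12, "SHA256": 16}


def esp_packet_len(cipher, auth, inner_len, nat_t=False):
    """On-the-wire length of an ESP tunnel-mode packet carrying an inner
    IP packet of inner_len bytes."""
    block, iv = CIPHER[cipher]
    # payload + trailer is padded up to a multiple of the cipher block size
    padding = -(inner_len + ESP_TRAILER) % block
    total = (IP_HDR + ESP_SPI_SEQ + iv + inner_len + padding
             + ESP_TRAILER + ICV[auth])
    if nat_t:
        total += NAT_T_UDP
    return total


def fits(cipher, auth, mss, path_mtu, nat_t=False):
    """True if a full-size segment with this MSS survives encapsulation
    without exceeding the path MTU (i.e. without outer fragmentation)."""
    return esp_packet_len(cipher, auth, mss + INNER_HDRS, nat_t) <= path_mtu


def max_inner_mss(cipher, auth, path_mtu, nat_t=False):
    """Largest TCP MSS that still fits the path MTU after ESP encapsulation."""
    for mss in range(path_mtu, 0, -1):
        if fits(cipher, auth, mss, path_mtu, nat_t):
            return mss
    return 0


def overhead_table(path_mtu=1500, nat_t=False):
    """Rows of (cipher, auth, max MSS, bytes-on-wire for the default 1460 MSS)
    for the transform pairs the original poster tested."""
    pairs = [("DES", "MD5"), ("3DES", "MD5"), ("AES128", "MD5"),
             ("AES128", "SHA1"), ("AES128", "SHA256"), ("AES256", "SHA256")]
    rows = []
    for cipher, auth in pairs:
        rows.append((cipher, auth,
                     max_inner_mss(cipher, auth, path_mtu, nat_t),
                     esp_packet_len(cipher, auth, 1460 + INNER_HDRS, nat_t)))
    return rows


if __name__ == "__main__":
    # Assumed path MTUs: a clean Ethernet path and a PPPoE/VDSL style path.
    for mtu in (1500, 1492):
        print(f"path MTU {mtu}:")
        for cipher, auth, mss, wire in overhead_table(mtu):
            print(f"  {cipher:>6}/{auth:<6} max inner MSS {mss:4d}  "
                  f"(MSS 1460 -> {wire} bytes on the wire)")
```

Reading the output: with the default 1460 MSS every transform pair produces a ~1550-1570 byte encrypted packet, which must be fragmented on a 1500-byte path, so some MSS reduction is always needed. An MSS of 1300, as tried in the thread, fits every pair at 1500 with room to spare, so if that change makes no difference the bottleneck is not ESP overhead at a 1500-byte MTU; the remaining suspects are a smaller path MTU on the WAN link itself (the case resolved above) or something unrelated to packet size.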

  • Hello,

    I posted a few weeks ago about IPSec speed being slower than expected (240 Mbps) on a 1Gbps link.  My conclusion was that Sophos isn't using the AES-NI encryption instructions when they are available, but no one could confirm this.  My tests were between software Sophos XG residing on VMs under ESXi 6.7, and also an XG 125 rev3 appliance.  I tested the same architecture between 2 pfSense VMs and with AES-NI active I could get around 1Gbps (out of 5.5 Gbps of max bandwidth on the virtual switch), and around 320 Mbps when AES-NI was deactivated.

    Now I am testing the same IPSec performance between an XG 105 and 115 (both rev3) in a private lab with a 1Gbps link, and the max throughput I can get with the standard HQ/Branch policy is ~100Mbps for a site-to-site IPSec VPN.  Again, I am very concerned about Sophos not offloading to the AES-NI encryption CPU.