Sophos Firewall: Troubleshoot VPN speed

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Overview

This article explains network speed, how to achieve high VPN speed, and how to troubleshoot slow VPN speed. It applies to all VPN types, such as remote access and site-to-site IPsec/SSL VPN.

Facts about network speed

Network speed between two hosts is determined by the following:

  • Bandwidth between the two hosts: Bandwidth is the ceiling. It's reached only with zero latency and zero packet loss.
  • Latency of the links between the two hosts: TCP can only keep one window's worth of data in flight per round trip, so throughput falls as latency rises, even if it's only 1 ms.
  • Packet loss on the links between the two hosts: Every lost packet triggers a TCP retransmission and shrinks the congestion window, which reduces throughput.

Facts about SMB transfer speed

SMB (Windows File Share) is a request/response protocol, so it's especially sensitive to latency and packet loss. Test the speed with HTTP/S or FTP, not with SMB.

The following speed test was done on a 1.0 Gb/s link with zero packet loss:

  • Less than 1 ms latency: SMB speed is 247 Mb/s.
  • 5 ms latency: SMB speed is 18 Mb/s.
  • 10 ms latency: SMB speed is 10.6 Mb/s.
  • 15 ms latency: SMB speed is 8.32 Mb/s.

In comparison, HTTP transfer speed can still reach 51.2 Mb/s on a link with 15 ms latency and zero packet loss.
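The two bounds behind these numbers, as an added example that isn't part of the Sophos article: a transfer that can only keep a fixed window in flight per round trip is capped at window / RTT (the bandwidth-delay product rearranged), and a TCP flow under random loss is capped by the Mathis bound MSS / RTT x 1.22 / sqrt(loss). The scenarios below are assumptions, not measurements from the article: the latency column is treated as one-way (so RTT is doubled), SMB is modelled as a 64 KiB request/response window, and the tunnel MSS of 1360 bytes assumes roughly 100 bytes of IPsec overhead on a 1460-byte path MSS.

```shell
#!/bin/sh
# Added example (not from the Sophos article): two back-of-the-envelope bounds
# that show why latency and loss, not raw bandwidth, cap throughput.
# awk does the floating-point math because POSIX sh arithmetic is integer-only.

# Throughput ceiling when a transfer cannot have more than WINDOW bytes in
# flight per round trip (bandwidth-delay product, rearranged). Prints Mb/s.
#   window_bound_mbps <window_bytes> <rtt_ms>
window_bound_mbps() {
    awk -v w="$1" -v rtt="$2" 'BEGIN { printf "%.2f\n", (w * 8) / (rtt / 1000) / 1e6 }'
}

# Mathis et al. steady-state TCP bound under random loss, in Mb/s:
#   rate <= (MSS / RTT) * 1.22 / sqrt(p)
#   mathis_bound_mbps <mss_bytes> <rtt_ms> <loss_fraction>
mathis_bound_mbps() {
    awk -v mss="$1" -v rtt="$2" -v p="$3" \
        'BEGIN { printf "%.2f\n", (mss * 8 * 1.22) / ((rtt / 1000) * sqrt(p)) / 1e6 }'
}

# Constructed scenarios (assumptions, not measurements): one-way latency of
# 1, 5, 10 and 15 ms; a 64 KiB SMB-style window; a 1 MiB streaming window;
# an assumed tunnel MSS of 1360 bytes at 0.1% and 2% loss.
report() {
    for oneway in 1 5 10 15; do
        rtt=$((oneway * 2))   # RTT is twice the one-way latency
        printf 'latency %2d ms  smb-64k %7s Mb/s  tcp-1MiB-window %8s Mb/s  0.1%%-loss %6s Mb/s  2%%-loss %6s Mb/s\n' \
            "$oneway" \
            "$(window_bound_mbps 65536 "$rtt")" \
            "$(window_bound_mbps 1048576 "$rtt")" \
            "$(mathis_bound_mbps 1360 "$rtt" 0.001)" \
            "$(mathis_bound_mbps 1360 "$rtt" 0.02)"
    done
}

report
```

Both functions give upper bounds, so a measured SMB figure (8.32 Mb/s at 15 ms in the article's test) will sit below the 64 KiB-window bound for the same latency; what matters is the shape of the curve: doubling RTT halves the ceiling, and going from 0.1% to 2% loss cuts the Mathis bound by a factor of about 4.5, which is why the article treats loss above 2% as drastic.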

Achieve high VPN speed

VPN speed is always lower than the raw network speed: the tunnel encapsulation adds headers to every packet (reducing the usable MTU/MSS), and encryption/decryption adds per-packet processing delay on both firewalls.

A VPN connection is sensitive to packet loss. Packet loss higher than 2% reduces VPN speed drastically.

To achieve high VPN speed, make sure of the following:

  1. There's zero packet loss and low network latency between the WAN IP of the firewalls.

    To check the packet loss and network latency between the local firewall and the remote firewall WAN IP, do as follows:

    1. Sign in to the CLI console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
    3. Run the following command:

      ping -a <SophosFirewall_WAN_IP> <REMOTE_WAN_IP> -s 1200 -c 50

This command sends 50 ping requests from the specified Sophos Firewall WAN IP to the remote firewall WAN IP with an ICMP data payload of 1200 bytes, which is closer to the size of real tunnel packets than the default payload. ICMP echo must be permitted on the remote WAN IP, otherwise the test shows 100% loss regardless of link quality.

  2. There's zero packet loss and low network latency between the firewall LAN IP and the endpoint devices.

    To check the packet loss and network latency between the firewall LAN IP and the endpoint devices, do as follows:

    1. Do a ping from firewall #1 LAN IP to computer #1.
    2. Do a ping from firewall #2 LAN IP to computer #2.

  3. Test the VPN speed between computer #1 and computer #2 using ping or a file download.

    Note: Don't ping from the firewall LAN IP to the computer in the remote VPN network. The firewall LAN IP might not be in the VPN local/remote network, which causes ping failure.
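The WAN-to-WAN and LAN-to-endpoint checks above are the same measurement applied to two segments, so the following added example (not Sophos code) turns them into a pass/fail gate that can be run from the Advanced Shell: it parses the packet-loss percentage and the average RTT out of a ping summary and fails when loss exceeds the article's 2% figure or the average RTT exceeds an assumed 100 ms ceiling. `path_check` runs the article's exact ping command; `evaluate_path` works on captured output, and the two sample summaries at the bottom are constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example: gate a VPN path on ping statistics. Not Sophos code.
# Thresholds are assumptions: the 2% loss figure comes from the article,
# the 100 ms average-RTT ceiling is a placeholder to adjust per site.
MAX_LOSS_PCT=2
MAX_AVG_RTT_MS=100

# Extract the packet-loss percentage from a ping summary line such as
# "50 packets transmitted, 49 received, 2% packet loss, time 49080ms".
ping_loss_pct() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p' | head -n 1
}

# Extract the average RTT in ms. Handles both the iputils line
# "rtt min/avg/max/mdev = a/b/c/d ms" and the BusyBox line
# "round-trip min/avg/max = a/b/c ms".
ping_avg_rtt_ms() {
    printf '%s\n' "$1" | grep 'min/avg/max' | sed 's/.*= *//' | cut -d/ -f2 | head -n 1
}

# Evaluate a captured ping summary. Prints the verdict and returns 0 when the
# path is acceptable, 1 when it breaches a threshold, 2 when unparseable.
evaluate_path() {
    summary="$1"
    loss=$(ping_loss_pct "$summary")
    rtt=$(ping_avg_rtt_ms "$summary")
    if [ -z "$loss" ] || [ -z "$rtt" ]; then
        echo "could not parse ping summary"
        return 2
    fi
    status=ok
    # awk does the floating-point comparison; sh arithmetic is integer-only.
    if awk -v l="$loss" -v m="$MAX_LOSS_PCT" 'BEGIN { exit !(l > m) }'; then
        status="packet loss ${loss}% exceeds ${MAX_LOSS_PCT}%"
    elif awk -v r="$rtt" -v m="$MAX_AVG_RTT_MS" 'BEGIN { exit !(r > m) }'; then
        status="average RTT ${rtt} ms exceeds ${MAX_AVG_RTT_MS} ms"
    fi
    echo "loss=${loss}% avg_rtt=${rtt} ms -> ${status}"
    [ "$status" = ok ]
}

# Run the article's ping (50 probes, 1200-byte payload) from the firewall's
# own WAN IP and evaluate the result. Flags are exactly as the article gives
# them for the Sophos Firewall Advanced Shell.
#   path_check <SophosFirewall_WAN_IP> <REMOTE_WAN_IP>
path_check() {
    out=$(ping -a "$1" "$2" -s 1200 -c 50 2>&1)
    evaluate_path "$out"
}

# Constructed sample summaries (not captured from a real firewall).
SAMPLE_GOOD='50 packets transmitted, 50 received, 0% packet loss, time 49080ms
rtt min/avg/max/mdev = 18.012/19.450/25.102/1.200 ms'
SAMPLE_LOSSY='50 packets transmitted, 47 packets received, 6% packet loss
round-trip min/avg/max = 18.012/19.450/25.102 ms'

evaluate_path "$SAMPLE_GOOD"
evaluate_path "$SAMPLE_LOSSY" || true
```

Run `path_check` for the WAN-to-WAN segment first; if it passes, repeat it from each firewall's LAN IP to its local test computer (step 2). A path that fails here will not get faster by changing VPN settings, so fix the link before touching the firewall configuration.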

Troubleshoot slow VPN speed

To troubleshoot slow VPN speed, do as follows:

  • Check if the VPN connection is carrying any unexpected traffic that competes with the test.
  • Make sure that the speed and duplex mode of the NIC on the computers, the firewalls, and every network device in between match on both ends of each link. A speed/duplex mismatch causes errors and retransmissions that look like a slow VPN.
  • Check if the slow speed affects a specific computer or all computers. This shows whether a single host or network device is the cause.
  • During speed tests, turn off antivirus and host IPS on the test computers, and turn them back on after the tests.
  • Check if Sophos Firewall causes the slow speed.

    To do this, apply any of the following, test again, and revert the change afterwards:

    • Create new firewall rules for inbound and outbound VPN traffic with all security scanning turned off and position them at the top of the rule table so they match before the existing rules.

    • Turn off SSL/TLS engine:

      1. Go to Rules and policies > SSL/TLS inspection rules and click SSL/TLS inspection settings.
      2. Click Advanced settings and select Disabled from the SSL/TLS engine drop-down.
      3. Click Save.

        Note: Make sure to turn it on after troubleshooting.

    • Turn off Sophos X-Ops threat feeds (Advanced threat protection):

      • Go to Active threat response > Sophos X-Ops threat feeds (Advanced threat protection) and turn off Sophos X-Ops threat feeds.

        Note: Make sure to turn it on after troubleshooting.

    • Turn off firewall-acceleration:

      1. Sign in to the CLI console.
      2. Type 4 to select Device Console.
      3. Run the following command:

        system firewall-acceleration disable

      4. Verify if firewall-acceleration is turned off. Run the following command:

        system firewall-acceleration show

        The result must be as follows:

        Firewall Acceleration is Disabled in Configuration.
        Firewall Acceleration is Unloaded.


    • Check if the CPU is overloaded:

      • Go to Diagnostics > System graphs and check the CPU Idle.

        If CPU Idle is less than 20%, the CPU is overloaded and the firewall itself is the bottleneck.

        In the example screenshot, CPU Idle is 73.79%, so the CPU isn't overloaded.

Edition history

2024-04-03: Revamped the article. Updated Active threat response. Updated the screenshots.

2023-01-03: Updated the ping command for different Sophos Firewall OS versions. Thanks to Marlone Raphael Alganes.

2022-10-25: First version

______________________________________________________________________________________________________________________________________



Updated "Achieve high VPN speed" section.
[edited by: DominicRemigio at 7:51 AM (GMT -7) on 4 Apr 2024]