Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This recommended read explains network speed, how to achieve high VPN speed, and how to troubleshoot slow VPN speed. It applies to all VPN types, such as remote access and site-to-site IPsec/SSL VPN.
Facts about network speed
Network speed between two hosts is determined by the following:
- Bandwidth between two hosts: The maximum speed is achieved with zero latency and zero packet loss.
- Latency of the links between two hosts: Even if it's only 1 ms, latency reduces network speed.
- Packet loss on the links between two hosts triggers TCP retransmission and reduces speed.
Facts about SMB transfer speed
SMB and Windows File Share are sensitive to latency and packet loss. Test the speed over HTTP/S or FTP rather than over SMB.
The following speed test was done in a 1.0 Gbps link with zero packet loss:
- Less than 1 ms latency: SMB speed is 247 Mb/s.
- 5 ms latency: SMB speed is 18 Mb/s.
- 10 ms latency: SMB speed is 10.6 Mb/s.
- 15 ms latency: SMB speed is 8.32 Mb/s.
The HTTP transfer speed can reach 51.2 Mb/s on a link with 15 ms latency and zero packet loss.
Achieve high VPN speed
VPN speed is always lower than the network speed due to the delay caused by packet encryption/decryption.
The VPN connection is sensitive to packet loss. Packet loss of more than 2% drastically reduces the VPN speed.
To achieve high VPN speed, make sure of the following:
- There's zero packet loss and low network latency between the WAN IP of the firewalls.
To check the packet loss and network latency between the local firewall and the remote firewall WAN IP, do as follows:
- Sign in to the CLI console.
- Type 5 to select Device Management, then type 3 to select Advanced Shell.
- Run the following command:
ping -a <SophosFirewall_WAN_IP> <REMOTE_WAN_IP> -s 1200 -c 50
This command sends 50 ping requests from the specified Sophos Firewall WAN IP to the remote firewall WAN IP with an ICMP data payload of 1200 bytes.
- There's zero packet loss and low network latency between the firewall LAN IP and the endpoint devices.
To check the packet loss and network latency between the firewall LAN IP and the endpoint devices, do as follows:
- Do a ping from firewall #1 LAN IP to computer #1.
- Do a ping from firewall #2 LAN IP to computer #2.
- Test the VPN speed between computer #1 and computer #2 using ping or a file download.
Note: Don't ping from the firewall LAN IP to the computer in the remote VPN network. The firewall LAN IP might not be in the VPN local/remote network, which causes ping failure.
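The ping checks above produce a summary line with the loss percentage and a round-trip-time line. The following Python script, added here as an example and not part of the original article or of Sophos Firewall, parses that summary and flags the path when packet loss exceeds the 2% figure the article gives for a drastic VPN slowdown. The sample ping output is constructed, and the 30 ms "high latency" warning level is an assumption for this check, not a figure from the article.

```python
"""Evaluate a ping test of the VPN path against the thresholds in this article.

Added example, not Sophos code. Parses the summary printed by a Linux-style
`ping -c N` (iputils or BusyBox format) and reports packet loss above 2%
and high average latency.
"""
import re

# Constructed sample: the tail of `ping ... -s 1200 -c 50`. Not real output
# from a Sophos Firewall; the address is from the documentation range.
SAMPLE_OUTPUT = """\
--- 203.0.113.10 ping statistics ---
50 packets transmitted, 48 received, 4% packet loss, time 49123ms
rtt min/avg/max/mdev = 18.402/21.117/35.910/3.004 ms
"""

LOSS_THRESHOLD_PCT = 2.0  # from the article: loss above 2% drastically reduces VPN speed
LATENCY_WARN_MS = 30.0    # assumption: average RTT above this counts as "high" here

_SUMMARY_RE = re.compile(
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) (?:packets )?received,"
    r"(?: \+\d+ errors,)? (?P<loss>[\d.]+)% packet loss"
)
# iputils prints "rtt min/avg/max/mdev = ..."; BusyBox prints "round-trip min/avg/max = ..."
_RTT_RE = re.compile(
    r"(?:rtt|round-trip) min/avg/max(?:/mdev)? = "
    r"(?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+)(?:/(?P<mdev>[\d.]+))? ms"
)


def parse_ping_summary(text: str) -> dict:
    """Extract transmitted/received counts, loss percentage and RTT statistics."""
    m = _SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("ping summary line not found")
    sent, recv = int(m["sent"]), int(m["recv"])
    # Recompute loss from the counts instead of trusting the rounded percentage.
    loss_pct = 100.0 * (sent - recv) / sent if sent else 100.0
    stats = {"sent": sent, "received": recv, "loss_pct": loss_pct}
    r = _RTT_RE.search(text)
    if r is not None:  # the RTT line is absent when every probe was lost
        stats.update({k: float(r[k]) for k in ("min", "avg", "max", "mdev") if r[k] is not None})
    return stats


def assess_link(stats: dict) -> list[str]:
    """Return the problems found; an empty list means the path looks clean."""
    problems = []
    if stats["loss_pct"] > LOSS_THRESHOLD_PCT:
        problems.append(f"packet loss {stats['loss_pct']:.1f}% exceeds {LOSS_THRESHOLD_PCT}%")
    if "avg" not in stats:
        problems.append("no replies received; cannot measure latency")
    elif stats["avg"] > LATENCY_WARN_MS:
        problems.append(f"average RTT {stats['avg']:.1f} ms is high")
    return problems


if __name__ == "__main__":
    stats = parse_ping_summary(SAMPLE_OUTPUT)
    print(stats)
    for problem in assess_link(stats) or ["no problems found"]:
        print("-", problem)
```

Run the firewall-to-firewall and firewall-to-endpoint pings separately and feed each summary to the script; a clean WAN path with a lossy LAN segment points at the LAN side, which the article's per-segment checks are designed to isolate.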
Troubleshoot slow VPN speed
To troubleshoot slow VPN speed, do as follows:
- Check if any unexpected traffic uses the VPN connection.
- Make sure that the speed and duplex mode of the NIC on computers, firewalls, and every involved network device are correct.
- Check if slow speed occurs on a specific computer or all computers. It can also help to determine if slow speed is caused by a specific network device.
- During speed tests, ensure that antivirus and host IPS are turned off on computers. Make sure to turn them on after the tests.
- Check if Sophos Firewall causes the slow speed.
To do this, do any of the following and test:
- Create new firewall rules for inbound and outbound VPN traffic with all scanning turned off and position these at the top.
- Turn off the SSL/TLS engine:
- Go to Rules and Policies> SSL/TLS inspection rules and click SSL/TLS inspection settings.
- Click Advanced settings and select Disabled from the SSL/TLS engine drop-down.
- Click Save.
Note: Make sure to turn it on after troubleshooting.
- Turn off Sophos X-Ops threat feeds (Advanced threat protection):
- Go to Active threat response > Sophos X-Ops threat feeds (Advanced threat protection) and turn off Sophos X-Ops threat feeds.
Note: Make sure to turn it on after troubleshooting.
- Turn off firewall-acceleration:
- Sign in to the CLI console.
- Type 4 to select Device Console.
- Run the following command:
system firewall-acceleration disable
- Verify that firewall-acceleration is turned off. Run the following command:
system firewall-acceleration show
The result must be as follows:
Firewall Acceleration is Disabled in Configuration.
Firewall Acceleration is Unloaded.
- Check if the CPU is overloaded:
- Go to Diagnostics > System graphs and check the CPU Idle.
If the CPU Idle is less than 20%, it's overloaded.
In the article's example screenshot (not reproduced here), CPU Idle is 73.79%, so the CPU isn't overloaded.
[edited by: Erick Jan at 9:07 AM (GMT -7) on 17 Sep 2024]