Slow Throughput after installing v18 EAP

Hi,

I upgraded from v17.5.8 to v18 EAP about a week ago and noticed a drop in performance and an increased RAM usage.

I do have an XG115 rev2 Appliance installed with the Software Image and a Home Use License.

My Internet connection is 100/40.

With version 17.5.8 I was able to reach about 80 to 90 Mbit download (I already expected more from the hardware).

After the upgrade I only reach about 50 to 60 Mbit download. There is no DPI or web filtering activated, and it doesn't matter if I activate IPS or not.

SSL/TLS Inspection is turned on but there are not any rules.

Are there any tweaking options for the software version of Sophos XG running on a HW Appliance?

Thank you!

  • Could you take a look at this setup?


  • Same issue on SW appliance. Speed is terrible. What I don't understand is how they find it acceptable for it to be so slow, even for testing. I have 400/20 internet and before turning everything off at best I am getting 60Mbps; turning everything off, the best I can do on a hardwired Gig network is 150 or so. I used to regularly get 400-450. This needs to be fixed quickly. If I go directly to my modem I get full speed, so I know this issue is Sophos.

  • J F said:

    same issue on SW appliance. speed is terrible. What I don't understand is how they find it acceptable for it to be so slow, even for testing.

     

    What I don't understand is how people don't understand that they are **testing** an early **test-release** where it is expected to have issues. Also, who told you "they find it acceptable"? Cut them some slack maybe? These tests are done to find and fix issues like this. If you don't want to be affected by issues like these, don't run beta versions. Simple. 

  • Testing performance is part of the tests that SW houses perform internally (stress and performance tests). If people find a performance issue, they are more than welcome to share it, especially during the beta. Imagine that no one performs this test and at GA people start to have performance issues on an XG 650 or 750.

    I do not understand your comment. We are all here to improve the product and find errors.

    Regards

  • My comment was about the complaining part. "What I don't understand is how they find it acceptable for it to be so slow". That's what I responded to. Of course these issues have to be found, reported on and get a fix. Expecting that issues like that don't exist ("how does Sophos find it acceptable to release something like that") is an utterly wrong expectation. 

  • The point is, even the Release post mentions: 

    • The firmware is continually being tuned for performance. Expect to see faster speeds in future builds.

     

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-eap1_5f00_refresh1-firmware-has-been-released

     

    But I am not quite on the same page for the speed tests.

    Currently, my XG125 with Firewall Policy + SSLx Rule (without IPS Rule) reaches 26 mb/s on downloads.

    My WAN connection is 250 mbit/s (cable, so it may vary a lot).

     

    Some "IPS" related information.

    If you enable IPS, you may get better performance if you test multiple downloads at the same time.

    With LAN to WAN, I get roughly 21 mb/s across 4 downloads.

    Depending on the downloader software.

    Taking a look at browsers, I get roughly 21 mb/s across 4 downloads.

    With other software (like Steam) I get 26 mb/s with one single download. I am not aware of the download method of Steam, so I cannot comment on that.


  • LuCar Toni said:

    But i am not quite on the same page for the speed tests. 

    Currently, my XG125 with Firewall Policy + SSLx Rule (without IPS Rule) reaches my 26 mb/s on Downloads. 

     

    Thanks Luca for sharing your performance. At least we have a reference to start from. Performance in your case is very bad! I hope an NC for tracing the performance issue will come out from the devs.

    Regards

  • Hi, you are generally correct that a multi-threaded download will yield better results when downloading. However, some users are reporting 100 percent usage by snort. This should not happen on a simple speed test. If it is happening, then either the hardware is too slow or something else is wrong, since when you put the same hardware in a multi-user environment, your appliance will become a bottleneck fairly quickly.

    Regards

  • Forgot to mention my WAN Connection. Corrected in my earlier post. 


  • Hello all. I did some quick and dirty tests at home this evening to check that behaviour on my XG125. As LuCar Toni wrote correctly, DPI is still under development and there is surely headroom until GA to get some bottlenecks optimized and reach different speeds than today via DPI.

    However, I assume many people are testing their web speeds (HTTP/HTTPS), which at least in the case of HTTPS is not fully offloadable to FastPath due to en- and decryption in the DPI engine. Other connections, for example copying a large file with a client in the client network from a network share in the server network via the XG firewall, should get offloaded and reach line speed.

    I tested this today, and it seems that offloadable connections get marked correctly in conntrack as offloaded, but speed is still capped at roughly the peak throughput the DPI engine offers on that device (in my case ~60 Mbit with the XG125). So I'm not sure if in EAP1, or at least EAP1 Refresh 1, VFP offloading accidentally got broken, or if it maybe got disabled for whatever reason in that release (or releases).

    However:

    With firewall-acceleration (offloading) disabled I get ~60 MBit/s downstream in speedtest.net, and the same with firewall-acceleration enabled. That was expected, as the connection is only partly offloaded but still passes through DPI due to HTTPS de- and encryption.

    With firewall-acceleration (offloading) disabled I get 9 MByte/s for my file copy from an SMB share via the firewall, and the same with firewall-acceleration enabled. That was unexpected, as the connection is marked as offloaded in conntrack and should reach line speed (or at least ~80-90 MByte/s, which my NAS should be capable of delivering).

    So it looks to me like the VFP offloading process in that release probably isn't working as expected.

     

    Some conntrack examples with firewall-acceleration enabled and disabled for the SMB connection to the network share:

    system firewall-acceleration enable

    XG125_XN02_SFOS 18.0.0 EAP1-Refresh1# conntrack -L | grep -i orig-dport=445

    proto=tcp      proto-no=6 timeout=10800 state=ESTABLISHED orig-src=192.168.20.215 orig-dst=192.168.10.11 orig-sport=49794 orig-dport=445 packets=85888 bytes=3923517 reply-src=192.168.10.11 reply-dst=192.168.20.215 reply-sport=445 reply-dport=49794 packets=147599 bytes=220884992 [ASSURED] mark=0x0 use=3 id=1733477632 masterid=0 devin=Port1.53 devout=Port3 nseid=404 ips=0 sslvpnid=0 webfltid=0 appfltid=1 icapid=0 policytype=2 fwid=15 natid=0 fw_action=1 bwid=0 appid=10203 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x3 inzone=1 outzone=1 devinindex=22 devoutindex=7 hb_src=8 hb_dst=0 flags0=0x8000a200008 flags1=0xd004804000 flagvalues=3,21,25,27,43,78,87,90,100,102,103 catid=0 user=78 luserid=38 usergp=65 hotspotuserid=0 hotspotid=0 dst_mac=00:1a:8c:48:75:d8 src_mac=30:24:32:ee:e5:58 startstamp=1572892018 microflowid[0]=78 microflowrev[0]=37 microflowid[1]=241 microflowrev[1]=54 hostrev[0]=4 hostrev[1]=4 ipspid=0 diffserv=0 loindex=7 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=2546 current_state[1]=2546 vlan_id=0 inmark=0x0 brinindex=0 sessionid=1477 sessionidrev=9123 session_update_rev=5 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=15 nhop_id[1]=6 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=18446612138342663424 conn_fp_rev=0

    system firewall-acceleration disable

    XG125_XN02_SFOS 18.0.0 EAP1-Refresh1# conntrack -L | grep -i orig-dport=445

    proto=tcp      proto-no=6 timeout=10786 state=ESTABLISHED orig-src=192.168.20.215 orig-dst=192.168.10.11 orig-sport=50039 orig-dport=445 packets=145 bytes=24482 reply-src=192.168.10.11 reply-dst=192.168.20.215 reply-sport=445 reply-dport=50039 packets=130 bytes=49211 [ASSURED] mark=0x0 use=1 id=1536525888 masterid=0 devin=Port1.53 devout=Port3 nseid=2 ips=0 sslvpnid=0 webfltid=0 appfltid=1 icapid=0 policytype=2 fwid=15 natid=0 fw_action=1 bwid=0 appid=10203 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x3 inzone=1 outzone=1 devinindex=22 devoutindex=7 hb_src=8 hb_dst=0 flags0=0x8000a200008 flags1=0x1004800000 flagvalues=3,21,25,27,43,87,90,100 catid=0 user=78 luserid=38 usergp=65 hotspotuserid=0 hotspotid=0 dst_mac=00:1a:8c:48:75:d8 src_mac=30:24:32:ee:e5:58 startstamp=1572892496 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=7 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=2548 current_state[1]=2548 vlan_id=0 inmark=0x0 brinindex=0 sessionid=439 sessionidrev=43149 session_update_rev=5 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=15 nhop_id[1]=6 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
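Added example (my own script, not from this thread and not a Sophos tool): a small Python parser for the `conntrack -L` output shown above that gives each flow a per-flow fast-path verdict instead of leaving you to eyeball 70 fields. The rule it applies is the one the two entries above demonstrate: `conn_fp_id` is a numeric id on the accelerated flow and `NOT_OFFLOADED` on the other, while `dpioffload=0x3` is identical in both and so proves nothing on its own. Treating `ips_nfqueue=1` and `microflow[x]=INVALID` as further signs that the flow still takes the DPI/IPS path is my reading of those two entries, not documented field semantics. The embedded sample lines are the two port-445 entries from the post, abridged to the fields the script reads; the file name `vfp_check.py` is assumed.

```python
"""Classify Sophos XG `conntrack -L` entries by fast-path (VFP) offload state."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# SFOS conntrack lines are whitespace-separated key=value tokens; "[ASSURED]"
# is the only bare token and is skipped by this pattern.
TOKEN = re.compile(r"(\S+?)=(\S+)")

# Constructed sample: the two port-445 entries from the post above, abridged to
# the fields this script uses (values as posted; first line = acceleration on).
SAMPLE_CONNTRACK = """\
proto=tcp      proto-no=6 timeout=10800 state=ESTABLISHED orig-src=192.168.20.215 orig-dst=192.168.10.11 orig-sport=49794 orig-dport=445 packets=85888 bytes=3923517 reply-src=192.168.10.11 reply-dst=192.168.20.215 reply-sport=445 reply-dport=49794 packets=147599 bytes=220884992 [ASSURED] mark=0x0 devin=Port1.53 devout=Port3 dpioffload=0x3 microflowid[0]=78 microflowrev[0]=37 microflowid[1]=241 microflowrev[1]=54 tlsruleid=0 ips_nfqueue=0 conn_fp_id=18446612138342663424 conn_fp_rev=0
proto=tcp      proto-no=6 timeout=10786 state=ESTABLISHED orig-src=192.168.20.215 orig-dst=192.168.10.11 orig-sport=50039 orig-dport=445 packets=145 bytes=24482 reply-src=192.168.10.11 reply-dst=192.168.20.215 reply-sport=445 reply-dport=50039 packets=130 bytes=49211 [ASSURED] mark=0x0 devin=Port1.53 devout=Port3 dpioffload=0x3 microflow[0]=INVALID microflow[1]=INVALID tlsruleid=0 ips_nfqueue=1 conn_fp_id=NOT_OFFLOADED
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    orig_packets: int
    orig_bytes: int
    reply_packets: int
    reply_bytes: int
    conn_fp_id: str        # numeric id when offloaded, "NOT_OFFLOADED" otherwise
    ips_nfqueue: int       # 1 on the non-offloaded entry (assumed: still queued to IPS/DPI)
    dpioffload: int        # 0x3 in both entries, so it alone does not prove a fast path
    microflow_valid: bool  # False when conntrack prints microflow[x]=INVALID
    devin: str
    devout: str

    @property
    def offloaded(self) -> bool:
        return self.conn_fp_id != "NOT_OFFLOADED"

    def endpoints(self) -> str:
        return f"{self.proto} {self.src}:{self.sport} -> {self.dst}:{self.dport} ({self.devin}->{self.devout})"


def parse_entry(line: str) -> Flow:
    """Parse one conntrack line. 'packets'/'bytes' occur twice: original, then reply."""
    fields: dict[str, str] = {}
    packets: list[int] = []
    byte_counts: list[int] = []
    for key, value in TOKEN.findall(line):
        if key == "packets":
            packets.append(int(value))
        elif key == "bytes":
            byte_counts.append(int(value))
        else:
            fields[key] = value
    if len(packets) != 2 or len(byte_counts) != 2:
        raise ValueError(f"expected original+reply counters in: {line[:60]}...")
    microflow_valid = all(v != "INVALID" for k, v in fields.items() if k.startswith("microflow"))
    return Flow(
        proto=fields["proto"],
        src=fields["orig-src"], sport=int(fields["orig-sport"]),
        dst=fields["orig-dst"], dport=int(fields["orig-dport"]),
        orig_packets=packets[0], orig_bytes=byte_counts[0],
        reply_packets=packets[1], reply_bytes=byte_counts[1],
        conn_fp_id=fields.get("conn_fp_id", "NOT_OFFLOADED"),
        ips_nfqueue=int(fields.get("ips_nfqueue", "0")),
        dpioffload=int(fields.get("dpioffload", "0x0"), 16),
        microflow_valid=microflow_valid,
        devin=fields.get("devin", "?"), devout=fields.get("devout", "?"),
    )


def parse_conntrack(text: str) -> list[Flow]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.lstrip().startswith("proto=")]


def flows_to_port(flows: list[Flow], dport: int) -> list[Flow]:
    """Same filter as the `grep -i orig-dport=445` in the post."""
    return [f for f in flows if f.dport == dport]


def offload_report(flows: list[Flow]) -> list[dict]:
    """One row per flow with the conntrack fields that explain its offload state."""
    rows = []
    for f in flows:
        if f.offloaded:
            reason = f"conn_fp_id={f.conn_fp_id}"
        else:
            hints = ["conn_fp_id=NOT_OFFLOADED"]
            if f.ips_nfqueue:
                hints.append(f"ips_nfqueue={f.ips_nfqueue}")
            if not f.microflow_valid:
                hints.append("microflow=INVALID")
            reason = ", ".join(hints)
        rows.append({"flow": f.endpoints(), "offloaded": f.offloaded,
                     "reply_bytes": f.reply_bytes, "reason": reason})
    return rows


def main(argv: list[str]) -> None:
    # On the appliance:  conntrack -L | python3 vfp_check.py --stdin 445
    # Without --stdin the constructed sample above is analysed.
    text = sys.stdin.read() if "--stdin" in argv else SAMPLE_CONNTRACK
    port = next((int(a) for a in argv[1:] if a.isdigit()), None)
    flows = parse_conntrack(text)
    if port is not None:
        flows = flows_to_port(flows, port)
    rows = offload_report(flows)
    for r in rows:
        state = "OFFLOADED" if r["offloaded"] else "DPI path"
        print(f"{r['flow']:<60} {state:<9} reply={r['reply_bytes']:>11} B  {r['reason']}")
    print(f"{sum(r['offloaded'] for r in rows)}/{len(rows)} flows fast-path offloaded")


if __name__ == "__main__":
    main(sys.argv)
```

To reproduce the check from the post, run the file copy, then `conntrack -L | python3 vfp_check.py --stdin 445` once with `system firewall-acceleration enable` and once with `disable`. A flow reported as OFFLOADED that still tops out at the DPI engine's throughput is exactly the symptom described above; keep in mind that `conntrack -L` is a point-in-time snapshot, so take it while the transfer is running and compare the reply byte counter across two snapshots if you want a rate rather than a verdict.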