
IPSec Site-to-Site and SSL-VPN abysmal performance

Hello,

I've never had really good performance in IPsec S2S, and it hasn't really been a bother. But since the times of home office, this is becoming increasingly important.

We own an SG125, which should more than cover our needs: 20 users in total, mostly some 15 VPN connections and one S2S tunnel (to a free version).

However, even on the lightest of days, with zero SSL-VPN connections, I have abysmal performance: not more than 10 Mbit/s upload or download. The connection in the upload case (remote site to company site) is 25 Mbit, limited by the upload speed on the remote site. Download speed at the company site is at least 50 Mbit.

SSL-VPN is also very slow. Things like opening a folder over SMB, copying files, it all goes often in KB/s speeds.

Opening folders is sometimes a real pain. It does matter what the folders contain, but still. Copying alone should be faster.

I also did speedtests on both sides, and here I get full speeds.

Am I doing something wrong or is the firewall simply "old"?



  • Hello Costa,

    Short answer is: No, that SG125 is not "old" and not even undersized for 20 users and 15 remote connections.

    Long answer: I am sitting in my home office behind a much smaller hardware box, which is running the Sophos "Home" license.

    My response time from my office servers is instant; I open Explorer and have the list of folders and files in under a second.

    What I guess here from a distance is that this seems to be a name-resolution problem. It's always like that when you have looooong response times from Windows servers.

    Could be DNS, could be WINS or NetBIOS, or a name-caching problem.

    My advice: try to troubleshoot with nslookup from CMD, disable all IPv6 settings, disable NetBIOS over TCP, check your DNS settings, check routing.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I would be inclined to dismiss the DNS problem at once first, really. But at this point I'll look at anything.

    I remember setting up DNS according to Rulz and what I read about configuring Sophos UTM.

    It's not always about opening folders. For instance, right now they are opening instantly, and I am on the S2S tunnel only. Nobody else.

    Can name resolution really be something impacting the transfer speeds though?

    Also a weird thing is, the transfer is very unstable: changing speed a lot. When looking at the diagram in task manager, it's a mess - up down up down.

    Btw, doing nslookup: what should I do with it exactly? Doing an NS query returns the non-authoritative DNS, which is in the company (if doing it from the remote site; authoritative if doing it in the company's network)... doing type=a, same... doing nslookup on some server, no problem. I don't see anything wrong, everything returns within a millisecond.

    WINS is not installed, and the NetBIOS default setting has not been changed. I disabled NetBIOS on my client, and that didn't change a thing. I have a feeling that it even made it worse.

    Disable IPv6? That is completely against any other recommendation out there, even Microsoft itself, and could lead to network connectivity problems??

    What speeds should I be expecting?

  • OK, let's assume you followed everything in "Rulz" about DNS settings and did nothing wrong.

    But testing is about checking and not about assuming... So better check twice :-)

    You disabled NetBIOS and things got worse. OK, that would tell me that we are on the right track! Maybe a restart of your client would have been better before testing, to get rid of anything cached.

    Next thing is IPv6: do you really "use" this in your setup? You have name resolution for IPv6 running AND you have an IPv6 tunnel? With a Sophos SG-UTM? I don't think so.

    So, if you are not using IPv6, then you should disable it. Right away. There is no recommendation from Microsoft to have this turned on in every network.

    About "speeds": you were talking about two different things here.

    1. Opening network drives and having a slow built-up of the folders list on those drives. This has to do with name-resolution.

    2. Transfer speed when copying files. This has to do with bandwidth, parallel use with others on that VPN uplink and many other factors.

    Did you turn on compression in your IPsec policy?

    OK - wild guess, since I am on the MTU-size trip today ... did you ever test to reduce your MTU size?

    For me, this made a HUGE difference in my homeoffice. Before we were nearly unable to work over VPN.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • OK, first I'll see to reboot everything and "measure" then.

    IPv6: no, I am not using IPv6 at all. But I remember reading that IPv6 functionality should not be turned off. I also remember doing that with one of our customers, and then not being able to reach the server any more. But as I said, I will try it out.

    Opening folders and network drives is (sometimes) very slow if (all) my users are online. When no-one is online, like now, it's fine.

    Copying files: yes, this is what is slow, and where bandwidth shouldn't play a role. As I said, I would expect to reach full, or almost full, 25 Mbit from my computer, as that is the full upload speed in a speedtest. I think I have to do some more tests, like Sunday morning or something, when I get full, stable bandwidth on both sides.

    Compression on the IPSEC tunnel is not used.

    MTU: no, I did not. That might be a thing worth looking at first maybe? I see it's default 1500 on each interface. Never changed those. How do I go about that?

    EDIT:

    Here you go:

    Configure IPv6 for advanced users - Windows Server | Microsoft Docs

    Important

    IPv6 is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function.
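Philipp suggests trying a smaller MTU and Kosta asks how to go about it. The script below is an added example (not from either poster and not a Sophos tool): it binary-searches the largest ping that passes with the Don't-Fragment bit set, then subtracts an assumed worst-case ESP/NAT-T overhead to suggest an inner tunnel MTU and MSS clamp. The placeholder target address and the overhead figure are assumptions; the `probe` parameter lets you swap the real ping for a simulated path.

```python
"""Path-MTU probe for a VPN link (added example, not from the thread).
Finds the largest unfragmented ping by binary search and derives a tunnel
MTU. ESP_OVERHEAD_ASSUMED is an assumption, not a measured value."""
import subprocess
import sys
from typing import Callable

IP_ICMP_HEADER = 28   # 20-byte IPv4 header + 8-byte ICMP header per probe
# Assumed worst case for ESP tunnel mode with NAT-T, AES-CBC and a 96-bit ICV:
# 20 outer IP + 8 UDP + 8 ESP header + 16 IV + 15 pad + 2 trailer + 12 ICV
ESP_OVERHEAD_ASSUMED = 81

def ping_df(host: str, payload: int) -> bool:
    """One ping with DF set and the given ICMP payload; True if answered."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:  # Linux iputils: -M do refuses local fragmentation
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(host: str, probe: Callable[[str, int], bool] = ping_df,
                  lo: int = 576, hi: int = 1500) -> int:
    """Largest whole IP packet (payload + headers) that passes unfragmented."""
    lo_pl, hi_pl = lo - IP_ICMP_HEADER, hi - IP_ICMP_HEADER
    if not probe(host, lo_pl):
        raise RuntimeError("minimum-size probe failed; check connectivity first")
    if probe(host, hi_pl):
        return hi
    while hi_pl - lo_pl > 1:          # invariant: lo_pl passes, hi_pl fails
        mid = (lo_pl + hi_pl) // 2
        if probe(host, mid):
            lo_pl = mid
        else:
            hi_pl = mid
    return lo_pl + IP_ICMP_HEADER

def tunnel_mtu(path_mtu: int, overhead: int = ESP_OVERHEAD_ASSUMED) -> int:
    """Inner MTU to configure so that encrypted packets fit the measured path."""
    return path_mtu - overhead

def tcp_mss(mtu: int) -> int:
    """MSS clamp value for that MTU (40 bytes of IPv4 + TCP headers)."""
    return mtu - 40

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder (TEST-NET)
    pmtu = find_path_mtu(target)
    inner = tunnel_mtu(pmtu)
    print(f"path MTU {pmtu}, suggested tunnel MTU {inner}, MSS clamp {tcp_mss(inner)}")
```

Run it against the far end of the tunnel from each site; if the result is below 1500, lower the interface or client MTU to the suggested value and re-test the copy speed.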

  • Hello Kosta,

    last try before I give up: it is true that there are some services on Windows Server systems that are bound to IPv6 by default.

    For instance on Windows SBS 2011, which is EOL. Some Exchange Servers had a preference for IPv6 interfaces when they were configured during the first-time install of Exchange. Changing this later causes a lot of funny troubles.

    But: you can always use IPv4 only, believe me or not. You don't need IPv6 on any external interface of a modern windows server or client if you don't actively use it. That means having a complete network configured for IPv6. This does not mean disabling the IPv6 service at all. Leave it like it is, that's fine.

    I have some 50 customer sites, which don't use IPv6 at all and of course don't have it configured on their systems. They have superfast IPv4 / clean DNS / no NetBIOS networks instead. :-)

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hallo guys,

    I'm not a fan of the 125 for 20 people in high-usage situations. I suspect that the real problem here is that the 125 is overwhelmed by so much SSL VPN activity and that the IPsec site-to-site is not an issue. I would first try to replace the resource-intensive SSL VPN remote access with L2TP/IPsec or (my preference) the Sophos Connect client with IPsec remote access.

    If you're considering a faster internet connection, I would consider moving up to an SG 135 as it has a processor that's almost 50% faster and has twice the number of cores.

    If you're considering 500Mbps, I would consider a software license for 25 users and a small server with a 4-core-or-more processor that's 3.5GHz or faster.

    Any better luck after switching from SSL VPN remote access?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi Kosta88,

    Try disabling UDP Flood Protection.

    If performance is improved once disabled, look at implementing exclusions.

    If you're using TCP for your SSL tunnel, also try disabling TCP flood protection.