IPSec Site-to-Site and SSL-VPN abysmal performance

Question

Hello, 
 I've never had really good performance in IPsec S2S, and it hasn't really be a bother. But, since times of home office, this is becoming increasingly important. 
 We own a SG125, which should more than cover our needs: 20 users in total, mostly some 15 VPN connections and one S2S tunnel (to free version). 
 However, even on lightest of days, with zero SSL-VPN connections, I have abysmal performance: not more than 10Mbit/s upload or download. The connection in the upload case (remote site to company site) is 25Mbit - limited by the upload-speed on the remote-site. Download speed at the company site is at least 50Mbit. 
 SSL-VPN is also very slow. Things like opening a folder over SMB, copying files, it all goes often in KB/s speeds. 
 Opening folders is sometimes real pain. It does matter what folders contain, but still. Copying alone should be faster. 
 I also did speedtests on both sides, and here I get full speeds. 
 Am I doing something wrong or is the firewall simply "old"?

PhilippRusch · Answer

Hello Costa, 
 Short answer is: No, that SG125 is not "old" and not even undersized for 20 users and 15 remote connections. 
 Long answer: I am sitting in my home office behind much smaller hardware-box, which is runnungi the Sophos "Home" license. 
 My answer time from my office servers is instantly, I open explorer and have the list of folders and files in sub-second. 
 What I guess here from distance, this seems to bee a name-resolution problem. It's always like that, when you have loooong response times from windows servers. 
 Could be DNS, could be WINS or NetBIOS, or a name-caching problem. 
 My advice: try to troubleshoot with nslookup from CMD, disable all IPv6 settings, disable NetBIOS over TCP, check your DNS settings, check routing.

PhilippRusch · Answer

OK, let's assume you followed everything in "Rulz" about DNS settings and did nothing wrong. 
 But testing is about checking and not about assuming... So better check twice :-) 
 You diabled NetBIOS and things got worse. OK, that would tell me that we are on the right track! Maybe a restart of your client would have been better before testing to get rid of anything cached. 
 Next thing is IPv6, do you really "use" this in your setup? you have a name resolution for IPv6 running AND you have a IPv6 tunnel? With a Sophos SG-UTM? I don't think so. 
 So, if you are not using IPv6, then you should disable it. Right away. There is no recommendation from Microsoft to have this turned on in every network. 
 About "speeds": you were talking about two differnet things here. 
 1. Opening network drives and having a slow built-up of the folders list on those drives. This has to do with name-resolution. 
 2. Transfer speed when copying files. this has to do with bandwidth, parallel use with others on that VPN-uplink and many other factors. 
 Did you turn on compression in your IPsec policy? 
 OK - wild guess, since I am on the MTU-size trip today ... did you ever test to reduce your MTU size? 
 For me, this made a HUGE difference in my homeoffice. Before we were nearly unable to work over VPN.

Charlie Sorrell · Answer

Hi Kosta88, 
 
 Try disabling UDP Flood Protection. 
 If performance is improved once disabled, look at implementing exclusions. 
 If you're using TCP for your SSL tunnel, also try disabling TCP flood protection.