
IPSEC performance

Hi,

We've got a cluster of UTM450s and UTM310s that have an IPsec tunnel between them. The link is 1 Gbit/s, and we've verified we can get 1 Gbit/s over a single TCP stream. The IPsec tunnel is capped at 500 Mbit/s, though, and can't go any higher. We've tested with some cheap Mikrotik routers and have achieved 800 Mbit/s.

I've tested with IPS, Advanced Security, Wifi, etc disabled on both clusters and there has been no difference to performance. 

I've had a ticket open with Sophos support for a couple of months, and now the tier 3/developer support are telling me 500 Mbit/s is the cap.

Has anyone been able to get better than 500mbits IPSEC performance from a UTM? 

Thanks in advance.



  • Hello Mark,

    Thank you for contacting the Sophos Community!

    Could you please share the Case ID!

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    The reference is [ ref:_00D301GN6a._5003Z18HRNF:ref ]. Overnight it has been escalated to a number of teams, but I thought that someone might be able to confirm they've achieved those speeds with a UTM.

    Thanks,

    Mark

  • Hi Mark - first post? - welcome to the UTM Community!

    Haven't tried, but at least let's look at some things.  Please show a picture of the Edit of the IPsec Policy you're using.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, thanks for the welcome and for your help. We have tried a couple of policy combinations, but not extensively. Our current configuration is below:

    Initiating site (SG310 Rev 1, firmware 9.705-3, pattern 192986):

    (screenshot of the IPsec policy settings not preserved)

    Receiving site (SG450 Rev 1, firmware 9.705-3, pattern 192986):

    (screenshot of the IPsec policy settings not preserved)

    Many thanks for your help,

    Mark

  • Hello Mark,

    Thank you for the reference; actually, the Case ID is 03269472.

    I can see this was escalated to DEV and is being investigated under NUTM-12421.

    Regards,

    Emmanuel (EmmoSophos)
    At least you started with the best choice for speed among the standard policies.  I believe the processors in both units support AES-NI, so create a new Policy that uses "AES 128 GCM (128-bit)" for IPsec encryption.  I prefer to also use PFS when only using 128-bit encryption, so I would clone the "AES-128 PFS" Policy and make the new one look like:

    (screenshot of the suggested policy not preserved)
    What's your throughput with that?

    Cheers - Bob

    Hi Bob. Thanks for the suggestion. Using iperf3 with 20 threads to push the link, I'm seeing a touch under 500 Mbit/s:

    [ ID] Interval Transfer Bandwidth
    [ 4] 0.00-30.00 sec 89.6 MBytes 25.1 Mbits/sec sender
    [ 4] 0.00-30.00 sec 89.4 MBytes 25.0 Mbits/sec receiver
    [ 6] 0.00-30.00 sec 91.4 MBytes 25.5 Mbits/sec sender
    [ 6] 0.00-30.00 sec 91.2 MBytes 25.5 Mbits/sec receiver
    [ 8] 0.00-30.00 sec 88.1 MBytes 24.6 Mbits/sec sender
    [ 8] 0.00-30.00 sec 88.0 MBytes 24.6 Mbits/sec receiver
    [ 10] 0.00-30.00 sec 99.1 MBytes 27.7 Mbits/sec sender
    [ 10] 0.00-30.00 sec 98.9 MBytes 27.7 Mbits/sec receiver
    [ 12] 0.00-30.00 sec 88.8 MBytes 24.8 Mbits/sec sender
    [ 12] 0.00-30.00 sec 88.6 MBytes 24.8 Mbits/sec receiver
    [ 14] 0.00-30.00 sec 45.1 MBytes 12.6 Mbits/sec sender
    [ 14] 0.00-30.00 sec 44.9 MBytes 12.5 Mbits/sec receiver
    [ 16] 0.00-30.00 sec 92.1 MBytes 25.8 Mbits/sec sender
    [ 16] 0.00-30.00 sec 91.9 MBytes 25.7 Mbits/sec receiver
    [ 18] 0.00-30.00 sec 92.6 MBytes 25.9 Mbits/sec sender
    [ 18] 0.00-30.00 sec 92.4 MBytes 25.8 Mbits/sec receiver
    [ 20] 0.00-30.00 sec 95.0 MBytes 26.6 Mbits/sec sender
    [ 20] 0.00-30.00 sec 94.8 MBytes 26.5 Mbits/sec receiver
    [ 22] 0.00-30.00 sec 94.1 MBytes 26.3 Mbits/sec sender
    [ 22] 0.00-30.00 sec 94.0 MBytes 26.3 Mbits/sec receiver
    [ 24] 0.00-30.00 sec 41.4 MBytes 11.6 Mbits/sec sender
    [ 24] 0.00-30.00 sec 41.2 MBytes 11.5 Mbits/sec receiver
    [ 26] 0.00-30.00 sec 30.2 MBytes 8.46 Mbits/sec sender
    [ 26] 0.00-30.00 sec 30.0 MBytes 8.40 Mbits/sec receiver
    [ 28] 0.00-30.00 sec 103 MBytes 28.7 Mbits/sec sender
    [ 28] 0.00-30.00 sec 102 MBytes 28.6 Mbits/sec receiver
    [ 30] 0.00-30.00 sec 37.1 MBytes 10.4 Mbits/sec sender
    [ 30] 0.00-30.00 sec 37.0 MBytes 10.3 Mbits/sec receiver
    [ 32] 0.00-30.00 sec 101 MBytes 28.1 Mbits/sec sender
    [ 32] 0.00-30.00 sec 100 MBytes 28.1 Mbits/sec receiver
    [ 34] 0.00-30.00 sec 38.5 MBytes 10.8 Mbits/sec sender
    [ 34] 0.00-30.00 sec 38.3 MBytes 10.7 Mbits/sec receiver
    [ 36] 0.00-30.00 sec 88.0 MBytes 24.6 Mbits/sec sender
    [ 36] 0.00-30.00 sec 87.8 MBytes 24.6 Mbits/sec receiver
    [ 38] 0.00-30.00 sec 91.8 MBytes 25.7 Mbits/sec sender
    [ 38] 0.00-30.00 sec 91.6 MBytes 25.6 Mbits/sec receiver
    [ 40] 0.00-30.00 sec 103 MBytes 28.7 Mbits/sec sender
    [ 40] 0.00-30.00 sec 103 MBytes 28.7 Mbits/sec receiver
    [ 42] 0.00-30.00 sec 91.4 MBytes 25.5 Mbits/sec sender
    [ 42] 0.00-30.00 sec 91.2 MBytes 25.5 Mbits/sec receiver
    [SUM] 0.00-30.00 sec 1.56 GBytes 447 Mbits/sec sender
    [SUM] 0.00-30.00 sec 1.56 GBytes 446 Mbits/sec receiver

    The reverse is a touch faster:

    [ ID] Interval Transfer Bandwidth
    [ 4] 0.00-30.00 sec 93.4 MBytes 26.1 Mbits/sec sender
    [ 4] 0.00-30.00 sec 93.3 MBytes 26.1 Mbits/sec receiver
    [ 6] 0.00-30.00 sec 81.2 MBytes 22.7 Mbits/sec sender
    [ 6] 0.00-30.00 sec 81.2 MBytes 22.7 Mbits/sec receiver
    [ 8] 0.00-30.00 sec 88.9 MBytes 24.9 Mbits/sec sender
    [ 8] 0.00-30.00 sec 88.8 MBytes 24.8 Mbits/sec receiver
    [ 10] 0.00-30.00 sec 102 MBytes 28.6 Mbits/sec sender
    [ 10] 0.00-30.00 sec 102 MBytes 28.6 Mbits/sec receiver
    [ 12] 0.00-30.00 sec 93.1 MBytes 26.0 Mbits/sec sender
    [ 12] 0.00-30.00 sec 93.0 MBytes 26.0 Mbits/sec receiver
    [ 14] 0.00-30.00 sec 91.9 MBytes 25.7 Mbits/sec sender
    [ 14] 0.00-30.00 sec 91.8 MBytes 25.7 Mbits/sec receiver
    [ 16] 0.00-30.00 sec 43.4 MBytes 12.1 Mbits/sec sender
    [ 16] 0.00-30.00 sec 43.3 MBytes 12.1 Mbits/sec receiver
    [ 18] 0.00-30.00 sec 91.4 MBytes 25.6 Mbits/sec sender
    [ 18] 0.00-30.00 sec 91.4 MBytes 25.6 Mbits/sec receiver
    [ 20] 0.00-30.00 sec 105 MBytes 29.4 Mbits/sec sender
    [ 20] 0.00-30.00 sec 105 MBytes 29.4 Mbits/sec receiver
    [ 22] 0.00-30.00 sec 81.2 MBytes 22.7 Mbits/sec sender
    [ 22] 0.00-30.00 sec 81.2 MBytes 22.7 Mbits/sec receiver
    [ 24] 0.00-30.00 sec 87.4 MBytes 24.4 Mbits/sec sender
    [ 24] 0.00-30.00 sec 87.3 MBytes 24.4 Mbits/sec receiver
    [ 26] 0.00-30.00 sec 85.8 MBytes 24.0 Mbits/sec sender
    [ 26] 0.00-30.00 sec 85.7 MBytes 24.0 Mbits/sec receiver
    [ 28] 0.00-30.00 sec 85.2 MBytes 23.8 Mbits/sec sender
    [ 28] 0.00-30.00 sec 85.2 MBytes 23.8 Mbits/sec receiver
    [ 30] 0.00-30.00 sec 78.5 MBytes 22.0 Mbits/sec sender
    [ 30] 0.00-30.00 sec 78.5 MBytes 21.9 Mbits/sec receiver
    [ 32] 0.00-30.00 sec 93.5 MBytes 26.1 Mbits/sec sender
    [ 32] 0.00-30.00 sec 93.5 MBytes 26.1 Mbits/sec receiver
    [ 34] 0.00-30.00 sec 85.8 MBytes 24.0 Mbits/sec sender
    [ 34] 0.00-30.00 sec 85.7 MBytes 24.0 Mbits/sec receiver
    [ 36] 0.00-30.00 sec 84.1 MBytes 23.5 Mbits/sec sender
    [ 36] 0.00-30.00 sec 84.1 MBytes 23.5 Mbits/sec receiver
    [ 38] 0.00-30.00 sec 79.8 MBytes 22.3 Mbits/sec sender
    [ 38] 0.00-30.00 sec 79.7 MBytes 22.3 Mbits/sec receiver
    [ 40] 0.00-30.00 sec 84.1 MBytes 23.5 Mbits/sec sender
    [ 40] 0.00-30.00 sec 84.0 MBytes 23.5 Mbits/sec receiver
    [ 42] 0.00-30.00 sec 83.5 MBytes 23.3 Mbits/sec sender
    [ 42] 0.00-30.00 sec 83.5 MBytes 23.3 Mbits/sec receiver
    [SUM] 0.00-30.00 sec 1.68 GBytes 481 Mbits/sec sender
    [SUM] 0.00-30.00 sec 1.68 GBytes 481 Mbits/sec receiver

    Thanks,

    Mark

  • Thanks for sharing that, Mark.  I had expected a significant improvement.  Emmanuel, can we get an explanation?

    Cheers - Bob

    Hi, (a bit off-topic, but related to the throughput issues on this thread.)

    I will set up a Sophos UTM VM later, but one thing: is AES-NI actually being used on UTM?

    Related to this, on Sophos XG the AES-NI modules are loaded by the kernel, but none of the software actually uses it.

    More info at: https://community.sophos.com/xg-firewall/f/discussions/119782/hardware-acceleration-aes-ni-isn-t-being-used-on-the-software-version-of-xg-v18

    Thanks!


    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home
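The two open points in this thread are whether a GCM policy actually changes which crypto code the tunnel runs (Bob's suggestion) and whether AES-NI is being used at all (the last post). On a Linux-based appliance both can be checked from two kernel views: /proc/crypto lists every registered implementation of an algorithm with its driver, module and priority, and the kernel selects the highest-priority driver for a given algorithm name; `ip -s xfrm state` shows which algorithm names the negotiated SAs actually use. The script below is an added example, not code from the thread, from Sophos or from the UTM product; it assumes shell access to the appliance kernel (or a captured copy of those two outputs) and uses constructed sample data for both files. The idea it demonstrates is general: an `aesni_intel` kernel module being loaded says nothing until an `aesni` driver wins the priority selection for the exact algorithm name the SA negotiated, and an HMAC-SHA SA is never covered by AES-NI in any case.

```python
"""Check which kernel crypto driver backs the algorithms an IPsec SA uses.

Added example (not from the thread, from Sophos or from the UTM product).
Assumption: the appliance exposes a Linux kernel view where /proc/crypto lists
every registered implementation (name, driver, module, priority) and the
kernel picks the highest-priority driver for an algorithm name, so the AES-NI
module only helps if an aesni_intel driver wins that selection for the
algorithm the SA actually negotiated.
"""
import re
from collections import defaultdict

# Constructed excerpt of /proc/crypto from a CPU with AES-NI. A real file lists
# many more entries; only the fields the check needs are shown here.
PROC_CRYPTO_SAMPLE = """\
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aesni
module       : aesni_intel
priority     : 400
refcnt       : 2
selftest     : passed
type         : aead

name         : gcm(aes)
driver       : gcm_base(ctr(aes-generic),ghash-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : aead

name         : cbc(aes)
driver       : cbc-aes-aesni
module       : aesni_intel
priority     : 400
refcnt       : 1
selftest     : passed
type         : skcipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : skcipher

name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
type         : shash
"""

# Constructed `ip -s xfrm state` output: one AES-GCM SA and one AES-CBC+HMAC SA.
# Addresses, SPIs and keys are placeholders, not from any real tunnel.
XFRM_STATE_SAMPLE = """\
src 192.0.2.10 dst 198.51.100.20
\tproto esp spi 0x0a1b2c3d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff01020304 128
src 198.51.100.20 dst 192.0.2.10
\tproto esp spi 0x4d3c2b1a reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 128
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
"""


def parse_proc_crypto(text):
    """Return {algorithm name: [{driver, module, priority, refcnt}, ...]}."""
    impls = defaultdict(list)
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "name" in fields and "driver" in fields:
            impls[fields["name"]].append({
                "driver": fields["driver"],
                "module": fields.get("module", "kernel"),
                "priority": int(fields.get("priority", "0")),
                "refcnt": int(fields.get("refcnt", "0")),
            })
    return impls


def selected_driver(impls, algo):
    """The implementation the kernel would pick for `algo`: highest priority wins."""
    candidates = impls.get(algo)
    if not candidates:
        return None
    return max(candidates, key=lambda i: i["priority"])


def sa_algorithms(xfrm_text):
    """Algorithm names per SA (keyed by SPI) from `ip xfrm state` output."""
    sas = {}
    spi = None
    for line in xfrm_text.splitlines():
        m = re.search(r"\bspi (0x[0-9a-f]+)", line)
        if m:
            spi = m.group(1)
            sas[spi] = []
            continue
        m = re.match(r"\s*(aead|enc|auth-trunc|auth)\s+(\S+)", line)
        if m and spi:
            sas[spi].append(m.group(2))
    return sas


def audit(xfrm_text, proc_crypto_text):
    """For each SA, resolve every algorithm to the driver the kernel would use."""
    impls = parse_proc_crypto(proc_crypto_text)
    report = {}
    for spi, algos in sa_algorithms(xfrm_text).items():
        details = []
        for algo in algos:
            chosen = selected_driver(impls, algo)
            details.append((algo,
                            chosen["driver"] if chosen else None,
                            bool(chosen and chosen["module"] == "aesni_intel")))
        report[spi] = {
            "algorithms": details,
            # hmac(sha*) never runs on AES-NI, so a CBC+HMAC SA is at best partly
            # accelerated; GCM folds authentication into the AES-NI path.
            "all_aesni": all(hw for _, _, hw in details),
        }
    return report


if __name__ == "__main__":
    for spi, info in audit(XFRM_STATE_SAMPLE, PROC_CRYPTO_SAMPLE).items():
        print(spi, "all on aesni_intel" if info["all_aesni"] else "NOT all on aesni_intel")
        for algo, driver, hw in info["algorithms"]:
            print("   ", algo, "->", driver, "(aesni)" if hw else "(software)")
```

On a live box you would feed `audit()` the real text of `cat /proc/crypto` and `ip -s xfrm state` instead of the samples. If the GCM SA resolves to an aesni driver and the throughput ceiling does not move, the limit is somewhere other than the cipher (for instance single-core packet processing or the ESP path), which is the kind of evidence worth attaching to a support case.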