UTM 9 & slow upload speeds

Have you tried to disable IPS (then reboot or restart the httpd service)?

Yes.  Seen that in a post.  
- no QOS implemented
- the SSL/VPN users group (definition) is not part of the IPS.  (creating exceptions for does nothing of course)
- when downloading the IP is not mentioned in the firewall or IPS logs
- there is only one WAN interface defined (IE:  VPN, internet, etc go through the one WAN link)

Ironically we have a offsite backup site we use which can do 100Mbps and does no problem. Downloading from the internet has great speeds. 

So I'm a bit perplexed why this cap on the upload speed.  But I was brought into this setup 3 months ago with no prior IT admin.  The only thing I did not try was adding the SSL users group to the Advanced Threat Protection exception.  But this would imply that I see this in the logs, which I do not.

Can I assume that if I did a ssh / test internet speed that rules out all config issues in the GUI?   (the SSH download from the firewall bypasses all rules/IPS, etc.)

That would be one of the first things to try so you can rule the UTM in or out first. I haven't heard about anything bypassing the firewall like SSH before.  

I didn't see it in your posts at all - is this a Sophos hardware appliance or do you have a different hardware device? If it is your own computer, what is the NIC you have installed?  (Please don't say Realtek, lol).

The setup is dual/redundant SG330.  The outside interface would be the ISP equipment and the inside is the Cisco network.

dual/redundant = HA mode, yes?  I would really try a connection not behind the UTM to make sure it's not your ISP.  They have been known to do stupid things like this.

Hi John and welcome to the UTM Community!

I like to set up the SSL VPN using UDP instead of TCP, but that's not practical for you at this point.

If you don't have a load balancer or other device between you and the ISP connection, try configuring an IPsec (L2TP/IPsec or pure IPsec) connection - any better throughput with that?

I suspect that you will find something in the SSL VPN log, but with that many users, you might need to access in the middle of the night to be able to see the problem.

If you haven't already done so, you will want to open a case with Sophos Support.  Since first level is usually from India, they should easily be able to do an SSL VPN session at 3 AM your time.

Cheers - Bob

Hi.  
I can't setup a less secure VPN due to the nature of the business and their security requirements. 
I did try to bypass the firewall but had no luck and can't see that making a difference anyways.  The speed of the internet is fine through the firewall (down/up).  The speed of our backups offsite reaches 100+Mbps through the firewall.  There's obviously nothing wrong with the internet speed, just an issue with the VPN internet speed.  

I'll open a ticket but any additional ideas you can think of please let me know.  Not sure I will enjoy the initial steps of dealing with initial support (India) as they may want to take steps I cannot do & then close the issue if I cannot perform those steps (IE: Try UDP protocol vs. TCP).  

But having an uplink of 1.5Mbps max (out of 300Mbps) is crazy.  The other forum posts I read with similar security requirements were seeing 50-100Mbps speeds with the security overhead.  1.5Mbps seems like it should be an obvious issue here.  

VPN is using: 
TCP Protocol 443
AES-192-CBC
SHA1
1024 bit
Local 509 Cert.

I tried turning on SSL VPN compression, no luck
I tried looking in the firewall / IPS / live logs at night for my IP to be flagged (or firewall flag) while downloading and nothing shows.  Obviously the download/upload works and is not flagged, it's actually being allowed.  I would expect to see something in the IPS log, but nothing.

UDP flood protection is not on for VPN SSL (part of IPS)
QOS is disabled
VPN SSL Pool is not included in IPS scope (adding exceptions makes no difference)
Uplink Monitoring is disabled
Download Throttling is disabled

Web Filtering is turned on for SSL VPN but I can't see this slowing download speeds. The only item I can think of is that we do not have SSL VPN listed in Advanced Threat Protection for exceptions. Would this make a difference?

One colleague mentioned that this is how Sophos VPN works when you have this many users; splits up bandwidth for each user connected, but I can't see this being a "thing".  

Suggestions Welcome...

I did find that this VPN group is listed as a Policy Route.  Is this required?   It just has a rule saying any All VPN Users / any service / any destination , send to internal target interface.   This seems redundant and not needed.

I would have to agree - it seems unneeded, and really ignores the entire purpose of the firewall (Any service, Any destination).  Unless they need to be routed to a specific place, you would use this.  Otherwise, all they really need (if they are internal users with appropriate access to internal servers) is the DNS Global Network allowance (Network Services > DNS > Global tab > Under Allowed Networks) so they can utilize DNS instead of relying upon IP addresses when navigating.

What happens if you disable that Policy Route?

What does Sophos Support say about this?  They won't close your case if you can't try something that might compromise your client.  Since you're in North America, requesting escalation will likely move your case to the Sophos office in Vancouver.

Cheers - Bob

Hi, 

Will have to wait till the maintenance window to try disabling the Policy Route, but I am doubtful on it making a difference.  
Submitted a ticket recently and waiting on a response.  Any steps they want to take will most likely have to wait till the maintenance window as well (18th). 

To respond to this if anyone is reading it.  Submitted ticket, Sophos Level 1 has been working on it for weeks now, but no real progress.  We verified the VPN speed is 1.5Mbps max, and connection speed test via command line (bypass firewall / Sophos command line) was 20Mbps max.  Site has a 300Mbps dedicated connection.   They have escalated it to level 2.   They had me upgrade the client = no fix.   They want me to upgrade the firmware on the units but the release notes say nothing about fixing this issue.   I can't switch security settings (use UDP etc.) and we have 70-100 users on this VPN everyday.   So... still work in progress. 

To respond to this if anyone is reading it.  Submitted ticket, Sophos Level 1 has been working on it for weeks now, but no real progress.  We verified the VPN speed is 1.5Mbps max, and connection speed test via command line (bypass firewall / Sophos command line) was 20Mbps max.  Site has a 300Mbps dedicated connection.   They have escalated it to level 2.   They had me upgrade the client = no fix.   They want me to upgrade the firmware on the units but the release notes say nothing about fixing this issue.   I can't switch security settings (use UDP etc.) and we have 70-100 users on this VPN everyday.   So... still work in progress.