This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SG430 10GB Fiber Link Slow Throughput

I have been struggling with my SG430's fiber connection to my ISP where we have purchased 1GBps throughput on a dedicated 10GBps port, with bandwidth policers. The SG is connected directly to a Cisco switch not 100 feet below me. I am using an Intel E10G SFP LR GBIC with a Sophos SG Series FlexiPort module. Machine is running 9.407-3The following services are active:

  1. Firewall
  2. IPS
  3. Network Visibility
  4. Wireless Protection with 10AP's
  5. Site to Site VPN (one connection)
  6. WAF
  7. ATP

Turning off IPS and ATP got me up to 215Mbps up and 300MBps down.

I have not configured QoS, and we have approximately 80 users with two devices (company issued and one personal device- 160 devices total, at least; 180 at most). My SG is probably not getting above 14% of its available 16G RAM, CPU hasn't gotten over 8% and it has only been in production for about 2 weeks, so nothing to report as far as log disk or  data disk. I have made changes to match the MTU and port speeds on all the interfaces (Cisco in front and Cisco behind the SG). My port settings are 1000 full, no auto negotiation for the internal interfaces, and 1000 full, auto negotiation at the edge (more on this below). I have checked a couple of times with the carrier, and we should be getting about 820-900MBPS when I connect my laptop directly, up/down, but we are only pushing about 160 up/down through the UTM. That only improved after I noticed in the shell that my internal interface was advertising 1000M full auto, but when i logged into the shell, it was only set for 100M full auto negotiating. Changing it to 1000M Full no Auto Negotiation improved my bandwidth, but I am still way off my mark.

Lastly, when I tried to change the speed to 10000 and auto-negotiating settings through the GUI, I received the error message "The ethernet interface hardware object requires one of certain fixed strings for the speed attribute."

When a Sophos engineer tried to do the same remotely, he also received the same error message.

We currently have a case open with Sophos regarding the issue.

Questions:

  1. has anyone ever seen this issue or error before?
  2. am I required to reboot the SG after an MTU change?
  3. I have read that if I make setting interface changes through the shell, those changes are not committed after the SG reboots (and it will be rebooted, inevitably), is this true?As

As always, any help is appreciated. Thank you in advance!

 

 

 


This thread was automatically locked due to age.
  • Hi, Hamilton, and welcome to the UTM Community!

    1. Yes to the issue, no to the error message you cited.  Are you certain that you have an SFP module capable of 10Gb?
    2. No.
    3. It depends.  Given your level of UTM experience, I'd be hesitant to be making any changes at the command line without direction from Sophos Support.

    Consider #7.2 through #7.7 in Rulz first.  I don't know if you can use a 10Gb setting for the fixed speed, but I can confirm that fiber connections to Cisco switches are often faster and more robust when fixed speed and duplex are specified.

    If you have IPS (Snort) active and are testing from a single workstation, be aware that Snort is single-threaded and that you won't get much better than your results with a single-threaded test like speedtest.net.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, Bob!

    Yes, the SFP we received from Sophos is a dual NIC 10GBps fiber interface SFP. we are only using one slot.

    I looked at the RULZ an went through them before starting a support case. I did have to make an adjustment to the MTU on the fiber connection as it was set to default 1500. changed it to 9800 to match the Cisco switch, and I got an immediate improvement of about 70Mbps. I also tested downloads directly from the external interface using the following:

    wget --no-check-certificate -O - https://raw.github.com/ sivel/speedtest-cli/master/speedtest_cli.py | python

    that test came back with bandwidth around 890Mbps down, and 250Mbps up.

    since the interface's speed is actually working as intended (with the services I have running, it was expected that I would have a loss of throughput due to the CPU cycles used by the services, so 890-850Mbps is ok with me), I will focus on the other interfaces working the way that they should be working, to include speed and duplex.

    I am going through each interface in the internal LAN to ensure that anything connected to non-cisco devices has the settings set for 1000Mbps full no auto-negotiation. I may still have one last tweak to go, but I am hopeful that perhaps if Sophos can get the error resolved, that will be the last step to get this working.

    Again, Thank you for your suggestions.

     

  • In my experience, it's only the ISP's Cisco fiber switches that manage an entire building that have this idiosyncrasy.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I wanted to follow up to let you know that this issue has been verified and confirmed by Sophos' Level 3 Technical Support. They investigated and verified the issue on my device where the speed and duplex settings in the web console and in the shell didn't match. They were able to reproduce it in a lab environment, and will be releasing a new kernel to correct this issue in a future version of UTM software.

    Thank goodness I wasn't losing my mind. Have a wonderful holiday season everyone!