Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 15 replies
  • Subscribers 7 subscribers
  • Views 23165 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Slow large file copies via file-share, but fast if using http (both with IPSEC VPN)

ShadGates

I am experiencing bad performance using Windows Server 2016 to copy backup files across an IPSEC VPN.  The files I'm copying are large (12GB) database backup files.

When using windows to copy the files via shared folder, I get sporadic transfer bouncing between zero and 7+MB/s, averaging around 2MB/s.  When I do the same copy, via http, I get a fairly steady 7+MB/s.

 

Does anyone have any suggestions how to get windows file-copy performance up to something reasonable?

Environment:

"Source"

Physical Windows Server 2008R2 (6-core Xeon, 12GB RAM, Intel GB NIC) behind Sophos SG-230 hardware.

"Destination"

VMWare VCloud VM (hosted by commercial datacenter) Windows Server 2016 (2x 6-core CPUs, 16GB RAM, SSD over fiber) behind a VM running Sophos UTM-9 from 64-bit ISO (8-core CPU, 12GB RAM, VMXNET3 NIC on LAN port, Intel E1000 NIC on WAN)

--- Swapped out the Intel nic on the LAN port as a test, no difference...

Sometimes it gets stuck at zero transfer rate for long enough that the copy crashes with error:

"An unexpected error is keeping you from copying the file.  If you continue to receive this error, you can use the error code to search for help with this problem.  Error 0x8007003B: An unexpected network error occurred."

I've gone through BAlfson's Rulz, as I've seen referenced on other such problems, and find no smoking guns... though I'm not the best at reading the firewall logs... I verified I'm not doing anything that violates the non-log rules.

Any suggestions appreciated.

Shad



This thread was automatically locked due to age.
  • 0 in reply to giomoda

    Great insight, Giovani - I hadn't considered asking about which IPsec Policy was in use.  Honestly, depending on the Policy and the underlying hardware, IPsec can be faster or slower than RED.  I don't know if the RED technology takes advantage of it, but the SSL VPN will using the default AES-128-CBC.  AES 128 GCM will be from 50% to 100% faster than AES-128-CBC, depending on the underlying CPU (AES-NI SSL Performance).  Here's what I like to use where there's hardware support for AES-NI:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Bob, that's some top shelf knowledge right there, as usual. I shall review my concepts.

    Regards,

    Giovani

  • 0 in reply to BAlfson

    Gentlemen:

    I've swapped out all of the NICs in that cloud environment to VMXNET3, no more E1000s on any of the VMs.  This didn't help, but it did trigger the VMWare VCloud Director's Edge Gateway to actually start enforcing it's 100Mbps throttle... I had to contact the datacenter and have them bump that back up to 1000Mbps.   Speedtest.net shows about 230Mbsp up and down from the receiving side of the copy and we get around 300Mbps up and down on the sending side, other speed testing sites show similar numbers (just for ball-park, not expecting them to be horribly accurate beyond showing what order of magnitude we're lying within).

    After the updating of the NICs, the robocopy is getting about 25Mbps.  During the transfer, the Sophos VM is bumping along between 0-2% CPU utilization, and abotu 25% RAM usage...

    The low CPU utilization makes me think the encryption overhead isn't much of a factor, but maybe some profiles are heavier on the wire than others, stealing bandwidth?

    Presently, the IPSec VPN is using AES-256, which is configured as:

    The remote gateway's advanced options are:

     

    Would changing the IPSec VPN policy result in significantly faster transfers, or just a couple percent?  As it is, we're getting just over 10% of actual throughput... seems like 90% overhead is steep by any measure... what else could be causing this to be so slow?

  • 0 in reply to ShadGates

    I would not expect an increase in speed.  I really think you are likely topping out the performance of SMB over a high latency VPN at 25mbps.  It is really not a protocol made for WAN links.  I know that is not what you want to hear, but I think it is as good as it will get for you.

  • 0 in reply to ShadGates

    From what I've read, AES 256 has about 40% more overhead than AES 128.  I think AES 128 PFS is more secure than plain AES 256, especially since reading a few years ago that there's a vulnerability in AES 256 (don't remember now what it was).

    I would definitely select 'Support path MTU discovery' in the Remote Gateways on both sides.

    Have you tried an Exception for Intrusion Prevention on each side for traffic coming from subnets on the other side?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML