[9.201-23] Very slow and/or broken browsing.

Even though this is a somewhat old thread, I feel compelled to reply since I found the thread when trying to track down problems very similar to the OP, but as it turns out, the solution (or at least what seems to be the solution) is different to any concrete suggestion that I could find here and in other similar threads. Perhaps it was something fundamental and too trivial for experienced users to bring up, but for a new user it took me some time to figure out.

The common thing between my case and the case for the OP and of similar threads was:

OP thread:

1. Very slow and/or broken browsing. (Though for me, this was intermittent).

2. Operating in transparent mode.

3. In Australia.

Commonality with some other similar threads:

1. Running Sophos as a virtual machine.

Other general details of my setup:

1. My virtual machine is using two virtual networks bridged to the actual NICs and two virtual NICs that map to each of the virtual networks. The real NICs are Intel and Realtek. (I noticed threads on possible bugs with the Intel NICs, but mine was not the same model that I can ascertain).

Things I tried to try to resolve the problem:

1. Toggled on/off the following Sophos features.
   1. Web filtering
   2. Virus scanning (including changing from dual to single then to none).
   3. Turning off (temporarily) the firewall (by using an Any --> Any --> Any rule).
   4. Country blocking (though I ultimately decided to leave that off).
   5. Spoof protection
   6. Intrusion Prevention (including reviewing attack patterns in use).
   7. Anti-portscan
2. Tried switching from the SXL content filtering database to a local in memory version (using cc set http sc_local_db mem).
   1. A number of times this appeared to be the solution, each time, later, the problem returning. (As it turns out knowing the eventual solution, it makes sense that it seemed to help). My final solution, however, was not to use this; I am using SXL again.
3. Going over my hardware setups with a fine toothed comb.
   1. Swapped hardware around, triple checked network configuration.
   2. Tried different network configurations.
4. Checking Sophos logs such as for IPS, web filter (when it was on) and hardware utilization. (Both CPU and memory usage are very good as the VM runs on a capable base system).

After a long while (probably about a week) of beating my head against this, and with the wife and kids threatening mutiny and to contact Sophos personally, I stumbled on to the fact that when the web browsing experience was poor, my ping times to my ISPs DNS were extremely high (near on 3000ms). Long story short (this is already long enough) I was able to reproduce this by running an upload speed test on one machine and doing a tracert on a different machine. For the duration of the upload test I would incur the high ping.

I managed to narrow down the actual cause by reviewing network usage logs and correlating that back to the times I knew the problem happened and betting that some device on my network was hammering the uplink at certain times of the day. (My uplink by the way, being in Australia, is a miserable 1Mbps, so saturation is not hard). Turns out that the device was an iPhone and it seems it was doing this as soon as it came back in range with my wireless network.

The solution, (though I only implemented this 12 hours ago, so I need more time to be absolutely certain) seems to be the QoS settings in Sophos. Somewhat ironically I was thinking about reading up on the QoS features of Sophos and implementing whatever was recommended, until I was distracted with this web surfing issue!

To the best of my understanding of the problem and its solution, when I introduced Sophos UTM into my network, and did not specify the down/up link bandwidth, I removed the ability of my network to implement any QoS (presumably the router upstream of Sophos was stripped of the necessary context?) and so the uplink saturation caused problems whereby ping and other similar packets got queued behind other traffic, thus degenerating the web browsing experience until it was unusable.

Simply by telling Sophos my External (WAN) bandwidth limits, and enabling "Limit uplink", "Limit downlink" and "Upload optimizer" I seem to be back in business again and have averted any physical harm from my family!

So I am throwing this out there, in the hope that any other users new to Sophos, and perhaps challenged in terms of network configuration experience like myself, may have an extra thing to consider when/if trying to diagnose similar problems.

Even though this is a somewhat old thread, I feel compelled to reply since I found the thread when trying to track down problems very similar to the OP, but as it turns out, the solution (or at least what seems to be the solution) is different to any concrete suggestion that I could find here and in other similar threads. Perhaps it was something fundamental and too trivial for experienced users to bring up, but for a new user it took me some time to figure out.

The common thing between my case and the case for the OP and of similar threads was:

OP thread:

1. Very slow and/or broken browsing. (Though for me, this was intermittent).

2. Operating in transparent mode.

3. In Australia.

Commonality with some other similar threads:

1. Running Sophos as a virtual machine.

Other general details of my setup:

1. My virtual machine is using two virtual networks bridged to the actual NICs and two virtual NICs that map to each of the virtual networks. The real NICs are Intel and Realtek. (I noticed threads on possible bugs with the Intel NICs, but mine was not the same model that I can ascertain).

Things I tried to try to resolve the problem:

1. Toggled on/off the following Sophos features.
   1. Web filtering
   2. Virus scanning (including changing from dual to single then to none).
   3. Turning off (temporarily) the firewall (by using an Any --> Any --> Any rule).
   4. Country blocking (though I ultimately decided to leave that off).
   5. Spoof protection
   6. Intrusion Prevention (including reviewing attack patterns in use).
   7. Anti-portscan
2. Tried switching from the SXL content filtering database to a local in memory version (using cc set http sc_local_db mem).
   1. A number of times this appeared to be the solution, each time, later, the problem returning. (As it turns out knowing the eventual solution, it makes sense that it seemed to help). My final solution, however, was not to use this; I am using SXL again.
3. Going over my hardware setups with a fine toothed comb.
   1. Swapped hardware around, triple checked network configuration.
   2. Tried different network configurations.
4. Checking Sophos logs such as for IPS, web filter (when it was on) and hardware utilization. (Both CPU and memory usage are very good as the VM runs on a capable base system).

After a long while (probably about a week) of beating my head against this, and with the wife and kids threatening mutiny and to contact Sophos personally, I stumbled on to the fact that when the web browsing experience was poor, my ping times to my ISPs DNS were extremely high (near on 3000ms). Long story short (this is already long enough) I was able to reproduce this by running an upload speed test on one machine and doing a tracert on a different machine. For the duration of the upload test I would incur the high ping.

I managed to narrow down the actual cause by reviewing network usage logs and correlating that back to the times I knew the problem happened and betting that some device on my network was hammering the uplink at certain times of the day. (My uplink by the way, being in Australia, is a miserable 1Mbps, so saturation is not hard). Turns out that the device was an iPhone and it seems it was doing this as soon as it came back in range with my wireless network.

The solution, (though I only implemented this 12 hours ago, so I need more time to be absolutely certain) seems to be the QoS settings in Sophos. Somewhat ironically I was thinking about reading up on the QoS features of Sophos and implementing whatever was recommended, until I was distracted with this web surfing issue!

To the best of my understanding of the problem and its solution, when I introduced Sophos UTM into my network, and did not specify the down/up link bandwidth, I removed the ability of my network to implement any QoS (presumably the router upstream of Sophos was stripped of the necessary context?) and so the uplink saturation caused problems whereby ping and other similar packets got queued behind other traffic, thus degenerating the web browsing experience until it was unusable.

Simply by telling Sophos my External (WAN) bandwidth limits, and enabling "Limit uplink", "Limit downlink" and "Upload optimizer" I seem to be back in business again and have averted any physical harm from my family!

So I am throwing this out there, in the hope that any other users new to Sophos, and perhaps challenged in terms of network configuration experience like myself, may have an extra thing to consider when/if trying to diagnose similar problems.