
Packet dropped due to output saturation - UTM 9 SG230

One user is having issues with the SSL VPN. All other users are fine. I see the following in the VPN log: packet dropped due to output saturation. There also seems to be an issue with the DHCP address but I thought the UTM just assigned an address out of the pool. I suggested that he load it on a different computer. He is in Germany; all other users in US. The appliance is firmware 9.411-3.

Thx in advance



  • It seems this is telling you that you have a bandwidth problem.  Packet discard is normal in this situation.

    The problem must be on the overseas hop, since only this user is affected.

    If both ends have asymmetric line speeds, this could be the cause of chronic problems.  There is an IETF RFC on the subject, but I do not have the number handy right now.

    You may have an MTU and packet fragmentation problem as well.  Search the Cisco support site for MTU discovery and fragmentation.  I know that I have read good material there about these subjects.

  • You may be able to tell that the last post was done from my cell phone.

    I don't think this forum allows urls to be posted, so I have added spaces to the references below.  You can feel free to search on the title strings instead of reconstructing the web address.   The two Cisco articles appear to have similar content written about a year apart.   I think the first one will be most useful, but I have not taken the time to re-read them tonight.   My assumption is that the theory may be useful, even though any UTM remediation will need to be done with the help of Sophos support.

    • Compatible Systems Tech Notes: IP Fragmentation and MTU Path Discovery with VPN
      www . cisco . com /c /en /us /support /docs /routers /compatible-micro-router-series/17639-fragmentation . html
    • Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC
      www . cisco . com /c /en /us /support /docs /ip /generic-routing-encapsulation-gre/25885-pmtud-ipfrag . html
    • TCP Performance Implications of Network Path Asymmetry
      tools . ietf . org / html / rfc3449

    The Verizon website provides a "FIOS Optimizer" which implements client-level registry settings to optimize Windows PCs for path asymmetry.   Search Microsoft's website for this RFC and I think you will be able to find details about the registry settings which the FIOS optimizer configures.

  • Doug, you can find links and URLs on my Linkz post.  Do you think the IPsec articles relate to SSL VPN troubleshooting?

    I trust Doug's instinct here.  I would get the IP that the guy in Germany is coming from and check with tcpdump at the command line to see if there's fragmentation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
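
The tcpdump check suggested above, as an added example that is not part of the original thread: a capture filter for fragmented IPv4 packets and ICMP "fragmentation needed" replies, plus a summary of `tcpdump -nv` output. The client address 203.0.113.7, the file name `capture.pcap` and the sample lines are constructed placeholders.

```shell
#!/bin/sh
# Added example. 203.0.113.7 stands in for the remote client's public IP.

# BPF filter: fragmented IPv4 packets to/from one host, or any ICMP
# "fragmentation needed" (type 3, code 4) sent back by a router on the path.
frag_filter() {
    # ip[6:2] & 0x3fff != 0 -> More Fragments bit set or fragment offset > 0
    printf '(host %s and (ip[6:2] & 0x3fff != 0)) or (icmp[0] == 3 and icmp[1] == 4)' "$1"
}

# Summarise "tcpdump -nv" text read on stdin: fragment count, number of
# "need to frag" replies, and the smallest next-hop MTU they advertise.
frag_summary() {
    awk '
        /offset [0-9]+, flags \[/ {
            off = $0; sub(/.*offset /, "", off); sub(/,.*/, "", off)
            fl = $0;  sub(/.*flags \[/, "", fl); sub(/\].*/, "", fl)
            if (off + 0 > 0 || fl ~ /\+/) frags++      # [+] = More Fragments
        }
        /need to frag \(mtu [0-9]+\)/ {
            m = $0; sub(/.*\(mtu /, "", m); sub(/\).*/, "", m)
            needfrag++
            if (minmtu == 0 || m + 0 < minmtu) minmtu = m + 0
        }
        END { printf "fragments=%d frag_needed=%d min_mtu=%d\n", frags, needfrag, minmtu }
    '
}

# Constructed sample output (documentation addresses, invented ports and ids).
sample_capture() {
    cat <<'EOF'
10:00:00.000001 IP (tos 0x0, ttl 52, id 4711, offset 0, flags [+], proto UDP (17), length 1500)
    203.0.113.7.50000 > 198.51.100.2.443: UDP, length 1600
10:00:00.000002 IP (tos 0x0, ttl 52, id 4711, offset 1480, flags [none], proto UDP (17), length 148)
    203.0.113.7 > 198.51.100.2: ip-proto-17
10:00:00.100000 IP (tos 0x0, ttl 64, id 900, offset 0, flags [DF], proto TCP (6), length 1500)
    198.51.100.2.443 > 203.0.113.7.50001: Flags [.], seq 1:1449, ack 1, win 229, length 1448
10:00:00.150000 IP (tos 0xc0, ttl 250, id 100, offset 0, flags [none], proto ICMP (1), length 56)
    192.0.2.1 > 198.51.100.2: ICMP 203.0.113.7 unreachable - need to frag (mtu 1400), length 36
EOF
}

# On a saved capture (capture.pcap is a placeholder file name):
#   tcpdump -nv -r capture.pcap "$(frag_filter 203.0.113.7)" | frag_summary
sample_capture | frag_summary
```

A non-zero `fragments` count for only the affected client, or `frag_needed` replies advertising an MTU below the tunnel's packet size, points at the path MTU rather than the UTM itself.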