VPN speed fluctuation after hardware upgrade

Hi CF,

Verify the bandwidth received by individual ends. To check this on the UTM, take SSH to the UTM and log in as root, refer to, Accessing UTM via SSH. Download a test file using the wget --no-check-certificate -O, command and check what bandwidth does the UTM receive. 

Thanks,

@sachingurung

I notice this too on my l2tp/ipsec vpn.  When connected to the vpn and IPS is enabled, speed tests (speetest.net for example) is at full speed, but transfers from non internet sources (subnets behind the utm) are throttled.

Looking at top while ssh'd into the utm shows snort at heavy cpu even through an ips exception has been established.  In fact, I see a very similar speed graph develop where it starts out fast then falls on its face.  Details in this thread: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/101357/windows-file-sharing-over-l2tp-ipsec-vpn

I'm not sure if the OP's and my issues are related, the symptoms seem similar.

Hi Jay Jay, I just read your topic, I have 3 different mtu's /lan 1500, fiber 1492, vpn 1380/ so that could be a problem, but on the other hand it was the same with the original cheap realtek nics and I had three times the download speed I have now. Unfortunately I see the same low numbers with speedtest too.   

Hi Jay Jay, I just read your topic, I have 3 different mtu's /lan 1500, fiber 1492, vpn 1380/ so that could be a problem, but on the other hand it was the same with the original cheap realtek nics and I had three times the download speed I have now. Unfortunately I see the same low numbers with speedtest too.   

^^IPS is a tricky thing.  I had to make a separate exception (which is being honored) to ignore certain speed test site traffic.  Otherwise my fiber gigabit speeds became more like 300-400 mbps.  This apply to both vpn and non vpn traffic. 

In addition, because the vpn was using udp, another exception had to be added to ignore udp flooding (which caused significant slow downs on the vpn).

Perhaps you had something similar like this defined before but these did not carry over because of the NIC changes¿?

The MTU issue was something I discovered with IPS and flood monitoring was disabled.  Vpn speeds were still poor.  In fact, having these disabled altogether would be a good starting point for establishing baseline. Otherwise too many factors complicate isolating the issue.  Right now, I have mtu at 1472 on everything (gateway, lan and wan interfaces).  My only remaining issue is trying to get snort to ignore vpn client <> local network traffic.

Thanks for the tips, I modified the exception list by adding not just the services but also the whole l2tp network to it and now I see the 150+Mbit speeds again..:) I don’t know what changed, how it worked before and why I received the low scores even when everything was turned off but I can live with these results. Now my CPU seems to be the limiting factor, snort and afcd are at 90 and 80 percent while running speedtest.