Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 15 replies
  • Subscribers 3 subscribers
  • Views 5627 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC between multiple sites very slow

mjpmotw

We are running several Sophos UTM with the 9.7 firmware: SG330 (HA), SG230 (HA), 4xSG115 and about 8 x RED15. All sites have ISP between 25/100 and 1000/1000 (main office).

They are all connected using IPSEC or the RED Interfaces forming a hub and spoke connection (any site goes to any site).

As all sites need to reach all sites, we have only one tunnel configured between each site, but to reach across, we had to add local networks creating around 50 IPSEC connections on the hub.

 

PROBLEM:

For several weeks, we are encountering very slow IPSEC traffic between those sites. Only between 3-5 MBit/s instead of 25-300 MBit/s as before and as expected.
Review the firewall history we couldn't identify a suspious change. Users report that the issue started in December. 

We have tried to isolate the problem but failed. We have tested the following changes:

IPS, ATP, Web filter, Country blocking
Any actions in these Modules on/off have no effect on the performance in the tunnel. IPS had all local and remote subnets in the exception lists.

Firewall
All RED and all IPSEC tunnels create an exception rule via automatic firewall rules.

MTU
Set to 1500 for all WAN interfaces, all direct internet connections are fast according to "real data transfer" and iperf. Only the IPSEC tunnel ist slow.

CPU Load
The sg115 are rather weak but there is no CPU spike or lag. We had IPSEC with 300/300 about a year ago with the same hardware.

Routing
We could rebuild the hub/spoke with routing instead of many IPSEC tunnels (currently over 50 tunnels).

UTM RED
We didn't try this yet but we could replace the IPSEC connections with UTM-RED connections, with manual routing and firewall rules.

IPSEC VPNID
We are using the VPN ID = public DNS (public IP) of each site.

IPSEC Compression and Policies
Tunnel Compression and different policies AES128/256 etc. have no effect.

IPSEC MTU path discovery
We have set the MTU path discovery for all IPSEC connections on both sides.

IPSEC initiate/respond
According to Sophos, the branch offices should initialize.

Dedicated WAN
The main office has two WAN connections so we are using the uplink interface and the bind-to-interface-option in multipathing as recommended for availability reasons. We could simply set this to one interface.

Firmware up/down
We took a spare sg115 and downgraded from 9.7 to 9.6 with no effect.

Sophos Case
We have escalated the case to Sophos. They are very helpful but the support was unable to identify a root cause for this slow tunnel behavior.

Any other ideas?



This thread was automatically locked due to age.
Parents Reply Children
No Data
Unfiltered HTML