
SSL VPN Remote access really slow

I've been getting complaints lately that SSL speeds are really slow, so I started testing myself.

At work we have an SG330 with 9.705-3 connected to a 500/500 Mbps fiber connection.
At home I have a 1000/10000Mbps fiber connection.

Usually I use an IPSEC connection between home and work (at home through an XG firewall).

iperf output with the server on the UTM side, connected over my usual IPsec connection:

C:\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.45
Connecting to host 192.168.1.45, port 5201
[  4] local 172.16.16.100 port 55470 connected to 192.168.1.45 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  12.2 MBytes   103 Mbits/sec
[  4]   1.00-2.01   sec  12.2 MBytes   102 Mbits/sec
[  4]   2.01-3.00   sec  12.1 MBytes   103 Mbits/sec
[  4]   3.00-4.00   sec  11.9 MBytes  99.8 Mbits/sec
[  4]   4.00-5.00   sec  12.5 MBytes   105 Mbits/sec
[  4]   5.00-6.01   sec  12.2 MBytes   102 Mbits/sec
[  4]   6.01-7.00   sec  11.8 MBytes  99.1 Mbits/sec
[  4]   7.00-8.01   sec  12.8 MBytes   106 Mbits/sec
[  4]   8.01-9.01   sec  12.8 MBytes   106 Mbits/sec
[  4]   9.01-10.00  sec  12.1 MBytes   102 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  sender
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  receiver

iperf Done.

Not too bad: a little over 100 Mbps both upload and download speed using iPerf.

Now when switching to SSL VPN this dramatically worsens to just under 3 Mbps.

C:\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.45
Connecting to host 192.168.1.45, port 5201
[  4] local 10.242.2.17 port 60582 connected to 192.168.1.45 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec   640 KBytes  5.22 Mbits/sec
[  4]   1.00-2.01   sec   256 KBytes  2.08 Mbits/sec
[  4]   2.01-3.01   sec   256 KBytes  2.10 Mbits/sec
[  4]   3.01-4.01   sec   256 KBytes  2.10 Mbits/sec
[  4]   4.01-5.01   sec   256 KBytes  2.10 Mbits/sec
[  4]   5.01-6.01   sec   384 KBytes  3.15 Mbits/sec
[  4]   6.01-7.01   sec   128 KBytes  1.05 Mbits/sec
[  4]   7.01-8.00   sec   384 KBytes  3.16 Mbits/sec
[  4]   8.00-9.00   sec   256 KBytes  2.10 Mbits/sec
[  4]   9.00-10.00  sec   128 KBytes  1.05 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  2.88 MBytes  2.41 Mbits/sec                  sender
[  4]   0.00-10.00  sec  2.73 MBytes  2.29 Mbits/sec                  receiver

iperf Done.

More than 30x slower using the exact same connections, and at the time of testing just 1 other SSL client was connected.

SSL VPN settings on UTM:
UDP port 443
Encryption: AES-128-CBC
Authentication: SHA1
Key size: 1024 bit
Compression: On

Can someone confirm SSL VPN remote access being this slow or better, have suggestions on how to improve if possible at all?
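As an added example, not code from this thread or from Sophos: a small Python parser for the iperf3 client output quoted above that turns two runs into one comparison, the slowdown factor, how much of the sender's rate the receiver actually saw, and how unstable the per-second intervals were. The sample input is constructed from the first post's figures, trimmed to three intervals per run.

```python
import re
import statistics
# Constructed sample input: per-interval and summary lines taken from the two
# iperf3 runs in the first post (IPsec, then SSL VPN), trimmed to three intervals.
IPSEC_RUN = """\
[  4]   0.00-1.00   sec  12.2 MBytes   103 Mbits/sec
[  4]   1.00-2.01   sec  12.2 MBytes   102 Mbits/sec
[  4]   2.01-3.00   sec  12.1 MBytes   103 Mbits/sec
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  sender
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  receiver
"""
SSLVPN_RUN = """\
[  4]   0.00-1.00   sec   640 KBytes  5.22 Mbits/sec
[  4]   1.00-2.01   sec   256 KBytes  2.08 Mbits/sec
[  4]   6.01-7.01   sec   128 KBytes  1.05 Mbits/sec
[  4]   0.00-10.00  sec  2.88 MBytes  2.41 Mbits/sec                  sender
[  4]   0.00-10.00  sec  2.73 MBytes  2.29 Mbits/sec                  receiver
"""

# One iperf3 result line: "[ ID] start-end sec  <xfer> <unit>Bytes  <rate> <unit>bits/sec [role]"
LINE = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec\s*(?P<role>sender|receiver)?\s*$"
)
SCALE = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}  # iperf3 reports bit rates in decimal units

def parse_iperf3(text):
    """Return {'intervals': [bps, ...], 'sender': bps, 'receiver': bps} from iperf3 client output."""
    result = {"intervals": [], "sender": None, "receiver": None}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip headers, separators, the 'local ... connected' line and the trailer
        bps = float(m["rate"]) * SCALE[m["unit"]]
        if m["role"]:
            result[m["role"]] = bps
        else:
            result["intervals"].append(bps)
    return result

def compare_tunnels(baseline_text, tunnel_text):
    """Slowdown factor, fraction of the tunnel's sent rate that was received, and interval jitter (stdev/mean)."""
    base, tun = parse_iperf3(baseline_text), parse_iperf3(tunnel_text)
    def jitter(rates):
        return statistics.stdev(rates) / statistics.mean(rates) if len(rates) > 1 else 0.0
    return {
        "slowdown": base["sender"] / tun["sender"],
        "tunnel_receiver_fraction": tun["receiver"] / tun["sender"],
        "baseline_jitter": jitter(base["intervals"]),
        "tunnel_jitter": jitter(tun["intervals"]),
    }
```

Running it against full captures before and after a settings change (for example compression off) gives a single number per change instead of eyeballing ten interval lines.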



  • Today I did some tests with a Sophos XG at the same site (connected to an additional IP of the ISP's line).

    Throughput with XG was about 85Mbps, so a huge improvement over UTM. The XG was an XG230 appliance with the following settings:

    SSL VPN settings on XG:
    UDP port 443
    Encryption: AES-256-CBC
    Authentication: SHA2 256
    Key size: 2048 bit
    Compression: On

    Looks like UTM's SSL remote access is somehow underperforming big time. Still not sure though what UTM should be capable of in terms of throughput with SSL VPN.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello,

    Did you use UDP on SG as well?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes I did, as I wrote in my earlier post.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Which earlier post?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • In the starting post of this thread...

    SSL VPN settings on UTM:
    UDP port 443
    Encryption: AES-128-CBC
    Authentication: SHA1
    Key size: 1024 bit
    Compression: On

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Guys, I always recommend not using compression.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    You only mean this for SSL connections?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, Philipp.  The SSL VPN in UTM really puts a load on the processor already.  Using compression can really choke it.

    Not surprising that Arno found the XG was much faster when using compression - probably a better piece of code for that in XG.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA