
Performance issues with UTM and VPN

Hi there,

we use a UTM450 running in a cluster and also SSL VPN for our clients. Normally around 30-50 users are connected, but during the corona lockdown we had several more users (up to 100-120). Since then the VPN performance got horrible: lots of ping losses, it was unusable for most users. We had a call with Sophos and they recommended lowering the authentication algorithm and switching from TCP to UDP because our settings are not best practice.

Current settings are:

TCP
Encryption algorithm AES 256-cbc
Authentication algorithm Sha 512
Key size 1024 bit

Our WAN NIC has 500 Mbit. We only use one WAN interface.

We didn't do this because our users are not local admins, so we would have had to reinstall the VPN profiles manually. We currently also use a different VPN-only appliance for dial-in and kept only a few users on the Sophos.

Unfortunately the situation now is that the performance of the IPsec tunnels is also degrading, with lots of ping losses, and the SSL client VPN isn't working well either with only 30-50 users.

We are now thinking again about switching the SSL VPN settings, but I am not sure if this will really solve all problems.

Any other opinions are highly appreciated.

Thanks and regards

Marcel



  • Hello Marcel,

    I remember reading reports here of UDP being blocked in places in Germany, especially hotels, but since Google introduced QUIC (UDP 443), I suspect you would have no problem with that for SSL VPN users.  Here in N. America, I recommend UDP 1443 and have experienced no problems with that.  There is substantially less overhead with UDP and no real gain with using TCP with a VPN.

    However, I would recommend moving away from the SSL VPN.  According to Sophos' Sizing Guide, the 450 can handle 300 SSL VPN tunnels, but that's if it weren't doing anything else.  The number for IPsec tunnels is 2000.  The free Sophos Connect IPsec client is where I would move you if you were my client.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok, after two days of messing around with IPsec I haven't had any success so far. I configured it like this:

    https://support.sophos.com/support/s/article/KB-000038819?language=en_US

    My connection gets established, but my client doesn't seem to route anything, although the routes are set. The traffic doesn't seem to pass through the adapter. I tried different policy settings, checked the routing of the subnet, set the firewall rule to automatic, tried "any local nets" or single VLANs - nothing worked.

    The ovpn config in Sophos Connect works without issues.

    The only difference I note is the routing table - the routes with SSL VPN are set like this:

    Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik

    0.0.0.0 128.0.0.0 10.25.176.1 10.25.176.29 258

    IPsec does it like this, but I suppose this is normal:

    Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik

    0.0.0.0 128.0.0.0 169.254.128.128 10.25.184.1 12

    Every ping to a different network times out, and the firewall log is still empty, so it must be a routing problem within the client.

    By the way - I can't find the Sophos Connect admin tool, this was my last idea.

    What may be wrong?

    Thanks and regards

    Marcel
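The diagnosis above ("pings time out, firewall log empty, so it must be client-side routing") can be checked mechanically on the client instead of by eye. The following is an added example, not code from the thread or from Sophos: it parses the IPv4 section of a Windows `route print` table (German or English column headers, "Auf Verbindung"/"On-link" gateways) and performs the same longest-prefix match Windows does, so you can ask "which interface and gateway would packets to X actually use?" before blaming the firewall. The sample table is constructed: the header and the `0.0.0.0 128.0.0.0 169.254.128.128 10.25.184.1 12` line are taken from the post, while the LAN and default routes (`192.168.1.x`) are placeholders. The constructed table deliberately contains only the lower half-default (0.0.0.0/1) for the VPN adapter, which lets the example also show how a destination in 128.0.0.0/1 would silently leave via the physical default route; whether the real client is missing that route is not something the post tells us.

```python
import ipaddress

# Constructed sample of a Windows "route print" IPv4 table. Only the
# 0.0.0.0/128.0.0.0 line and the header are from the post; the 192.168.1.x
# routes are placeholders so the table is complete enough to evaluate lookups.
SAMPLE_IPSEC_TABLE = """\
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 25
0.0.0.0 128.0.0.0 169.254.128.128 10.25.184.1 12
192.168.1.0 255.255.255.0 Auf Verbindung 192.168.1.50 281
Standardgateway: 192.168.1.1
"""

# Address assumed for the IPsec adapter in the constructed table (from the post).
VPN_INTERFACE = "10.25.184.1"


def parse_route_table(text):
    """Parse 'route print'-style rows into a list of route dicts.

    Columns are parsed from both ends so that multi-word gateways such as
    'Auf Verbindung' / 'On-link' do not break the split. Header, footer and
    blank lines are skipped because they fail address or metric parsing.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            network = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            metric = int(parts[-1])
        except ValueError:
            continue  # not a route row (e.g. the German header line)
        routes.append({
            "network": network,
            "gateway": " ".join(parts[2:-2]),
            "interface": parts[-2],
            "metric": metric,
        })
    return routes


def lookup(routes, destination):
    """Return the route Windows would pick: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def via_vpn(routes, destination, vpn_interface=VPN_INTERFACE):
    """True if traffic to destination would leave through the VPN adapter."""
    route = lookup(routes, destination)
    return route is not None and route["interface"] == vpn_interface


def has_full_split_default(routes, vpn_interface=VPN_INTERFACE):
    """Check that both halves of a split default (0/1 and 128/1) point at the VPN.

    A client with only one half installed tunnels only half of the address space.
    """
    halves = {ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")}
    present = {r["network"] for r in routes if r["interface"] == vpn_interface}
    return halves <= present


ROUTES = parse_route_table(SAMPLE_IPSEC_TABLE)

if __name__ == "__main__":
    # Constructed test destinations: an internal host behind the tunnel,
    # a LAN host, and a public address in the upper half of the IPv4 space.
    for dest in ("10.25.0.5", "192.168.1.10", "200.1.1.1"):
        r = lookup(ROUTES, dest)
        print(f"{dest:>14} -> {r['network']} via {r['gateway']} on {r['interface']} "
              f"(vpn={via_vpn(ROUTES, dest)})")
    print("split default complete on VPN adapter:", has_full_split_default(ROUTES))
```

Paste the real `route print` output into `SAMPLE_IPSEC_TABLE` and run the script on the affected client; if `via_vpn()` already returns True for the unreachable destination, the route selection is fine and the problem lies in the adapter or the tunnel rather than in the routing table.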
