
Performance issues with UTM and VPN

Hi there,

we use a UTM450 running in a cluster and also SSL VPN for our clients. Normally around 30-50 users are connected, but during the corona lockdown we had several users more (up to 100-120). Since then the VPN performance got horrible. Lots of ping losses, it was unusable for most users. We had a call with Sophos and they recommended to lower the authentication algorithm and switch from TCP to UDP because our settings are not best practice.

Current settings are:

TCP
Encryption algorithm AES 256-cbc
Authentication algorithm Sha 512
Key size 1024 bit

Our WAN NIC has 500 Mbit. We only use one WAN interface.

We didn't do this, because our users are not local admins, so we would have had to reinstall the VPN profiles manually. We currently also use a different VPN-only appliance for dial-in and kept only a few users on the Sophos.

Unfortunately the situation now is that the performance of the IPsec tunnels is also degrading with lots of ping losses, and the SSL client VPN isn't working well either with only 30-50 users.

We are now thinking again about switching the SSL VPN settings, but I am not sure if this will really solve all problems.

Any other opinions are highly appreciated.

Thanks and regards

Marcel



  • Hello Marcel,

    I remember reading reports here of UDP being blocked in places in Germany, especially hotels, but since Google introduced QUIC (UDP 443), I suspect you would have no problem with that for SSL VPN users.  Here in N. America, I recommend UDP 1443 and have experienced no problems with that.  There is substantially less overhead with UDP and no real gain with using TCP with a VPN.

    However, I would recommend moving away from the SSL VPN.  According to Sophos' Sizing Guide, the 450 can handle 300 SSL VPN tunnels, but that's if it weren't doing anything else.  The number for IPsec tunnels is 2000.  The free Sophos Connect IPsec client is where I would move you if you were my client.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    now I managed to get an IPsec client tunnel up and running (after changing the policy), but the performance is unfortunately as bad as for the IPsec site2site tunnels - lots of ping losses. SSL VPN is running way better. So I still haven't found the real bottleneck. The last thing I did was to play around with the MTU, but also without any success so far.

    Is there maybe anything else I can try?

    Cheers

    Marcel

  • Hello Marcel,

    Please show pictures of the Edits of the IPsec Remote Access Rule and of the IPsec Policy used in that rule.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for helping me :)

    Here are policy and access rule. I already tried different settings in my access rule as well as more granular local network settings.

    Regards

    Marcel

  • Marcel, what happens if you replace what's currently in 'Local Networks' with the "Internet IPv4" and "Internal (Network)" objects?  If there's still an error, show us about 60 lines from the IPsec log after a connection attempt is started.  Make sure that no IKE Debugging is enabled on the 'Debug' tab.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I changed the local networks and also lowered the MTU on the internal interface to 1350.

    I also disabled all debug logs.

    There are no errors in the IPsec log.

    The connection comes up, internal routing works (it also worked before these last changes, when I changed some settings in the policy).

    However - the IPsec connection is still suffering from packet losses and is only barely usable.

    This is an example:

    Pakete: Gesendet = 172, Empfangen = 151, Verloren = 21
    (12% Verlust)

    Regards

    Marcel

  • I would open a case with Sophos Support, Marcel. This is an unusual situation.

    Do you see anything related in the Intrusion Prevention log?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I already opened a case with Sophos. Unfortunately I do not get any reply. The last responses from the cases I submitted were also very, very slow. Currently I am not really happy with the support and the situation.

    The IPS log doesn't show any issues.

    Is the MTU setting maybe not sufficient? I am hesitant to do more experiments because this always cuts off all TCP connections. Maybe I will try some more MTU settings on the weekend.

    Regards

    Marcel
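For the loss measurements and MTU experiments discussed in this thread (the German ping summary above and the 1350-byte MTU), here is a small diagnostic helper as an added example. It is not Sophos code or the poster's tooling; it assumes a Linux iputils `ping` for the DF probe, and its ESP overhead model takes AES-256-CBC with an HMAC-SHA-512 ICV truncated to 32 bytes (RFC 4868) plus NAT-T UDP encapsulation as defaults.

```python
"""Tunnel troubleshooting helpers: parse ping loss (English or German output)
and size the ESP overhead behind an MTU choice such as the 1350 in this thread.
Added example, not Sophos or the poster's tooling."""
import re
import subprocess
import sys

# Ping summary lines differ by OS and locale; the thread shows the German Windows form.
_PING_SUMMARY = [
    re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received"),  # Linux / macOS
    re.compile(r"Sent = (\d+), Received = (\d+)"),                           # Windows, English
    re.compile(r"Gesendet = (\d+), Empfangen = (\d+)"),                      # Windows, German
]

def ping_loss(output):
    """Return (sent, received, loss_percent) from ping output, or None if no summary found."""
    for pat in _PING_SUMMARY:
        m = pat.search(output)
        if m:
            sent, recv = int(m.group(1)), int(m.group(2))
            loss = round(100.0 * (sent - recv) / sent, 1) if sent else 0.0
            return sent, recv, loss
    return None

def max_inner_mtu(path_mtu=1500, nat_t=True, iv_len=16, icv_len=32, block=16):
    """Largest inner IP packet that fits one ESP tunnel-mode packet on the path.

    Defaults model the policy from the thread (assumed): AES-256-CBC (16-byte IV and
    block) with HMAC-SHA-512 (32-byte ICV per RFC 4868), plus UDP encapsulation (NAT-T).
    """
    fixed = 20 + (8 if nat_t else 0) + 4 + 4 + iv_len + icv_len  # outer IP, UDP, SPI, seq, IV, ICV
    room = (path_mtu - fixed) // block * block                 # ciphertext is padded to the block
    return room - 2                                            # pad-length and next-header bytes

def df_ping(host, payload, count=3):
    """Run ping with DF set (Linux iputils flags) and return the parsed loss tuple."""
    cmd = ["ping", "-c", str(count), "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return ping_loss(out)

# Constructed sample, copied in shape from the thread's German ping output.
SAMPLE_DE = "Pakete: Gesendet = 172, Empfangen = 151, Verloren = 21\n(12% Verlust)"

if __name__ == "__main__":
    print("sample loss:", ping_loss(SAMPLE_DE))
    print("max inner MTU with NAT-T on a 1500 path:", max_inner_mtu())
    if len(sys.argv) > 1:
        print("DF ping", sys.argv[1], df_ping(sys.argv[1], 1350 - 28))  # 1350 minus IP+ICMP headers
```

With the defaults, the model leaves room for a 1406-byte inner packet on a 1500-byte path, so a 1350 MTU is already below that budget; if DF pings at that size still show loss, the cause is unlikely to be fragmentation.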