Poor SSL VPN performance when using TCP

Shouldnt be the case, as i tested it with Sophos Connect 2.0 back in the days on multiple devices. 

Do you use Compression on SSLVPN? 

Did you try Sophos Connect 2.0 or the OpenVPN Client? 

Did you only try SMB? Can you try other protocols, as SMB can actually cause such problems (re transmissions). 

Likely caused by MTU Issues: https://forums.openvpn.net/viewtopic.php?t=25039

I only tried the OpenVPN Client, which i also used with UTM all the time without any problems. I use UTM and XG with default settings for VPN and Network Ports. As far as i can see,  both are using the same settings, so why is UTM so much faster on TCP connections? Even if it has to do with SMB and/or MTU, it just works with UTM and it's not with XG.

Maybe you try and see for yourself, as i tested this with multiple appliances.

Edit:
I made a simple test without SMB involved. I used a VPN profile with default gateway option enabled and went to https://fast.com for a speedtest. The results are pretty much the same:

53 Mbit/s for UDP SSL VPN
14 Mbit/s for TCP SSL VPN

So what to do about this? Can't be i am the only one facing this problems. XG is using the latest firmware available (18.0.1 MR-1)

I really need this to get sorted out, otherwise we will stop deploying XG firewalls to our customers. Since it has nothing to do with SMB and SG Firewall is using the very same MTU size, it should be something else going on.

What XG unit are you currently having issues with?

With all i tested so far. XG210, XG125, XG105 and even the software Version running on Intel i5 Quadcore with 6GB RAM. They all behave the same. With TCP, regardless of the port used, i am not able to get more than ~16 Mbit/s. With UDP these problems simply don't exist.

I am currently in the process of reproducing this. Do you know, if this issue started with a specific version? 

Also recommend steps to create a Support Case for tracking purpose. 

I've created a ticket yesterday, here is the number: #9942092

This is pretty much a bug in the XG Firmware, since i reproduced it on multiple devices with different internet connections. We also have a few SG125 devices in use and i can assure you that UTM does not have this problem at all.

I also use UTM @home as virtual appliance and get the full ~53 Mbit/s Upload, using any TCP port i want with SSL VPN. For testing purposes i installed a virtual XG firewall on the same hardware and i see the same behaviour as with our customers appliances: TCP SSL performance is pretty bad. Thinking of that, you should easily be able to reproduce this. Otherwise, if someone really needs access to get packet captures, we need to do this at my work time.

To answer your question: unfortunately i don't know if it ever worked properly on XG, since the problem came just to us because so many people are working from home right now and complain about bad VPN performance. After i installed a blank XG @home wich showed the same behaviour, knowing that UTM does not, since i use it for years right now, i am sure that this is releated to XG firmware and should affect pretty much everyone. Of course if you don't have an upload big enough to run into this, it won't be identified as a problem at all.

I did the following tests just yesterday:

Hardware: XG210
Internet connection: ~1000 Mbit/s down, ~80 Mbit/s up
UDP SSL VPN: ~60 Mbit/s
TCP SSL VPN: ~11 Mbit/s

Hardware: XG125
Internet connection: ~90 Mbit/s down, ~38 Mbit/s up
UDP SSL VPN: ~30 Mbit/s
TCP SSL VPN: ~11 Mbit/s

Virtual Home Appliance
Internet connection: ~1000 Mbit/s down, ~53 Mbit/s up
UDP SSL VPN: ~53 Mbit/s
TCP SSL VPN: ~16 Mbit/s

FloSupport / KingChris Could we take a look into this? 

Hi Dreamcatcher 

Thanks for sharing your case number and providing additional information.

I'll have someone from the Community team help take a look and follow up with you.

We also have this issue at our office. SSL VPN over TCP is DOG SLOW. We're using an XG 210 as our edge device. I did a late night test a couple times switching the config to UDP, and there's no contest. SSL VPN over UDP performance absolutely smokes SSL VPN with a TCP tunnel. Using TCP we're also limited to about 2Mbits throughput right now. I just thought it was a limitation of a TCP tunnel.

I'm in the process of setting up all our people using Sophos Connect with IPSec so I can change the SSL VPN config to a UDP tunnel and then slowly migrate everyone back. If the TCP performance could be fixed in an update, that would be so much nicer.

Thanks,

Tim