
Sophos XG VPN performance

Good day all.

A good portion of our company is currently deployed via VPN, which means we have about 20-ish connections consistently on any given day.

Our setup:

Two Sophos XG firewalls set up in an HA state. Our bandwidth is 100/100 with a secondary 100/100 connection. The VPN agents were set up using the TCP protocol with compression selected. We believe the SSL VPN was set up in split tunnel.

Agent logins are tied to our internal AD, so when an agent is deployed or needs to be redeployed, we have to log in as each person and download the new configuration and/or client.

The issue:

We've been receiving complaints about the throughput when people are connecting to the VPN.  

Another colleague and I started testing, and we believe the Sophos is causing a problem.

Test scenario:

Using SSMS, connect to a cloud database to run a script that will return 20,000 rows. 

Tests:

When directly connected to the database (no VPN):  Return time is about 1 second.

When directly connected to the database on a computer inside of our network (no vpn):  Return time is about 1 second.

When connected to the VPN and running the same query: Return time varies between 45 seconds and 3 minutes.

Our vendor has suggested that we need to change the VPN connection over to UDP, but there is concern that the fault tolerance related to TCP would be lost and may cause more problems than what we currently have with TCP in place.

The additional issue of having to redeploy the agents to each person individually is a cause for concern as well, as everyone would be unable to connect if we did switch over to UDP until the new client is deployed to each person.

So:

Based on this configuration, how likely would it be that converting everyone over to UDP would alleviate the performance problems? 

If we choose to mass re-deploy the agents, are there any suggestions on best practices in doing this with remote people?

Our vendor noted that we may be able to "hack" the configuration on each person's PC by changing the following in the .ovpn file:

"proto tcp"

to

"proto udp"

Save the changes, and it will convert everything over to UDP without the need to redeploy to everyone. Is this a viable option?

Thanks in advance for any assistance. 
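As an added illustration (not code from the thread or from Sophos): a small Python helper that applies the client-side .ovpn edit the vendor described in a controlled way, so it can be scripted for remote users rather than hand-edited. It assumes the SSL VPN server side on the XG has already been switched to UDP on the same port (OpenVPN's client and server transports must match, or the client will not connect), and the hostnames, ports and certificate text in the sample profile are constructed placeholders.

```python
from pathlib import Path
# Constructed sample profile (hypothetical hosts/ports) with an inline <ca> block.
SAMPLE_OVPN = """client
dev tun
proto tcp
remote vpn.example.com 8443 tcp
remote vpn-backup.example.com 8443
comp-lzo
tcp-nodelay
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""
TCP_ONLY_OPTIONS = {"tcp-nodelay", "tcp-queue-limit", "http-proxy"}  # flag for review
def _udp(proto: str) -> str:
    """tcp/tcp-client -> udp, keeping an explicit IPv4/IPv6 suffix (tcp4 -> udp4)."""
    return "udp" + proto[3:] if proto in ("tcp4", "tcp6") else "udp"
def convert_to_udp(config: str):
    """Return (new_config, changed_count, warnings): switch 'proto' and any 'remote host
    port tcp' line to UDP, copy comments and inline <ca>/<cert>/<key> blocks untouched."""
    out, changed, warnings, in_block = [], 0, [], False
    for line in config.splitlines():
        s = line.strip()
        if in_block or (s.startswith("<") and not s.startswith("</")):
            in_block = not s.startswith("</")  # block ends at its closing tag
            out.append(line)
            continue
        parts = s.split()
        if not parts or s.startswith(("#", ";")):
            out.append(line)
            continue
        idx = 1 if parts[0] == "proto" else 3 if parts[0] == "remote" else None
        if idx is not None and len(parts) > idx and parts[idx].startswith("tcp"):
            parts[idx] = _udp(parts[idx])
            line, changed = " ".join(parts), changed + 1
        elif parts[0] in TCP_ONLY_OPTIONS:
            warnings.append(f"'{parts[0]}' is a TCP-only option; review it after the switch")
        out.append(line)
    return "\n".join(out) + "\n", changed, warnings

def convert_file(path: str) -> int:
    """Back up the profile to <name>.bak, rewrite it in place, return the change count."""
    src = Path(path)
    src.with_name(src.name + ".bak").write_bytes(src.read_bytes())
    new_cfg, changed, _ = convert_to_udp(src.read_text())
    src.write_text(new_cfg)
    return changed
```

Run convert_file on a copy of one user's profile first and confirm the client connects before rolling the edit out more widely; the .bak copy is the rollback if the server side turns out not to be listening on UDP.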



  • Hi John,

    we have an issue with disconnects after the key lifetime. I guess this is somewhat related to the fact that we use 2-factor authentication. Support suggested switching to UDP (which might help). I was also told to disable the compression (which might be an issue of bandwidth vs. CPU/computing speed).

    AFAIK the SSL VPN connection does not "survive" a change of the cluster node. I cannot say this for XG, but it is what I notice on SG, which uses the same VPN software: we need to reconnect after changing the active node.

    I also tried to find out what changes require a new download of the client configuration file. I just found out that changing the key renewal time can be done without downloading the client file. There might be a possibility to change the server configuration and do a manual change in the client file, but I guess you need to do trial and error on this.

    Regarding your VPN scenario: I did not understand it completely.

    You are using "fat" client software on a PC in order to run a database query that results in a dataset of 20,000 lines that need to be downloaded to your computer?

    What exactly is the difference between 1) and 2)?

    Regarding 3) VPN Connection: If the communication of the database client software with the database server requires a lot of communication going back and forth, this gets slow on a low-bandwidth / high-latency connection. You might consider analysing what is actually happening in a tool like Wireshark. (As a worst case, consider that the client is getting the result line by line.) It is always a good idea to place the client as near as possible to the server and just transfer the display information to the client.
    This is done in Software like RDP or Citrix.

    This is like actually working on the database server. Even putting a terminal server in your company and accessing it via Citrix or Terminal services might be much faster if you have significantly more bandwidth and/or less latency from the company to your database server.

    Best regards,
    Bernd

  • Takeover will result in a VPN reconnect, as the SAs etc. are not synced on the appliances. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/haStartupGuide/concepts/HAOperation.html 

    Sophos Connect 2.0 is able to sync the new config for you. So moving to Sophos Connect seems to me a smart move in the first place. You can roll out the universal config file to all users, and they will fetch their OpenVPN config. It will also provide the flexibility to make configuration changes at any time.
