Extremely high latency on incoming WAN connections (XG Home)

Hi all,

I have been having an absolutely miserable time trying to connect from the WAN side of the firewall to the firewall or to the LAN. When trying to connect to anything on the other side of the FW, there is a 90% chance it will time out due to extreme latency issues.

My setup is the software version of XG with a home license. When hosts on the WAN try to ping the WAN interface of the firewall or anything in the LAN, the pings get through; however, the latency is constantly anywhere between 200ms and 2000ms. When devices on the LAN side ping the LAN interface, there is virtually no latency and no problems. In addition, when I ping the WAN gateway from the firewall, I am seeing between 100ms and 1000ms of latency.

I have followed step 4 in the following guide; however, I cannot see any issues on the interface, and auto-negotiation is working as expected.

https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/79041/troubleshooting-guide-for-xg

In addition, I have attached a PC in place of the firewall, and when that is pinged, there is a constant latency of about 8-15ms.

I have ping enabled for the WAN interface of the firewall, as well as a temporary accept any/any firewall rule with only NAT as a feature.

Does anyone have any idea what may be causing the latency issues experienced?

Kind regards



  • Hi,

    What is the NIC hardware? Is there a chance the cable is a crossover and the NIC is not capable of correctly auto-negotiating with the other end?

    When looking at the GUI -> IPS, what do you see in the fields? Yes, you are not using IPS, but unless you disable the DoS protection there is a chance it will affect your internet connections.

    Ian

  • Hi Ian,

    Hardware is a Sophos SG230 firewall which has XG installed. The cable is definitely a straight-through, and both ends are auto-negotiating to 100/full.

    Under DoS protection, I am seeing all items as not applied and no traffic dropped.

    Kind regards,

    Oliver

  • Hi Oliver,

    Next:

    1. Have you tried from the XG GUI?

    2. Are you using URLs or IP addresses for the tests? If you are using URLs, this issue might indicate a DNS configuration error.

    Ian

  • Hi Ian,

    I am unsure what you mean by "have I tried from the XG GUI". I have checked the settings on there, although it is a pain, as the page keeps timing out with the latency issues.

    I am using URLs in order to ping individual hosts, and no DNS is involved currently except purely internally on the LAN side.

    Kind regards,

    Oliver

  • Hi Oliver,

    The XG GUI has some tests on the network page.

    If you are using URLs, how are they being resolved?

    What you just reported, that the XG GUI keeps timing out, points to you having network issues on your LAN.

    Ian

  • Hi Ian,

    I will have to check out those tests on the network page as I have never looked at them before.

    URLs within the LAN are being resolved by the local DNS server, which then forwards to a public DNS server; however, throughout all the testing I am not using names, only IP addresses, in order to keep it simple.

    The XG GUI timing out is when I am connecting to it externally via the WAN address, I should have probably clarified that. I am not in a position where I am able to connect via the LAN side yet due to some design constraints while integrating this with the current network.

    To summarise, what I am noticing is that all packets that pass through the WAN interface to the CPU of the firewall seem to come out with up to 2000ms latency. The LAN interface is not affected in the same way.

    I am now going to be away for the weekend without access to the system for testing. I will be checking my email, so any further ideas and questions about this are much appreciated and will be answered.

    Kind regards,

    Oliver

  • Hi all,

    After several weeks with absolutely no issues, I rebooted the firewall only to have the extreme latency start again.

    The results are the same as before: when trying to ping the WAN interface of the firewall, I receive minor packet loss and a latency between 1000 and 2000 ms.

    Interestingly, when rebooting I left a continuous ping running, and the latency only seems to spike after a certain amount of boot time.

    This is leading me to believe it may be a module in the software that could be causing this.

    Does anyone have any ideas what could be wrong?

    No configuration changes were made before the reboot that restarted this issue.

    Kind regards,

    Oliver
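The continuous-ping-during-reboot observation in the post above is easy to turn into a repeatable measurement. The script below is an added example, not code from the thread or from Sophos: it parses the output of Linux iputils `ping -D` (each reply line prefixed with a bracketed epoch timestamp; that format is the assumption), reports which probes were lost, finds runs of replies above a latency threshold, and reports how long after the first post-reboot reply the first spike began. The sample log is constructed to mimic the symptom described (low RTT after boot, then a window of 1000-2000 ms replies with some loss, then recovery); it is not a real capture.

```python
"""Find when latency spikes begin in a continuous `ping -D` log.

Added example for the reboot-latency symptom discussed in the thread; not
code from the thread or from Sophos. Assumes Linux iputils `ping -D` output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One `ping -D` reply line, e.g.
# [1700000000.010] 64 bytes from 203.0.113.1: icmp_seq=1 ttl=64 time=9.8 ms
REPLY_RE = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\]\s+\d+ bytes from \S+\s+"
    r"icmp_seq=(?P<seq>\d+)\s+ttl=\d+\s+time=(?P<rtt>[\d.]+) ms"
)

# Constructed sample (not a real capture): probes 6 and 7 time out, probes
# 8-12 come back with 1000-2000 ms RTT, then the path recovers.
SAMPLE_LOG = """\
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
[1700000000.010] 64 bytes from 203.0.113.1: icmp_seq=1 ttl=64 time=9.8 ms
[1700000001.010] 64 bytes from 203.0.113.1: icmp_seq=2 ttl=64 time=10.1 ms
[1700000002.011] 64 bytes from 203.0.113.1: icmp_seq=3 ttl=64 time=11.0 ms
[1700000003.010] 64 bytes from 203.0.113.1: icmp_seq=4 ttl=64 time=9.7 ms
[1700000004.010] 64 bytes from 203.0.113.1: icmp_seq=5 ttl=64 time=10.4 ms
[1700000008.480] 64 bytes from 203.0.113.1: icmp_seq=8 ttl=64 time=1480.2 ms
[1700000009.911] 64 bytes from 203.0.113.1: icmp_seq=9 ttl=64 time=1910.5 ms
[1700000011.200] 64 bytes from 203.0.113.1: icmp_seq=10 ttl=64 time=1200.0 ms
[1700000012.750] 64 bytes from 203.0.113.1: icmp_seq=11 ttl=64 time=1750.3 ms
[1700000013.021] 64 bytes from 203.0.113.1: icmp_seq=12 ttl=64 time=1020.9 ms
[1700000014.012] 64 bytes from 203.0.113.1: icmp_seq=13 ttl=64 time=12.1 ms
[1700000015.011] 64 bytes from 203.0.113.1: icmp_seq=14 ttl=64 time=10.8 ms
[1700000016.010] 64 bytes from 203.0.113.1: icmp_seq=15 ttl=64 time=9.9 ms
--- 203.0.113.1 ping statistics ---
"""


@dataclass
class Reply:
    ts: float      # epoch seconds at which the reply was received
    seq: int       # icmp_seq of the probe
    rtt_ms: float  # round-trip time reported by ping


def parse_ping_log(text: str) -> List[Reply]:
    """Extract reply lines; header, statistics and error lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append(Reply(float(m["ts"]), int(m["seq"]), float(m["rtt"])))
    return replies


def lost_sequences(replies: List[Reply]) -> List[int]:
    """Sequence numbers with no reply between the first and last answered probe."""
    seen = {r.seq for r in replies}
    if not seen:
        return []
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def high_latency_windows(replies: List[Reply], threshold_ms: float = 200.0,
                         min_len: int = 3) -> List[Tuple[float, float, float]]:
    """(start_ts, end_ts, max_rtt_ms) for each run of >= min_len slow replies.

    Requiring a minimum run length filters out a single slow reply so that
    only sustained spikes, like the one in the thread, are reported.
    """
    windows = []
    run: List[Reply] = []

    def flush() -> None:
        if len(run) >= min_len:
            windows.append((run[0].ts, run[-1].ts, max(r.rtt_ms for r in run)))

    for r in replies:
        if r.rtt_ms >= threshold_ms:
            run.append(r)
        else:
            flush()
            run = []
    flush()
    return windows


def summarize(text: str, threshold_ms: float = 200.0) -> Dict[str, object]:
    """Parse a log and report loss, spike windows and spike offset from first reply.

    The first reply after a reboot is used as the "host is back" reference,
    so first_spike_after_s says how long after boot the slowdown started.
    """
    replies = parse_ping_log(text)
    windows = high_latency_windows(replies, threshold_ms)
    first_spike = round(windows[0][0] - replies[0].ts, 1) if windows else None
    return {
        "replies": len(replies),
        "lost": lost_sequences(replies),
        "windows": windows,
        "first_spike_after_s": first_spike,
    }


if __name__ == "__main__":
    import sys
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, value in summarize(log).items():
        print(f"{key}: {value}")
```

Run it as `ping -D <wan-ip> | tee ping.log` during the reboot and then `python3 analyze.py < ping.log`; the `first_spike_after_s` value is the number to compare across reboots, and a spike window that starts at a consistent offset after the first reply is what you would expect if a post-boot update or resolver task, rather than the link, is responsible.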

  • Small update:

    After getting frustrated with this and going to get some food, I came back an hour later and the latency was gone!

    I am getting constant <20ms latency to the WAN interface no problem.

    I am still curious as to why this may be occurring, so any input is appreciated!

  • Hi Oliver,

    There is always a delay immediately after a reboot: all anti-xxx files and DNS need to update, and how long this takes depends on your line speed.

    Further the delay will be affected by your DNS setup.

    Ian

  • Hi Ian,

    What you are saying does make sense. I understand that all the signature files will need to check for, and possibly download, updates.

    However, 60-90 minutes does seem a little excessive on a 50Mbps internet connection with virtually no load.

    Additionally, neither the interface, total available bandwidth, memory nor CPU was showing over-utilisation, which I guess caused the frustration.

    Either way I think I understand more or less what is happening so I will mark this as resolved. I would still encourage people if they have a bit of time to see if they can reproduce this.

    Thank you very much for all your input!

    Kind regards,

    Oliver

  • Hi Oliver,

    Mine takes about 5 minutes before it is usable on a 100/40; it took just as long on the 50/20. Then the 5GHz SSIDs take another 5 minutes. This was supposed to have been fixed a release or two ago.

    If you have an internal DNS which the XG points at, that will slow things down, as the XG DNS updates even if you are using IPs. XG does not multi-task well when updating.

    Ian

  • Hi Ian,

    I think you are spot on the money with the internal DNS server.

    What I believe is happening is the firewall is requesting DNS resolutions from my internal DNS server which is in turn trying to forward the request to the external server.

    However, the connection from the internal DNS outbound is so poor due to the dodgy connection that it is just compounding, especially if the DNS requests are timing out at less than 2 seconds.

    With your advice, I have changed the DNS server on the firewall to an external one. I will make sure I time the unreliability next time I am required to reboot.

    The inability to multitask seems to be a massive drawback to a product I am otherwise enjoying quite thoroughly.

    I am hoping Sophos releases a patch soon that will perform the updates in a less gluttonous, more resource sensible way.

    Kind regards,

    Oliver