This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Extremely slow inter vlan performance

Hi
I'm a home user and I've been running Sophos UTM for a number of years and decided recently to make the switch to XG Firewall.

I started on 17.5.3 MR-3 and am now on 17.5.8 MR8. And I'm was sure that since 17.5.6 MR6 that my internet throughput dropped dramatically and some internet speed tests confirmed this.

My setup is on Linux running Sophos XG Firewall on kvm

My network is on different vlans including the WAN interface as my ISP requires that WAN traffic is on VLan10.

after 17.5.6 I moved back to Sophos UTM back to normal throughput. I have two VMs , Sophos UTM and XG that I can start which depending on what one I want to be my firewall.

An example of iperf traffic between VLans on the different products.

Sophos UTM:

$ iperf -c 192.168.4.2
------------------------------------------------------------
Client connecting to 192.168.4.2, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.3.2 port 60046 connected with 192.168.4.2 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 956 MBytes 801 Mbits/sec

Sophos XG Firwall:

$ iperf -c 192.168.4.2
------------------------------------------------------------
Client connecting to 192.168.4.2, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[ 3] local 192.168.3.2 port 60392 connected with 192.168.4.2 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.2 sec 13.8 MBytes 11.3 Mbits/sec

I've disabled IPS on the firewall rules and stopping the IPS service doesn't improve performance.

This thread was automatically locked due to age.

0 LuCar Toni over 6 years ago

Sounds odd to me - Maybe some routing issues? packets got lost in the transmission and occurs re transmissions?

Even if you ISP (as service) does not improve anything, such a drop sounds like some issues with the routing or maybe interface?

Check the XG interface status (ethtool on advanced Shell). Maybe some interface is setup to a wrong negation mode?
Cancel
Vote Up 0 Vote Down

Cancel

0 Byron Collins over 6 years ago in reply to LuCar Toni

All devices are using the virtio driver so display no information except for link up and no errors shown using bwmon

Fullscreen sophos-xg-firewall-troubleshooting.txt Download


  Bandwidth Monitor, (Sampling at every 0.500s), press 'h' for help          

  /         iface                   Rx                   Tx                Total
  ==============================================================================
            PortA:            0.00 E/s             0.00 E/s             0.00 E/s
         PortA.60:            0.00 E/s             0.00 E/s             0.00 E/s
         PortA.40:            0.00 E/s             0.00 E/s             0.00 E/s
         PortA.20:            0.00 E/s             0.00 E/s             0.00 E/s
         PortA.30:            0.00 E/s             0.00 E/s             0.00 E/s
          GuestAP:            0.00 E/s             0.00 E/s             0.00 E/s
         PortA.99:            0.00 E/s             0.00 E/s             0.00 E/s
            PortB:            0.00 E/s             0.00 E/s             0.00 E/s
         PortB.10:            0.00 E/s             0.00 E/s             0.00 E/s
               lo:            0.00 E/s             0.00 E/s             0.00 E/s
           ipsec0:            0.00 E/s             0.00 E/s             0.00 E/s
             imq0:            0.00 E/s             0.00 E/s             0.00 E/s
  ------------------------------------------------------------------------------
            total:            0.00 E/s             0.00 E/s             0.00 E/s



SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortA.99
driver: 802.1Q VLAN Support
version: 1.8
firmware-version: N/A
bus-info: 
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortA
driver: virtio_net
version: 1.0.0
firmware-version: 
bus-info: 0000:00:03.0
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortB
driver: virtio_net
version: 1.0.0
firmware-version: 
bus-info: 0000:00:04.0
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortB.10
driver: 802.1Q VLAN Support
version: 1.8
firmware-version: N/A
bus-info: 
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortB
Settings for PortB:
	Link detected: yes
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortB.10
Settings for PortB.10:
	Link detected: yes
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortA.90
Settings for PortA.90:
Cannot get device settings: No such device
Cannot get wake-on-lan settings: No such device
Cannot get message level: No such device
Cannot get link status: No such device
No data available
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortA.99
Settings for PortA.99:
	Link detected: yes
SFVH_KV01_SFOS 17.5.8 MR-8# 
SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortA
Settings for PortA:
	Link detected: yes
SFVH_KV01_SFOS 17.5.8 MR-8#

0 Byron Collins over 5 years ago in reply to Byron Collins

Routing looks fine:

Sophos Firmware Version SFOS 17.5.8 MR-8

console> system diagnostics utilities netconf route get 192.168.4.2
192.168.4.2 dev PortA.99 src 192.168.4.1
    cache
console> system diagnostics utilities netconf route get 192.168.3.2
192.168.3.2 dev PortA.30 src 192.168.3.1
    cache
console> system diagnostics utilities netconf route get 8.8.8.8
8.8.8.8 via 121.99.212.1 dev PortB.10 src 121.99.215.228
    cache
console>
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 5 years ago in reply to Byron Collins

You should start to tcpdump this traffic to see, if there is a routing issue for some clients.
Cancel
Vote Up 0 Vote Down

Cancel
0 Byron Collins over 5 years ago in reply to LuCar Toni

Hi

I ran a tcpdump port 5001 -w for both Sophos UTM and Sophos XG while doing a iperf test between those two VLANs

Sophos XG 11.0 Mbits/sec
Sophos UTM 724 Mbits/sec

I don't understand fully what it shows me but....

There is a lot of the following type of errors reported for Sophos XG

9515   7.578464   192.168.3.2   192.168.4.2   TCP   2962   [TCP Previous segment not captured] 47324 → 5001 [PSH, ACK] Seq=10500897 Ack=1 Win=29312 Len=2896 TSval=871815988 TSecr=1243383516
9516   7.578472   192.168.4.2   192.168.3.2   TCP   78   [TCP Dup ACK 9514#1] 5001 → 47324 [ACK] Seq=1 Ack=10496553 Win=185856 Len=0 TSval=1243383517 TSecr=871815987 SLE=10500897 SRE=10503793
9523   7.580498   192.168.3.2   192.168.4.2   TCP   1514   [TCP Out-Of-Order] 47324 → 5001 [ACK] Seq=10498001 Ack=1 Win=29312 Len=1448 TSval=871815990 TSecr=1243383518
9525   7.581336   192.168.3.2   192.168.4.2   TCP   1514   [TCP Retransmission] 47324 → 5001 [ACK] Seq=10499449 Ack=1 Win=29312 Len=1448 TSval=871815991 TSecr=1243383519

But only a few of the following types of errors fort Sophos UTM

33955   6.997753   192.168.3.2   192.168.4.2   TCP   37714   [TCP Previous segment not captured] 47448 → 5001 [ACK] Seq=626648369 Ack=1 Win=29312 Len=37648 TSval=872273324 TSecr=1243840846
33956   6.997906   192.168.4.2   192.168.3.2   TCP   66   [TCP ACKed unseen segment] 5001 → 47448 [ACK] Seq=1 Ack=626686017 Win=3144576 Len=0 TSval=1243840862 TSecr=872273323

I'll attach the compressed pcap files.

The Sophos UTM and XG VMs are running on the exactly same hardware and network infrastructure.

Regards
Byron

tcpdump_5001.zip
Cancel
Vote Up 0 Vote Down

Cancel