Extremely slow inter vlan performance

Hi 
I'm a home user and I've been running Sophos UTM for a number of years and decided recently to make the switch to XG Firewall.

I started on 17.5.3 MR-3 and am now on 17.5.8 MR-8. I was sure that since 17.5.6 MR-6 my internet throughput had dropped dramatically, and some internet speed tests confirmed this.

My setup is Sophos XG Firewall running on KVM on Linux.

My network is on different VLANs, including the WAN interface, as my ISP requires that WAN traffic is on VLAN 10.

After 17.5.6 I moved back to Sophos UTM and throughput was back to normal. I have two VMs, Sophos UTM and XG, and I start whichever one I want to be my firewall.

 

An example of iperf traffic between VLANs on the different products.

Sophos UTM:


$ iperf -c 192.168.4.2
------------------------------------------------------------
Client connecting to 192.168.4.2, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.3.2 port 60046 connected with 192.168.4.2 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   956 MBytes   801 Mbits/sec

Sophos XG Firewall:

$ iperf -c 192.168.4.2
------------------------------------------------------------
Client connecting to 192.168.4.2, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.3.2 port 60392 connected with 192.168.4.2 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.2 sec  13.8 MBytes  11.3 Mbits/sec

I've disabled IPS on the firewall rules, and stopping the IPS service doesn't improve performance.



  • Sounds odd to me - maybe some routing issue? Packets get lost in transmission and cause retransmissions?

    Even if your ISP (as a service) does not improve anything, such a drop sounds like an issue with the routing or maybe an interface?

    Check the XG interface status (ethtool on the advanced shell). Maybe some interface is set up to the wrong negotiation mode?

  • All devices are using the virtio driver, so they display no information except for link up, and no errors are shown using bwmon.

     

    
      Bandwidth Monitor, (Sampling at every 0.500s), press 'h' for help          
    
      /         iface                   Rx                   Tx                Total
      ==============================================================================
                PortA:            0.00 E/s             0.00 E/s             0.00 E/s
             PortA.60:            0.00 E/s             0.00 E/s             0.00 E/s
             PortA.40:            0.00 E/s             0.00 E/s             0.00 E/s
             PortA.20:            0.00 E/s             0.00 E/s             0.00 E/s
             PortA.30:            0.00 E/s             0.00 E/s             0.00 E/s
              GuestAP:            0.00 E/s             0.00 E/s             0.00 E/s
             PortA.99:            0.00 E/s             0.00 E/s             0.00 E/s
                PortB:            0.00 E/s             0.00 E/s             0.00 E/s
             PortB.10:            0.00 E/s             0.00 E/s             0.00 E/s
                   lo:            0.00 E/s             0.00 E/s             0.00 E/s
               ipsec0:            0.00 E/s             0.00 E/s             0.00 E/s
                 imq0:            0.00 E/s             0.00 E/s             0.00 E/s
      ------------------------------------------------------------------------------
                total:            0.00 E/s             0.00 E/s             0.00 E/s
    
    
    
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortA.99
    driver: 802.1Q VLAN Support
    version: 1.8
    firmware-version: N/A
    bus-info: 
    supports-statistics: no
    supports-test: no
    supports-eeprom-access: no
    supports-register-dump: no
    supports-priv-flags: no
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortA
    driver: virtio_net
    version: 1.0.0
    firmware-version: 
    bus-info: 0000:00:03.0
    supports-statistics: no
    supports-test: no
    supports-eeprom-access: no
    supports-register-dump: no
    supports-priv-flags: no
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortB
    driver: virtio_net
    version: 1.0.0
    firmware-version: 
    bus-info: 0000:00:04.0
    supports-statistics: no
    supports-test: no
    supports-eeprom-access: no
    supports-register-dump: no
    supports-priv-flags: no
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool -i PortB.10
    driver: 802.1Q VLAN Support
    version: 1.8
    firmware-version: N/A
    bus-info: 
    supports-statistics: no
    supports-test: no
    supports-eeprom-access: no
    supports-register-dump: no
    supports-priv-flags: no
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortB
    Settings for PortB:
    	Link detected: yes
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortB.10
    Settings for PortB.10:
    	Link detected: yes
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortA.90
    Settings for PortA.90:
    Cannot get device settings: No such device
    Cannot get wake-on-lan settings: No such device
    Cannot get message level: No such device
    Cannot get link status: No such device
    No data available
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortA.99
    Settings for PortA.99:
    	Link detected: yes
    SFVH_KV01_SFOS 17.5.8 MR-8# 
    SFVH_KV01_SFOS 17.5.8 MR-8# ethtool PortA
    Settings for PortA:
    	Link detected: yes
    SFVH_KV01_SFOS 17.5.8 MR-8# 
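Because virtio_net reports "supports-statistics: no" in the ethtool output above, and bwmon only displays bandwidth, the kernel's own per-interface drop/error counters under /sys/class/net are the remaining place to look for a link-level problem on this VM. The script below is an added example, not from the thread or from Sophos: it reads those counters for the physical ports and the VLAN sub-interfaces named in the post and reports any that are non-zero. The sysfs root is a parameter so the demo can run against a constructed tree; the counter values in that tree are invented for the demonstration.

```python
"""Added example: audit sysfs error/drop counters for firewall interfaces.

On the firewall itself call audit([...]) with the default sysroot; the
demo() function builds a constructed /sys/class/net lookalike in a temp
directory with made-up values so it runs anywhere.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Standard entries under /sys/class/net/<iface>/statistics/ on Linux that
# should stay at zero on a healthy link. A driver may omit some of them.
ERROR_COUNTERS = (
    "rx_errors", "rx_dropped", "rx_missed_errors", "rx_fifo_errors",
    "tx_errors", "tx_dropped", "tx_fifo_errors",
)


def read_counters(iface: str, sysroot: str = "/sys/class/net") -> Dict[str, int]:
    """Return {counter: value} for one interface; counters the driver does
    not expose are simply absent from the result."""
    stats_dir = Path(sysroot) / iface / "statistics"
    counters: Dict[str, int] = {}
    for name in ERROR_COUNTERS:
        path = stats_dir / name
        if path.is_file():
            counters[name] = int(path.read_text().strip())
    return counters


def flag_nonzero(counters: Dict[str, int]) -> Dict[str, int]:
    """Keep only the counters that have actually incremented."""
    return {name: value for name, value in counters.items() if value}


def audit(ifaces: List[str], sysroot: str = "/sys/class/net") -> Dict[str, Dict[str, int]]:
    """Map each interface to its non-zero error/drop counters
    (an empty dict means the interface looks clean)."""
    return {iface: flag_nonzero(read_counters(iface, sysroot)) for iface in ifaces}


def demo() -> Dict[str, Dict[str, int]]:
    """Run the audit against a constructed sysfs tree. Interface names follow
    the thread; the counter values are made up for this demonstration."""
    constructed = {
        "PortA":    {"rx_errors": 0, "rx_dropped": 0,    "tx_errors": 0, "tx_dropped": 0},
        "PortA.30": {"rx_errors": 0, "rx_dropped": 0,    "tx_errors": 0, "tx_dropped": 0},
        "PortA.99": {"rx_errors": 0, "rx_dropped": 1532, "tx_errors": 0, "tx_dropped": 0},
    }
    with tempfile.TemporaryDirectory() as root:
        for iface, values in constructed.items():
            stats_dir = Path(root) / iface / "statistics"
            stats_dir.mkdir(parents=True)
            for name, value in values.items():
                (stats_dir / name).write_text(f"{value}\n")
        return audit(list(constructed), sysroot=root)


if __name__ == "__main__":
    for iface, bad in demo().items():
        print(f"{iface:10s} {'clean' if not bad else bad}")
```

Run it twice, once before and once after a ten-second iperf run, and diff the two results: a counter that only moves while the test is running ties the drops to the test traffic rather than to background noise. Drops on a VLAN sub-interface but not its parent point at the 802.1Q layer or the firewall's own queueing rather than at the hypervisor NIC.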
    
    

  • Routing looks fine:

     

    Sophos Firmware Version SFOS 17.5.8 MR-8

    console> system diagnostics utilities netconf route get 192.168.4.2
    192.168.4.2 dev PortA.99  src 192.168.4.1
        cache
    console> system diagnostics utilities netconf route get 192.168.3.2
    192.168.3.2 dev PortA.30  src 192.168.3.1
        cache
    console> system diagnostics utilities netconf route get 8.8.8.8    
    8.8.8.8 via 121.99.212.1 dev PortB.10  src 121.99.215.228
        cache
    console>

  • You should start to tcpdump this traffic to see if there is a routing issue for some clients.

  • Hi

    I ran a tcpdump port 5001 -w for both Sophos UTM and Sophos XG while doing an iperf test between those two VLANs.

    Sophos XG 11.0 Mbits/sec
    Sophos UTM 724 Mbits/sec

    I don't understand fully what it shows me but....

    There are a lot of the following types of errors reported for Sophos XG:

    9515    7.578464    192.168.3.2    192.168.4.2    TCP    2962    [TCP Previous segment not captured] 47324 → 5001 [PSH, ACK] Seq=10500897 Ack=1 Win=29312 Len=2896 TSval=871815988 TSecr=1243383516
    9516    7.578472    192.168.4.2    192.168.3.2    TCP    78    [TCP Dup ACK 9514#1] 5001 → 47324 [ACK] Seq=1 Ack=10496553 Win=185856 Len=0 TSval=1243383517 TSecr=871815987 SLE=10500897 SRE=10503793
    9523    7.580498    192.168.3.2    192.168.4.2    TCP    1514    [TCP Out-Of-Order] 47324 → 5001 [ACK] Seq=10498001 Ack=1 Win=29312 Len=1448 TSval=871815990 TSecr=1243383518
    9525    7.581336    192.168.3.2    192.168.4.2    TCP    1514    [TCP Retransmission] 47324 → 5001 [ACK] Seq=10499449 Ack=1 Win=29312 Len=1448 TSval=871815991 TSecr=1243383519

    But only a few of the following types of errors for Sophos UTM:

    33955    6.997753    192.168.3.2    192.168.4.2    TCP    37714    [TCP Previous segment not captured] 47448 → 5001 [ACK] Seq=626648369 Ack=1 Win=29312 Len=37648 TSval=872273324 TSecr=1243840846
    33956    6.997906    192.168.4.2    192.168.3.2    TCP    66    [TCP ACKed unseen segment] 5001 → 47448 [ACK] Seq=1 Ack=626686017 Win=3144576 Len=0 TSval=1243840862 TSecr=872273323

    I'll attach the compressed pcap files.

    The Sophos UTM and XG VMs are running on the exactly same hardware and network infrastructure.

    Regards
    Byron


    tcpdump_5001.zip
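The Wireshark labels quoted in the post ("Previous segment not captured", "Out-Of-Order", "Retransmission") all come from one heuristic: comparing each data segment's sequence number with the highest byte already seen on that flow. The script below, an added example that is not part of the thread and not a Sophos tool, applies the same rule to the plain text that `tcpdump -n -r <file> port 5001` prints, so the two captures can be compared as a number (fraction of data segments that went backwards) instead of by eyeballing packet lists. It assumes tcpdump's default relative sequence numbers and its standard one-line-per-packet output; the sample lines embedded in it are constructed for the demonstration, not taken from the attached pcaps.

```python
"""Added example: classify TCP data segments in tcpdump text output by
sequence-number progression, the same rule Wireshark's analysis flags use.

Usage on a real capture (text is read from stdin when '-' is given):
    tcpdump -n -r tcpdump_5001_xg.pcap port 5001 | python3 seqcheck.py -
"""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# "HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [..], ..., length N"
HEADER_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \["
)
SEQ_RE = re.compile(r"\bseq (\d+):(\d+)")   # only data segments print first:last
LEN_RE = re.compile(r"\blength (\d+)$")

Flow = Tuple[str, str, str, str]            # (src, sport, dst, dport)


@dataclass
class FlowStats:
    segments: int = 0          # data-carrying segments seen in this direction
    payload_bytes: int = 0     # payload bytes, repeats included
    gaps: int = 0              # seq jumped past the next expected byte
                               # (Wireshark: "Previous segment not captured")
    rewinds: int = 0           # seq below the highest byte already seen
                               # (Wireshark: "Retransmission" or "Out-Of-Order";
                               # tcpdump alone cannot tell the two apart)
    next_seq: Optional[int] = None


def analyse(lines: Iterable[str]) -> Dict[Flow, FlowStats]:
    flows: Dict[Flow, FlowStats] = defaultdict(FlowStats)
    for line in lines:
        hdr, seq, length = HEADER_RE.match(line), SEQ_RE.search(line), LEN_RE.search(line)
        if not (hdr and seq and length) or int(length.group(1)) == 0:
            continue                           # non-TCP line, or pure ACK/SYN
        lo, hi = int(seq.group(1)), int(seq.group(2))
        fs = flows[(hdr["src"], hdr["sport"], hdr["dst"], hdr["dport"])]
        fs.segments += 1
        fs.payload_bytes += int(length.group(1))
        if fs.next_seq is None or lo == fs.next_seq:
            fs.next_seq = hi                   # in order
        elif lo > fs.next_seq:
            fs.gaps += 1                       # the capture missed bytes
            fs.next_seq = hi
        else:
            fs.rewinds += 1                    # repeat or late segment
            fs.next_seq = max(fs.next_seq, hi)
    return dict(flows)


def rewind_rate(fs: FlowStats) -> float:
    """Fraction of data segments that went backwards. A clean LAN path sits
    near zero; a lossy one shows double-digit percentages."""
    return fs.rewinds / fs.segments if fs.segments else 0.0


# Constructed sample in tcpdump's output format: two in-order segments, an ACK,
# a segment that skips ahead (gap), a SACK-carrying ACK, then the two missing
# segments arriving late (rewinds). Addresses and ports mirror the thread.
SAMPLE = """\
07:00:00.100000 IP 192.168.3.2.47324 > 192.168.4.2.5001: Flags [.], seq 1:1449, ack 1, win 29312, options [nop,nop,TS val 871815980 ecr 1243383510], length 1448
07:00:00.100200 IP 192.168.3.2.47324 > 192.168.4.2.5001: Flags [.], seq 1449:2897, ack 1, win 29312, options [nop,nop,TS val 871815980 ecr 1243383510], length 1448
07:00:00.100400 IP 192.168.4.2.5001 > 192.168.3.2.47324: Flags [.], ack 2897, win 1000, options [nop,nop,TS val 1243383511 ecr 871815980], length 0
07:00:00.100600 IP 192.168.3.2.47324 > 192.168.4.2.5001: Flags [P.], seq 5793:8689, ack 1, win 29312, options [nop,nop,TS val 871815981 ecr 1243383511], length 2896
07:00:00.100800 IP 192.168.4.2.5001 > 192.168.3.2.47324: Flags [.], ack 2897, win 1000, options [nop,nop,TS val 1243383511 ecr 871815981,nop,nop,sack 1 {5793:8689}], length 0
07:00:00.101000 IP 192.168.3.2.47324 > 192.168.4.2.5001: Flags [.], seq 2897:4345, ack 1, win 29312, options [nop,nop,TS val 871815982 ecr 1243383511], length 1448
07:00:00.101200 IP 192.168.3.2.47324 > 192.168.4.2.5001: Flags [.], seq 4345:5793, ack 1, win 29312, options [nop,nop,TS val 871815983 ecr 1243383512], length 1448
"""

if __name__ == "__main__":
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    for flow, fs in analyse(source).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {fs.segments} segs, "
              f"{fs.payload_bytes} B, gaps={fs.gaps}, rewinds={fs.rewinds} "
              f"({rewind_rate(fs):.0%})")
```

Running it over both captures gives a like-for-like figure for the XG and UTM runs. Note the caveat the post's own Wireshark lines already hint at: a capture taken on the firewall with GRO or similar receive offload active shows coalesced segments (the 37648-byte "segment" in the UTM trace is one), so gaps there can be a capture artefact rather than packet loss; capturing at the iperf client or server avoids that.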