
Poor SSL VPN performance when using TCP

Hello folks,

 

I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad and there is no heavy load on the CPUs involved.

 

Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?



  • The big question is why on earth would you configure a VPN connection to use TCP.

     

    If you think about the layers of network traffic, it doesn't matter if the VPN connection is UDP as the TCP connection connecting to services over the UDP VPN will take care of any issues....

     

    This gent sums it all up perfectly.

     

    www.youtube.com/watch

  • Because you can't control which ports are open on public networks like hotels, cafés etc. or company networks with guest WLAN? Ports 80 and 443 TCP will be open for sure, while I often encountered 80 and 443 UDP being closed.

    With the Sophos Connect client I get the very same results as with the OpenVPN client for both TCP and UDP.

  • Which in itself is a good thing, my clients supply their users with mobile 4G devices, connecting to any public hotspot is a danger - just the use of a WiFi pineapple for example could be very costly to a company.

  • Again you are not able to think outside your own little sandbox. Maybe just ask Sophos why TCP is the default setting for SSL VPN? Maybe there are companies out there that don't want to or simply can't pay a lot of money for fast mobile internet, because much data needs to be transferred? Maybe there are locations out there where 4G isn't available or where you just have bad reception?

    Maybe there is something existing out of your little world and it doesn't matter at all what you think about if it is useful or not, because your opinion is not the reason that it isn't working while it should.

  • WOW....That's what I call some attitude...

     

    Yes there is something outside my little world - it's called being hacked....not something that I can say has happened to any of my clients or their users - because I implement things to a secure standard.

     

    I can understand that there are issues with TCP VPN here, but this could potentially be caused by a networking situation, and an understanding of how TCP/UDP and the layers of network traffic on a VPN connection work is important.

     

    Personally I haven't seen any issues with TCP or UDP VPN connections with the Sophos XG, until I have been on a connection that the ISP filters someplace, like through the IWF - and this has slowed down the threads where they are arriving late and out of order, causing TCP to do what it does best and resend all the blocks, which then means that the file transfer over the VPN is resending or timing out...

     

    This was why I linked to the video, as this guy explains it better than some of the other YouTubes I looked at for this issue and to give an understanding of TCP/UDP connections.

     

    Something that hasn't been explained before in this thread, and is an aspect to be explored.

  • Then don't start an argument on a problem-related thread about something being useful or not! And when UTM and XG perform differently with the very same internet connection used, it has nothing to do with the ISP. Maybe read the thread and stop arguing about TCP on VPN; you can do this somewhere else!

  • Eh?  Since when has asking a question been starting an argument?

     

    Tell you what - go pound sand - I think I know what the issue is - but was just asking some simple questions before to get an understanding of your requirements - I'm not wasting my time anymore.

  • Thank you for not wasting my time anymore. Go offtopic somewhere else. Thanks!

  • The worst thing is that you've wasted your own time with your attitude - live and learn... Especially about the impacts of AES, BASE-10, MTU, ciphers, OSI model, TCP, UDP, VPN - the answer from past experience is one, maybe two of them...over and out...

     

    the problem is with your configuration - not with the software of the firewall..

  • Ok, it's my configuration, check. That's why it's working fine with UTM and not with XG and everyone else is having the very same problem, because our configuration is bad. Thank you for the clarification, now just go on and leave, thanks.

  • Yup your configuration - there are more options to configure in XG than there are for UTM - some of which play havoc with TCP.

  • Hello BLS,

    You are really very wrong in many ways. You probably don't know the possibilities of remote access configuration in UTM v9 vs. XG. Otherwise, you couldn't write such nonsense as XG having more options for configuring remote access by SSL VPN. Please first see what options UTM v9 has.
    Dreamcatcher is right, please leave this thread.

    Regards

    alda

  • I have seen the options that are there - unless they have changed in 8 months since I last touched a UTM - so memory is a little hazy.

     

    Anyways - the clues to the problem are all there.  You try to be helpful but met with individuals with an egregious personality - kinda makes you not wish to help...

     

    The clue is in there somewhere...

    Compare them to a UTM - what's different with the default settings, and there will be your answer.

  • Besides the fact that your claims about UTM are complete nonsense: this would mean that Sophos is shipping XG firewall with a bad default configuration, because the problem exists without altering the settings at all.

    I'm just going by memory of the UTM - and it's been a while - so I'm sure you can forgive me on that one - from what I recall the settings for SSL VPN on the UTM were a lot fewer than you get with the XG - might be that everything is on one page now, but it's been a while and I can't fully remember what was there on the UTM.

     

    Just like I'll forgive your rudeness - try the SHA setting and change it to SHA1 - the reason I was asking if there is a particular reason not to use UDP was because with TCP I have noted an issue with anything other than SHA-1 together with OpenVPN and other clients that use SSL VPN.

     

    Might not fix your issue - but if it does you can say welcome later.

  • Dear BLS,

    please do one thing for everyone else. Read the whole thread from the beginning. Then you will understand what the problem is. The problem is in the very poor throughput of TCP vs. UDP in XG. The throughput for TCP is about one quarter for XG compared to UDP. However, in the case of UTM v9 with the same settings and the same parameters, the TCP protocol does not have such poor throughput.

    Have you understood what is being discussed in this thread? Please read it from the beginning as Dreamcatcher asked you.

    I'm sorry, I can't offer you anything better.

    Regards

    alda

  • I have read it - and I just simply asked the question why can't UDP be used for VPN rather than TCP, and what was the requirement - I didn't expect a full on illiterate rant following after that.

     

    The fix I've found is to either just stick with UDP or change to SHA-1 - and for all the clients that I've had, we went to UDP, although changing to SHA-1 fixed the TCP issue.

     

    Lesson learnt for me: don't help anybody anymore. It's people like you that remove the fountain of knowledge from forums with your bad attitudes, and make support expensive not just for yourself but for everybody else - and then complain about it.

     

  • Can we please remain on the thread topic in here?

    The question on this thread is about the enormous difference in throughput between TCP and UDP for SSL VPN, and also the difference on the throughput between Sophos Connect 2.0 and the standard SSLVPN client from the user portal.

    If you want to discuss the difference or about the security standard, or anything that isn't related to this thread topic (Throughput), feel free to open a new thread about it.


    Meanwhile, let's try to remain on the topic so this issue can be fixed as fast as possible.

     

    Thanks!