
Poor SSL VPN performance when using TCP

Hello folks,

I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware, and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad, and there is no heavy load on the CPUs involved.
Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?

This thread was automatically locked due to age.
  • The big question is why on earth would you configure a VPN connection to use TCP.
    If you think about the layers of network traffic, it doesn't matter if the VPN connection is UDP as the TCP connection connecting to services over the UDP VPN will take care of any issues....
    This gent sums it all up perfectly.
    www.youtube.com/watch

  • Because you can't control which ports are open on public networks like hotels, cafés etc. or company networks with guest WLAN? Ports 80 and 443 TCP will be open for sure, while I often encountered 80 and 443 UDP being closed.

    With the Sophos Connect Client I get the very same results as with the OpenVPN client for both TCP and UDP.

  • Yup, your configuration - there are more options to configure in XG than there are for UTM - some of which play havoc with TCP.

  • Hello BLS,

    You are really very wrong in many ways. You probably don't know the possibilities of remote access configuration in UTM v9 vs. XG. Otherwise, you couldn't write such nonsense that XG has more options in configuring remote access by SSL VPN in XG. Please first see what options UTM v9 has.
    Dreamcatcher is right, please leave this thread.

    Regards

    alda

  • I have seen the options that are there - unless they have changed in 8 months since I last touched a UTM - so memory is a little hazy.

    Anyways - the clues to the problem are all there. You try to be helpful but are met with individuals with an egregious personality - kinda makes you not wish to help...
    The clue is in there somewhere...
    Compare them to a UTM - what's different with the default settings, and there will be your answer.

  • Besides the fact that your claims about UTM are complete nonsense: this would mean that Sophos is shipping XG firewall with a bad default configuration, because the problem exists without altering the settings at all.

  • I'm just going by memory of the UTM - and it's been a while - so I'm sure you can forgive me on that one - from what I recall the settings for SSL VPN on the XG were a lot fewer than you get with the XG - might be that everything is on one page now, but it's been a while and I can't fully remember what was there on the UTM.
    Just like I'll forgive your rudeness - try the SHA setting and change it to SHA1 - the reason I was asking if there is a particular reason not to use UDP was because with TCP I have noted an issue with anything other than SHA-1 together with OpenVPN and other clients that use SSL VPN.
    Might not fix your issue - but if it does you can say welcome later.

  • Dear BLS,

    please do one thing for everyone else. Read the whole thread from the beginning. Then you will understand what the problem is. The problem is in the very poor throughput of TCP vs. UDP in XG. The throughput for TCP is about one quarter for XG compared to UDP. However, in the case of UTM v9 with the same settings and the same parameters, the TCP protocol does not have such poor throughput.

    Have you understood what is being discussed in this thread? Please read it from the beginning as Dreamcatcher asked you.

    I'm sorry, I can't offer you anything better.

    Regards

    alda

  • I have read it - and I just simply asked the question why can't UDP be used for VPN rather than TCP, and what was the requirement - I didn't expect a full on illiterate rant following after that.

    The fix I've found is to either just stick with UDP or change to SHA-1 - and for all the clients that I've had, we went to UDP, although changing to SHA-1 fixed the TCP issue.
    Lesson for me learnt, don't help anybody anymore, it's people like you that remove the fountain of knowledge from forums with your bad attitudes, and make support expensive not just for yourself but for everybody else - and then complain about it.
  • Can we please remain on the thread topic in here?

    The question on this thread is about the enormous difference in throughput between TCP and UDP for SSL VPN, and also the difference in throughput between Sophos Connect 2.0 and the standard SSL VPN client from the user portal.

    If you want to discuss the difference or about the security standard, or anything that isn't related to this thread topic (Throughput), feel free to open a new thread about it.
    Meanwhile, let's try to remain on the topic so this issue can be fixed as fast as possible.
    Thanks!

  • Hello BLS,

    I don't want to touch you in any way, but the SHA1 protocol has not been recommended for many years. I would recommend you use at least the SHA2 256 protocol.

    I'm finishing; I think it will be better to leave both this thread and this product as well. The quality, reliability, functions and features of XG are (at a comparable price) significantly worse than competing products.

    I say goodbye, so far in this thread, but I think very soon with this product as well. Only a waste of time...

    Regards

    alda

  • Read what I have written - I have stayed on topic - and have given the answer to the question...
    I will repeat it again.

    Changing the SHA setting to SHA-1 has worked to increase the TCP performance for customers - yes, I understand the security implication of this - hence why I was asking if there is any reason why TCP has to be used - to which I got back an aggressive answer - I was just trying to highlight the reasoning why UDP would be better than TCP, and provided interesting knowledge on why, if UDP can be used, to use it.
    I'm fully well aware that changing to SHA-1 is not ideal - hence why UDP would be better, and again to sound like a broken record why I asked why UDP couldn't be used.
    Before I recommend anything to anybody, it's useful to get a bit of background on the situation, what their functional and non-functional requirements are, so that you can make an educated and informed decision as to what to suggest - if I just went in pressing buttons like has been suggested previously, that would be dangerous and could leave systems vulnerable to attacks.
