Poor SSL VPN performance when using TCP

Hello folks,

I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad and there is no heavy load on the CPUs involved.

Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?



  • The big question is why on earth would you configure a VPN connection to use TCP.

    If you think about the layers of network traffic, it doesn't matter if the VPN connection is UDP, as the TCP connection connecting to services over the UDP VPN will take care of any issues.

    This gent sums it all up perfectly.

    www.youtube.com/watch

  • Because you can't control which ports are open on public networks like hotels, cafés etc. or company networks with guest WLAN? Ports 80 and 443 TCP will be open for sure, while I often encountered 80 and 443 UDP being closed.

    With Sophos Connect Client I get the very same results as with the OpenVPN client for both TCP and UDP.

  • Can we please remain on the thread topic in here?

    The question on this thread is about the enormous difference in throughput between TCP and UDP for SSL VPN, and also the difference on the throughput between Sophos Connect 2.0 and the standard SSLVPN client from the user portal.

    If you want to discuss the difference or about the security standard, or anything that isn't related to this thread topic (Throughput), feel free to open a new thread about it.

    Meanwhile, let's try to remain on the topic so this issue can be fixed as fast as possible.

    Thanks!

  • Hello BLS,

    I don't want to touch you in any way, but the SHA1 protocol has not been recommended for many years. I would recommend you to use at least the SHA2 256 protocol.

    I'm finishing, I think it will be better to leave both this thread and this product as well. The quality, reliability, functions and features of XG are (at a comparable price) significantly worse than competing products.

    I say goodbye, so far in this thread, but I think that very soon with this product as well. Only a waste of time ....

    Regards

    alda

  • Read what I have written - I have stayed on topic - and have given the answer to the question...

    I will repeat it again.

    Changing the SHA setting to SHA-1 has worked to increase the TCP performance for customers - yes I understand the security implication of this - hence why I was asking is there any reason why TCP has to be used - which I got back an aggressive answer - I was just trying to highlight the reasoning why UDP would be better than TCP, and provided interesting knowledge on why, if UDP can be used, to use it.

    I'm fully well aware that changing to SHA-1 is not ideal - hence why UDP would be better, and again, to sound like a broken record, why I asked why UDP couldn't be used.

    Before I recommend anything to anybody, it's useful to get a bit of background on the situation, what their functional and non-functional requirements are, so that you can make an educated and informed decision as to what to suggest - if I just went in pressing buttons like has been suggested previously, that would be dangerous and could leave systems vulnerable to attacks.

  • If you think I'm rude, sorry, but I got annoyed by your incorrect comments. Here are the default settings from UTM9. Find your mistake:

  • Then I stand corrected - as I said it's been a long time since I touched UTM and I know there were issues with SHA256 and OpenVPN and other VPN clients over TCP, not just with the Sophos XG, also seen this with the UTM and some Palo Alto devices as well - from what I could work out it was all down to the security, the ISP and the way that traffic is single threaded and dropping tons of packets when it attempted multi threading the traffic.

    I remember the UTM only having MD5 and SHA1 as options, and if you read through this... Remote Access via SSL (UTM 9, English) - you will see that it stated only those two as supported for the authentication algorithm, hence the statement that there are more options available on the XG over the UTM, and the caveat that it's been a while.

  • Are you trolling or something? AGAIN: IT IS WORKING FINE ON UTM WITH DEFAULT SETTINGS, THEREFORE IT IS WORKING FINE WITH SHA256 ON UTM, WHILE IT'S NOT WITH XG, SO HOW IN THE WORLD ARE YOU CORRECT AT ALL?!

    Oh, and for the record: the shown settings are a part of UTM for years now.

  • Dreamcatcher said:

    Are you trolling or something? AGAIN: IT IS WORKING FINE ON UTM WITH DEFAULT SETTINGS, THEREFORE IT IS WORKING FINE WITH SHA256 ON UTM, WHILE IT'S NOT WITH XG, SO HOW IN THE WORLD ARE YOU CORRECT AT ALL?!

    Excuse me?

    How rude - good luck getting your problem sorted.

    My next question after asking why you couldn't use UDP was what settings do you have on the UTM - and then share my experience I have found with my customers over the XG and the setting that I found that worked - that's what a public forum is all about; none of us work for Sophos and we are giving up our free time to try to assist individuals.

    In order to work out a solution you have to start from the beginning, not from the middle and make assumptions - if there are questions that you can't answer without guessing, then they need to be answered to get the full picture. When you said default settings, for me the default settings with the UTM when I last used one was SHA-1 - so the question needed to be asked what do you have for default settings - we didn't get that far as you decided to have a meltdown.

    Anyways - good luck, think you'll need it.

  • Are you kidding me? You claimed SHA Version is the problem and it was clear since the beginning of this thread that this is nonsense! Now stop derailing this thread!

  • What I said is that I've found that changing to SHA-1 on the XG improved the TCP performance with SSL VPN - and that's fixed it for now - not ideal as it lowers the security - but for TCP traffic it fixes it.

    Food for thought.

  • I'm unsubscribing from this thread because my inbox has been spammed all day with a juvenile temper tantrum. It's abundantly clear to anyone who has suffered through this thread who the one person who can't think outside their own little sandbox is. If you're doing this work professionally, I would hope that you conduct yourself with the same thought and consideration here that you do with your IRL colleagues. I can't imagine anyone putting up with this in a professional setting.
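Two points in the thread are worth putting side by side: UDP transport avoids stacking the tunnel's retransmission on top of the inner TCP flows, while TCP/443 is the only transport that reliably gets through guest networks, and the digest setting should not be the knob that is turned to recover throughput. The client profile below is an added example, not configuration from the thread, from Sophos, or from any specific appliance. It uses OpenVPN connection profiles (a standard OpenVPN client feature, which Sophos SSL VPN and Sophos Connect are compatible with) to try UDP first and fall back to TCP on 443 only when UDP is blocked, and it keeps SHA256 for the control channel. The hostname, ports and file names are placeholders; the digest, cipher and ports must match what the server side is configured for.

```openvpn
# Added example (not from the thread or from Sophos): OpenVPN client profile that
# prefers UDP and falls back to TCP/443 for networks where UDP is filtered.
# vpn.example.com, the port numbers and the certificate file names are placeholders.
client
dev tun
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3

# Keep a current digest for the control channel. Lowering this to SHA-1 is not
# the way to recover TCP throughput; fix the transport instead.
# Must match the server's "auth" setting.
auth SHA256
cipher AES-256-GCM

# Connection profiles are tried in the order listed. Each one is given a few
# attempts before the client moves on to the next, so a network that blocks
# UDP will end up on TCP/443 automatically, and a network that allows UDP
# never pays the TCP-over-TCP penalty.
connect-retry-max 3
connect-timeout 10

<connection>
# Preferred: UDP. Inner TCP sessions handle loss and ordering themselves,
# so the tunnel should not add a second layer of retransmission.
remote vpn.example.com 8443 udp
</connection>

<connection>
# Last resort: TCP/443, which is almost always open on guest networks.
remote vpn.example.com 443 tcp-client
</connection>

ca ca.crt
cert client.crt
key client.key
```

If the server only listens on one transport, the profile still works: the UDP profile will exhaust its retries and the client will settle on the TCP listener. Measuring throughput in each state (UDP connected, then TCP connected) with the same file copy separates a transport problem from a hardware or load problem, which is the question this thread was trying to answer.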
