Poor SSL VPN performance when using TCP

Hello folks,

I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad and there is no heavy load on the CPUs involved.

Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?


  • Shouldn't be the case, as I tested it with Sophos Connect 2.0 back in the day on multiple devices.

    Do you use Compression on SSLVPN? 

    Did you try Sophos Connect 2.0 or the OpenVPN Client? 

    Did you only try SMB? Can you try other protocols, as SMB can actually cause such problems (retransmissions).

    Likely caused by MTU Issues: https://forums.openvpn.net/viewtopic.php?t=25039

  • I really need this to get sorted out, otherwise we will stop deploying XG firewalls to our customers. Since it has nothing to do with SMB and SG Firewall is using the very same MTU size, there must be something else going on.

  • Can't we compare something from UTM too? I have access to at least two appliances with connections that have 53 Mbit/s upload, just tell me what to look for.

  • To use a UTM would be to compare an OpenVPN server. Basically a different platform. You can compare the pushed mechanism, of course.

    Using the same client with different OVPN, you could compare the pushed mechanism, but the results wouldn't be the same, as the server platform is "different".

    Still not clear if this is caused by the client or the server platform: so if the platform is causing this, this comparison would not help. If the client caused this performance, a comparison could help.

    You should simply compare the OVPN logs of both appliances on the client: what do you get from XG / UTM? If one is pushing an option more / less, this could be the cause of this performance issue.

    But I would rather recommend using Sophos Connect 2.0 and testing it with XG. Compare the values and report back whether you see a difference or not.

  • I uninstalled OpenVPN and installed the new SC2, but still the old slow results with 12/8 Mbit/s. ;-(

  • LuCar Toni said:
    Feel free to compare both logs (Sophos Connect and OpenVPN). You see all the push requests by XG. Do you see any difference?

    In push requests I don't see any difference.

    The main difference between both clients is the TAP driver; they are completely different versions. And of course, the OpenVPN version on both of them is different, together with OpenSSL. SC 2.0 uses a much newer version.

    LuCar Toni said:
    MTU size

    Looking at the driver's options, the SC 2.0 EAP had an MTU of 1400 while the OpenVPN client from the User Portal had an MTU of 1500.

    Is there any more information needed?

    Thanks!
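As an added example (not code from the thread, from Sophos or from OpenVPN), a small Python script that does the comparison suggested above: it pulls the pushed options and the tun-mtu/link-mtu values out of two OpenVPN client logs and reports what differs. The two logs are constructed samples in OpenVPN's verb 4 line format, not captures from the thread.

```python
import re

# Constructed sample OpenVPN client logs (not from the thread). LOG_A mimics the
# User Portal client, LOG_B a client whose adapter is set to a 1400-byte MTU.
LOG_A = """\
Fri Jun 19 10:00:01 2020 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 19 10:00:02 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.0.0,dhcp-option DNS 10.1.0.1,ping 10,ping-restart 120,ifconfig 10.81.234.6 10.81.234.5'
"""
LOG_B = """\
Fri Jun 19 10:05:01 2020 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1459,tun-mtu 1400,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Fri Jun 19 10:05:02 2020 PUSH: Received control message: 'PUSH_REPLY,route 10.1.0.0 255.255.0.0,dhcp-option DNS 10.1.0.1,ping 10,ping-restart 120,ifconfig 10.81.234.6 10.81.234.5,comp-lzo no'
"""

# "Local Options String" is logged at --verb 4 and carries the client's MTUs;
# "PUSH_REPLY" lists everything the server pushed to the client.
LOCAL_RE = re.compile(r"Local Options String \(VER=V\d+\): '([^']*)'")
PUSH_RE = re.compile(r"PUSH_REPLY,([^']*)'")


def extract_options(log: str) -> dict:
    """Collect local and pushed options plus tun-mtu/link-mtu from one client log."""
    local, pushed = set(), set()
    for line in log.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            local.update(o.strip() for o in m.group(1).split(","))
        m = PUSH_RE.search(line)
        if m:
            pushed.update(o.strip() for o in m.group(1).split(","))

    def mtu(key: str):
        vals = [int(o.split()[1]) for o in local if o.startswith(key + " ")]
        return vals[0] if vals else None

    return {"local": local, "pushed": pushed,
            "tun_mtu": mtu("tun-mtu"), "link_mtu": mtu("link-mtu")}


def diff_clients(log_a: str, log_b: str) -> dict:
    """Options seen by only one client, and each client's (tun-mtu, link-mtu) pair."""
    a, b = extract_options(log_a), extract_options(log_b)
    all_a, all_b = a["local"] | a["pushed"], b["local"] | b["pushed"]
    return {"only_in_a": sorted(all_a - all_b),
            "only_in_b": sorted(all_b - all_a),
            "mtu_a": (a["tun_mtu"], a["link_mtu"]),
            "mtu_b": (b["tun_mtu"], b["link_mtu"])}


if __name__ == "__main__":
    for key, value in diff_clients(LOG_A, LOG_B).items():
        print(key, value)
```

Run it against two real client logs captured with `--verb 4` (or the client's equivalent log level) by reading the files into LOG_A and LOG_B; an MTU mismatch between the two clients shows up under mtu_a / mtu_b even when the pushed options are identical.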

  • To get back to  as he is one of the only people in this thread getting more performance through the tunnel with a Windows client.

    Could we get insight into this Windows client? Which version of Windows is running? How many interfaces (plus virtual interfaces) are running?

    Still stuck my head in the differences between Unix and Windows in handling this session, because Linux overall seems not to have any issue with the configuration at all.

    So it seems like something on Windows limits the download performance, but not on all Windows clients.

    Spent some time regenerating the certificates used by XG with a different algorithm, because we likely moved forward in XG regarding the used algorithms. So the used certificates on UTM could differ from an XG installation in terms of the algorithm used. (In V18 you can use stuff like elliptic curves.)

    Dumped this traffic, but it looks like there are no retransmissions or anything else as indicators of performance-degrading factors.

    So currently, if I recap this thread: nobody but  gets better throughput with Sophos Connect on Windows. Did somebody test other OSes right now? Something like iOS/Android?

    The config file can be exported and sent via email. Both platforms have OpenVPN in their app stores.

  • Can we change the cryptographic settings and test again?

  • "No issue at all" isn't quite right. He said: "I've tried out on Linux machine with the latest version of OpenVPN, I've got 120Mbit/s over a single connection with TCP. (Still a lot slower than UDP.)"

  • Could we get insight into this Windows client? Which version of Windows is running? How many interfaces (plus virtual interfaces) are running?

    This is from the laptop I've used to test it today.

    Windows 10 Home 2004

    Interfaces:

    Realtek 8168

    Qualcomm Atheros QCA3977

    Sophos TAP Adapter // Used by Sophos Connect 2.0

    I've regenerated the certificate with this elliptic curve and hash.

    And here's the crypto settings for the SSL VPN.

    Got the same results as before: TCP over the client that's available on the User Portal is stuck at 14-16 Mbit/s while I can push 70-90 Mbit/s on SC 2.0 EAP with TCP. (Sorry, this test was done before I managed to get home, done on bad wireless.)

    Still stuck my head in the differences between Unix and Windows in handling this session, because Linux overall seems not to have any issue with the configuration at all.

    On Linux with the same setup with TCP and OpenVPN 2.4.9 I can push the same throughput as Sophos Connect 2.0 EAP with TCP.

    But still a lot slower than UDP, which in both situations (Linux or Sophos Connect 2.0 on Windows) can push 300 Mbit/s over a single client and connection, which is only limited by the CPU my XG is using (and also AES-NI not being available on the software version).

    Here's a TL;DR about throughput on my XG.

    Windows 10 2004 with SSL VPN TCP:

    OpenVPN Client from the User Portal = 14-16Mbit/s limit

    Sophos Connect 2.0 EAP (On Wired) = 120Mbit/s limit.

    Windows 10 2004 with SSL VPN UDP:

    Sophos Connect 2.0 EAP (On Wired) = 300Mbit/s, with peaks to 320Mbit/s.

    Linux Kernel 5.7.2 with OpenVPN 2.4.9 over TCP = 120Mbit/s (Same as Sophos Connect.)

    Linux Kernel 5.7.2 with OpenVPN 2.4.9 over UDP = 300Mbit/s, with peaks to 320Mbit/s. (Same as Sophos Connect.)

    The main issue here on the slow network comes from the OpenVPN client that is available on the User Portal, and at the same time on SC 2.0 and Linux it's still 1/3 of the throughput of UDP.

    EDIT: Sadly I can't do further testing since my ISP is dead right now.

    Thanks!

  • It's interesting that you get better results with Sophos Connect, since I'm getting exactly the same results as with the OpenVPN client.

  • So we would have to catch up on the 16 Mbit/s difference to  120 Mbit/s.

    I found something which could be the root cause; it needs to be analysed for now.