This discussion has been locked.

Poor SSL VPN performance when using TCP

Hello folks,

 

I am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP I only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and I get the full 50 Mbit/s. This is not acceptable at all, since I always got the full performance with UTM on even slower hardware, and I need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad, and there is no heavy load on the CPUs involved.

 

Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?



This thread was automatically locked due to age.
  • Dreamcatcher said:

    Are you trolling or something? AGAIN: IT IS WORKING FINE ON UTM WITH DEFAULT SETTINGS, THEREFORE IT IS WORKING FINE WITH SHA256 ON UTM, WHILE IT'S NOT WITH XG, SO HOW IN THE WORLD ARE YOU CORRECT AT ALL?!

     

    Excuse me?

    How rude - good luck getting your problem sorted.

    My next question, after asking why you couldn't use UDP, was what settings you have on the UTM, and then to share the experience I have had with my customers on the XG and the setting I found that worked. That's what a public forum is all about: none of us work for Sophos, and we are giving up our free time to try to assist individuals.

     

    In order to work out a solution you have to start from the beginning, not from the middle, and not make assumptions. If there are questions that you can't answer without guessing, then they need to be answered to get the full picture. When you said default settings, for me the default setting on the UTM when I last used one was SHA-1, so the question needed to be asked what you have for default settings. We didn't get that far, as you decided to have a meltdown.

     

    Anyways - good luck, think you'll need it.

  • Are you kidding me? You claimed the SHA version is the problem, and it was clear since the beginning of this thread that this is nonsense! Now stop derailing this thread!

  • What I said is that I've found that changing to SHA-1 on the XG improved the TCP performance with SSL VPN, and that's fixed it for now. Not ideal, as it lowers the security, but for TCP traffic it fixes it.

    Food for thought.

  • I'm unsubscribing from this thread because my inbox has been being spammed all day with a juvenile temper tantrum. It's abundantly clear to anyone who has suffered through this thread who the one person who can't think outside their own little sandbox is. If you're doing this work professionally, I would hope that you conduct yourself with the same thought and consideration here that you do with your IRL colleagues. I can't imagine anyone putting up with this in a professional setting.

  • To get back to  as he is one of the only people in this thread getting more performance through the tunnel with a Windows client.

    Could we get insight into this Windows client? Which version of Windows is running? How many interfaces (physical plus virtual) are running?

    I'm still stuck on the differences between Unix and Windows in handling this session, because Linux overall seems not to have any issue with the configuration at all.

    So it seems like something on Windows limits the download performance, but not on all Windows clients.

     

    Spend some time regenerating the certificates used by XG with a different algorithm, because we likely moved forward in XG in the algorithms used, so the certificates used on UTM could differ from those on an XG installation in terms of the algorithm. (In V18 you can use things like elliptic curve.)

     

     

    Dumped this traffic, but it looks like there are no retransmissions or anything else that would indicate performance-degrading factors.

     

    So currently, if I recap this thread: nobody but  gets better throughput with Sophos Connect on Windows. Did somebody test other OSes yet? Something like iOS/Android?

    The config file can be exported and sent via email. Both platforms have OpenVPN in their app stores.
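The post above reports checking a packet dump for retransmissions before ruling out the network path. The script below is an added example (not code from the poster or from Sophos) of how to make that check repeatable: it parses the text output of `tcpdump -n -S` (absolute sequence numbers), and for each direction of each TCP flow counts retransmissions and duplicate ACKs and computes the goodput over the data-carrying part of the capture. The capture lines in `SAMPLE`, the addresses and the port 8443 are constructed for the example; the heuristics ignore sequence-number wrap and SACK, and will count reordered segments as retransmissions, which is acceptable when the question is whether the capture shows any loss at all.

```python
"""Count TCP retransmissions / duplicate ACKs in tcpdump text output.

Capture with absolute sequence numbers so ranges are comparable:
    tcpdump -n -S -i eth0 'tcp port 8443' > capture.txt
then:
    python3 tcp_stats.py capture.txt
"""
import re
import sys

# One tcpdump line: time, endpoints, flags, optional seq range, optional ack, length.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], "
    r"(?:seq (?P<seq>\d+)(?::(?P<end>\d+))?, )?"
    r"(?:ack (?P<ack>\d+), )?"
    r".*length (?P<length>\d+)$"
)

# Constructed sample: a server (10.0.0.1:8443) sends four segments to a client;
# the second one is retransmitted after the client sends a duplicate ACK.
SAMPLE = """\
12:00:00.000000 IP 10.0.0.10.49152 > 10.0.0.1.8443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
12:00:00.001000 IP 10.0.0.1.8443 > 10.0.0.10.49152: Flags [S.], seq 5000, ack 1001, win 65160, options [mss 1460], length 0
12:00:00.002000 IP 10.0.0.10.49152 > 10.0.0.1.8443: Flags [.], ack 5001, win 502, length 0
12:00:00.100000 IP 10.0.0.1.8443 > 10.0.0.10.49152: Flags [P.], seq 5001:6449, ack 1001, win 509, length 1448
12:00:00.120000 IP 10.0.0.1.8443 > 10.0.0.10.49152: Flags [.], seq 6449:7897, ack 1001, win 509, length 1448
12:00:00.140000 IP 10.0.0.1.8443 > 10.0.0.10.49152: Flags [.], seq 7897:9345, ack 1001, win 509, length 1448
12:00:00.150000 IP 10.0.0.10.49152 > 10.0.0.1.8443: Flags [.], ack 6449, win 502, length 0
12:00:00.155000 IP 10.0.0.10.49152 > 10.0.0.1.8443: Flags [.], ack 6449, win 502, length 0
12:00:00.400000 IP 10.0.0.1.8443 > 10.0.0.10.49152: Flags [.], seq 6449:7897, ack 1001, win 509, length 1448
12:00:00.500000 IP 10.0.0.1.8443 > 10.0.0.10.49152: Flags [P.], seq 9345:10793, ack 1001, win 509, length 1448
12:00:00.600000 IP 10.0.0.10.49152 > 10.0.0.1.8443: Flags [.], ack 10793, win 502, length 0
"""


def _seconds(hms):
    """'HH:MM:SS.ffffff' -> seconds since midnight (captures are assumed to stay within one day)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(lines):
    """Return per-direction stats keyed by 'src:sport->dst:dport'."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP line we understand
        key = f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}"
        f = flows.setdefault(key, {
            "packets": 0, "bytes": 0, "retransmissions": 0, "dup_acks": 0,
            "_first_data": None, "_last_data": None, "_max_end": None, "_last_ack": None,
        })
        ts, length, flags = _seconds(m["time"]), int(m["length"]), m["flags"]
        f["packets"] += 1
        if length > 0:
            seq = int(m["seq"])
            end = int(m["end"]) if m["end"] else seq + length
            # A segment starting below the highest byte already sent in this
            # direction is a retransmission (wrap, SACK and reordering ignored).
            if f["_max_end"] is not None and seq < f["_max_end"]:
                f["retransmissions"] += 1
            else:
                f["bytes"] += length          # count each byte once (goodput)
                f["_max_end"] = end
            if f["_first_data"] is None:
                f["_first_data"] = ts
            f["_last_data"] = ts
        elif m["ack"] and "S" not in flags and "F" not in flags:
            # An empty segment repeating the previous ack number is a duplicate
            # ACK: the receiver is signalling a hole.
            ack = int(m["ack"])
            if ack == f["_last_ack"]:
                f["dup_acks"] += 1
            f["_last_ack"] = ack
    for f in flows.values():
        span = f["_last_data"] - f["_first_data"] if f["_first_data"] is not None else 0.0
        f["duration_s"] = span
        f["mbit_s"] = f["bytes"] * 8 / span / 1e6 if span > 0 else 0.0
        for k in [k for k in f if k.startswith("_")]:
            del f[k]
    return flows


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE.splitlines()
    for key, f in analyze(lines).items():
        print(f"{key}: {f['packets']} pkts, {f['bytes']} B, {f['retransmissions']} retx, "
              f"{f['dup_acks']} dupack, {f['mbit_s']:.3f} Mbit/s over {f['duration_s']:.3f} s")
```

Run it against a capture taken on the VPN's outer interface during a transfer: a zero retransmission and duplicate-ACK count in both directions, as reported above, means the throughput ceiling is not packet loss on the path, and the search moves to the endpoints (client software, crypto settings, buffer sizes). When the tunnel is TCP, note that the inner TCP flow and the outer OpenVPN TCP flow are separate; capture on the tun adapter to see the former and on the physical interface for the latter.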

  • Can we change the cryptographic settings and test again?

  • "No issue at all" isn't quite right. He said: "I've tried out on Linux machine with the latest version of OpenVPN, I've got 120Mbit/s over a single connection with TCP. (Still a lot slower than UDP.)"

  • Could we get insight into this Windows client? Which version of Windows is running? How many interfaces (physical plus virtual) are running?

    This is from the laptop I've used to test it today.

    Windows 10 Home 2004

     

    Interfaces:

    Realtek 8168

    Qualcomm Atheros QCA3977

    Sophos TAP Adapter // Used by Sophos Connect 2.0

     

     

    I've regenerated the certificate with this elliptic curve and hash.

    And here are the crypto settings for the SSL VPN.

     

    Got the same results as before: TCP over the client that's available on the User Portal is stuck at 14-16 Mbit/s, while I can push 70-90 Mbit/s on SC 2.0 EAP with TCP. (Sorry, this test was done before I managed to get home, on bad wireless.)

     

    I'm still stuck on the differences between Unix and Windows in handling this session, because Linux overall seems not to have any issue with the configuration at all.

    On Linux with the same setup, with TCP and OpenVPN 2.4.9, I can push the same throughput as Sophos Connect 2.0 EAP with TCP.

    But still a lot slower than UDP, which in both situations (Linux or Sophos Connect 2.0 on Windows) can push 300 Mbit/s over a single client and connection. That is only limited by the CPU my XG is using (and also AES-NI not being available on the software version).

     

     

    Here's a TL;DR about throughput on my XG.

     

    Windows 10 2004 with SSL VPN TCP:

    OpenVPN client from the User Portal = 14-16 Mbit/s limit

    Sophos Connect 2.0 EAP (on wired) = 120 Mbit/s limit

     

    Windows 10 2004 with SSL VPN UDP:

    Sophos Connect 2.0 EAP (on wired) = 300 Mbit/s, with peaks to 320 Mbit/s

     

    Linux kernel 5.7.2 with OpenVPN 2.4.9 over TCP = 120 Mbit/s (same as Sophos Connect)

    Linux kernel 5.7.2 with OpenVPN 2.4.9 over UDP = 300 Mbit/s, with peaks to 320 Mbit/s (same as Sophos Connect)

     

    The main issue here on the slow network comes from the OpenVPN client that is available on the User Portal, and at the same time on SC 2.0 and Linux it's still 1/3 the throughput of UDP.

     

    EDIT: Sadly I can't do further testing since my ISP is dead right now.

    Thanks!

  • It's interesting that you get better results with Sophos Connect, since I'm getting exactly the same results as with the OpenVPN client.

  • So we would have to catch up on the difference from 16 Mbit/s to 120 Mbit/s.

    I found something which could be the root cause; it needs to be analysed for now.