Thread Info
  • State Verified Answer
  • +4 person also asked this people also asked this
  • Locked Locked
  • Replies 100 replies
  • Answers 2 answers
  • Subscribers 41 subscribers
  • Views 49848 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Poor SSL VPN performance when using TCP

Dreamcatcher

Hello folks,

 

i am pretty disappointed with the SSL VPN performance on TCP connections. When using TCP i only get ~16 Mbit/s when copying files over SMB. With UDP the performance is much better and i get the full 50 MBit/s. This is not acceptable at all, since i always got the full performance with UTM on even slower hardware and i need to use TCP on some sites. I've tested this on multiple appliances with our customers (XG210, XG125, XG115 etc.) and it's always the same: TCP performance on SSL VPN is plain bad and there is no heavy load on the CPUs involved.

 

Is this a bug, or is the TCP SSL VPN performance really that bad compared to UTM?



This thread was automatically locked due to age.
  • 0 in reply to LuCar Toni

    Hi,

    i was linked to this thread.

    I have several users with Windows 10 / 1909 and they use direct Access (HTTPS) to internal servers (no problem).

    I formy self use Sophos VPN Client to connect to a XG 17.5.MR12 and i dont´have any perf. problems (not realy).

    But

    I have one user in Phoenix USA with high WAN latency (about 200ms average) with a performance drop to 355kbit/s.
    He uses a Cable Modem with about 60-100MBit.

    It doesn´t matter if he uses Sophos VPN or Microsoft Direct Access (always slow with 355kbit/s).
    This is slow with SMB File Access.

    The server are located in germany.

    is there any change that the WAN latency could be a problem with TCP / UDP? 

  • 0 in reply to juergenb52

     

    atop:

    NET | tun0 1578% | pcki 29337 | pcko 57619 | sp 10 Mbps | si 2428 Kbps | so 157 Mbps | | coll 0 | mlti 0 | erri 0 | erro 0 | drpi 0 | drpo 0

     

    Looks better to me.

     

    Could you please try following:

    Within the config file: 

    resolv-retry infinite
    nobind
    sndbuf 0
    rcvbuf 0
    persist-key

     

     

    If this does not help after reimporting the config file, there is a second change needed on XG. I just want to know, if this Client config change helps or not. 

    This is currently under investigation. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I added the two parameters to my config file. Unfortunately it makes no difference at all, tried with the OpenVPN Client and the Sophos Connect 2.0 Client.

    Edit:

    I tested this now with android. I tested UDP, TCP and TCP edited with the parameters you mentioned. The results are roughly the same as with Windows:
    TCP: 8-10 Mbit/s
    UDP: 35-45 Mbit/s

  • 0 in reply to LuCar Toni

    hi  

    Tried with your 2 params and no difference at all, exacly 16Mbit/s using TCP.

    (windows 10 / openssl / XGvirutal v18 MR1 hosted on gigabit link)

  • 0 in reply to guillaume bottollier

    Thanks for the feedback.
    Please give Sophos some time to review the test scenario and the different perspectives. 

    As far as i know, Sophos has a RootCause of this issue and will look into fixing this in a upcoming release. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I've just compared the OpenVPN Client logs from UTM and XG. Those are the differences i've found.

    Why is XG only using TSL v1 while UTM is using TLS v1.2?

  • 0 in reply to LuCar Toni

    Where do i find these config file on the Windows 10 client PC?

    I had a second user today (in Dortmund/Germany).
    He uses WLAN and MS Direct access.

    Due to latency his SMB downloads is about 355-800kbit/s.

    I don´t think that this something that a VPN client could fix.

    I read some threads about mtu size and tcp autoscaling with MS DA Servers on Hyper-V ...

  • 0 in reply to juergenb52

    I'd suggest you open your own thread, since this has nothing to do with this topic.

  • 0 in reply to Dreamcatcher

    Thas right,

    but even with Sopos VPN Client the error is the same.

    I had a own thread and was directed here.

  • 0 in reply to juergenb52

    Hi,

    I redirected you because your original post was about a VPN user, now you have changed to being W10 users in your office.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Cookie Information Banner