
Sophos XG 18 MR3 DPI slow download

Hi all,

After going from decrypting HTTPS traffic by proxy to the DPI engine, my download performance dropped massively.

I am on SG 230 hardware with XG 18 MR3 installed.

Taking the same site and downloading an ISO file via HTTPS with proxy and SSL decryption, I get 100mbit/s throughput, which is the max of my internet connection.

Switching to DPI, I get around 16mbit/s. If I start a second, third download and so on, I can max out my internet connection.

Switching back and forth between proxy and DPI, I can always reproduce this.

This happens only to HTTPS sessions with DPI turned on.

The load on the FW is never higher than 20% while testing.

Could there be an issue that DPI is somehow limiting the throughput within a session? No QoS is defined...

I tried different DPI policies and nothing changed the behavior.

Thanks for your help

best



This thread was automatically locked due to age.
  • You are correct if you are downloading one file, but a normal website will have many lookups and XG will need to check each URL etc.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Web surfing is not an issue for me, it is only the file downloads...

  • We have similar issues with DPI.

    Downloads run with 2.0-2.5mbits (DualWAN = 1Gbit / 50mbit and 100mbit / 40mbit); with large downloads the download breaks off completely (0kbits in the browser), and the loading of some websites is very slow or not possible at all. Our settings are similar to those described here. If the DPI is deactivated and the web proxy is used, everything runs normally. When the problem really occurs, I can't say anymore. I suspected MR3; currently we are using MR4.

  • Hi folks,

    My feeling, but I can't prove it, is that the connection times out but nothing is logged, making debugging very difficult.

    Ian


  • We also don't get any error messages from Sophos. But it's definitely down to the HTTPS inspection. There are no problems with HTTP pages. Not even with all HTTPS sites.

  • My issues started with MR4 fwiw

  • Same here,

    XG125 fresh install with v18 MR4.

    Download with ips + dpi enabled/running 2.5MB/s

    Download with stopped dpi + ips service 15MB/s

    Running on an 1GBit / 50 MBit Cable line

    Direct download via Cable Modem from same site 80 MB/s

  • For me it is always the same story; I usually enable it following an MR release which promises DPI engine bug fixes and tweaks, then I wait for the calls and e-mails telling me the internet is acting strange or websites don't work. It usually takes about 12 hours before the problems begin to manifest themselves, and it's usually one of two things; either a site won't load (or a particular page within a site won't load), or downloads just don't work, it will download a little bit of a file and then just stop. Of course the wonderful XG logs all report no problems at all with decryption, nothing being blocked, etc., but the moment you switch the firewall rule back to web proxy, all these mysterious problems vanish. So there is something wrong with the DPI engine at least in my setup (and it's fairly vanilla) and the logging is just too poor to capture it or display anything useful to the administrator as to what is happening or why.

    The only indication of something wrong I ever get in the logs is mounting numbers of "FLOW_TIMEOUT[5]" errors. To my knowledge Sophos has never publicly disclosed what this error actually means and honestly I see these errors on sites that aren't having problems and don't see them on sites that do, so I am unsure if it is just a red herring.

    This is a very unscientific statement but based on my observations of the problems I have it almost seems to me like the connections get hung or stuck and it results in sites never loading, downloads never downloading, etc. When I first enable DPI it works and then slowly over the next hours it becomes worse and worse to where it becomes noticeable to the average user out there.

    It's a real shame because I want to use it; on paper it sounds wonderful.

  • Did you ever test if this also occurs if you have Linux or MacOSX clients?

    For me the issues are there just for my Windows machines.

    BTW, this also happens if I start a virtual Linux machine on my Windows 10 desktop. But starting Linux natively on the same system with DPI enabled, there are no issues.

    I went through the pcaps with Wireshark for hours without finding the issue :-(
