
Sophos XG 18 MR3 DPI slow download

Hi all,

After going from decrypting HTTPS traffic by proxy to the DPI engine, my download performance dropped massively.

I am on SG 230 hardware with XG 18 MR3 installed on it.

Taking the same site and downloading an ISO file via HTTPS with proxy and SSL decryption, I get 100 Mbit/s throughput, which is the max of my internet connection.

Switching to DPI, I get around 16 Mbit/s. If I start a second, third download and so on, I can max out my internet connection.

Switching back and forth between proxy and DPI, I can always reproduce this.

This happens only to HTTPS sessions with DPI turned on.

The load on the FW is never higher than 20% while testing.

Could there be an issue that DPI is somehow limiting the throughput within a session? No QoS is defined...

I tried different DPI policies and nothing changed the behavior.

Thanks for your help

best





  • Thanks to everyone who has provided data points and feedback here.

    We have identified a couple of areas where DPI mode was preventing traffic running as fast as it otherwise would, due to issues with the TCP receive window. This problem is less obvious on low-latency, local network connections, but can get quite significant as network latency increases.

    The problem is not caused by overloading of the firewall, but by the server not sending data quickly enough on a given connection. This is why many of you observed that parallel connections would all max out at the same level and increase the overall bandwidth consumption, even though the throughput seemed to be limited on each connection individually.

    The reason the server doesn't send data quickly enough is that there are issues with the way the firewall is calculating the TCP receive window size that it advertises to the server in packet headers. The TCP receive window value tells the server how much data it should send before pausing to wait for confirmation that the data arrived safely. If that value is too small, the server will spend a lot of time waiting for confirmation and the overall flow of data will be slow. The time spent waiting increases with connection latency, so overall flow seems even lower on longer-distance connections.

    We are working on a fix for this problem and are making plans to release it in an upcoming maintenance release. It will be included in 18.0 MR6. It is also addressed in the 18.5 GA version, for early adopters of XGS-series hardware.

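The receive-window explanation above, as an added example that is not from the original thread or from Sophos: it parses the advertised window (including the Window Scale option) from a constructed SYN-ACK header and computes the per-connection ceiling of window / RTT, which is why a single download stalls while several together still fill the link. The 20 ms RTT, 40 KB window and 100 Mbit/s link are assumed values, not measurements from this thread.

```python
import math
import struct

def build_syn_ack(window, wscale=None):
    """Constructed TCP SYN-ACK header for the demo; ports, seq and ack are placeholders."""
    options = b""
    if wscale is not None:
        # Window Scale option (kind 3, length 3) plus a NOP to pad to a 4-byte boundary.
        options = b"\x03\x03" + bytes([wscale]) + b"\x01"
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 443, 51000, 1, 1, data_offset << 4, 0x12, window, 0, 0)
    return fixed + options

def advertised_window(tcp_header):
    """Effective receive window in bytes: the 16-bit field shifted by the Window Scale
    option. The option only travels on SYN/SYN-ACK, so pass the handshake segment."""
    data_offset = (tcp_header[12] >> 4) * 4
    raw_window = struct.unpack("!H", tcp_header[14:16])[0]
    options, i, shift = tcp_header[20:data_offset], 0, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = options[i + 1]
        if kind == 3 and length == 3:
            shift = options[i + 2]
        i += length
    return raw_window << shift

def throughput_ceiling_bps(window_bytes, rtt_s):
    """At most one receive window can be in flight per round trip, so a single
    connection is capped at window / RTT no matter how fast the link is."""
    return window_bytes * 8 / rtt_s

def connections_to_saturate(link_bps, window_bytes, rtt_s):
    """Parallel downloads needed before the link, not the window, becomes the limit."""
    return max(1, math.ceil(link_bps / throughput_ceiling_bps(window_bytes, rtt_s)))

if __name__ == "__main__":
    rtt = 0.020  # assumed 20 ms path RTT (constructed, not measured on the thread's setup)
    for label, hdr in (("small, unscaled", build_syn_ack(40000)),
                       ("65535 scaled by 7", build_syn_ack(65535, 7))):
        win = advertised_window(hdr)
        print(f"{label}: {win} B -> {throughput_ceiling_bps(win, rtt) / 1e6:.1f} Mbit/s per flow, "
              f"{connections_to_saturate(100e6, win, rtt)} flow(s) to fill 100 Mbit/s")
```

Capturing the SYN-ACK on both sides of the firewall and comparing the two windows shows directly whether the firewall is shrinking what the server sees.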
  • In the FWIW category, I ran some speediest.org tests on my home network which has Spectrum 'Gigabit Internet' with an advertised speed of 1000/40 Mbps:


    SFOS V17.5 MR-15, iPhone 11 Pro Max connected via 802.11ax access point then to XG 106: 650/40 Mbps
    SFOS V18.0.4 MR-4, iPhone 11 Pro Max connected via 802.11ax access point then to XG 106: 314/40 Mbps
    SFOS V18.0.4 MR-4, MacBook Pro Big Sur connected via ethernet direct to Spectrum modem: 940/40 Mbps
    SFOS V18.0.4 MR-4, MacBook Pro Big Sur connected via ethernet direct to XG 106: 200/40 Mbps
    My 1000/40 Mbps internet connection drops to 200 Mbps (21%) when going ethernet through the XG 106, and my iPhone drops from 650 Mbps to 315 Mbps (48%). I'm guessing the speed drop on the iPhone is less than on the MacBook Pro via ethernet because the MacBook Pro has Intercept X Big Sur EAP on it.
  • But once streaming starts, Intercept X should ignore the stream, not interfere with it?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
