IPsec VPN slowness in one direction between sites using an XG Firewall at each.

Site A: 300 Mbps up/down
Site B: 1 Gbps up/down
Both are Sophos XG Firewalls and are connected over the WAN using an IPsec VPN tunnel.
Observations:
Site A to Site B file transfer
Utilization of about 250 Mbps (great! the tunnel is clearly using most of the bandwidth of the slower site)
Site B to Site A file transfer
SLOW transfers of at most around 30 Mbps
I can check WAN saturation on each side and I am not seeing any indication that saturation is happening.
Site A and Site B can both get to the internet, and speed tests indicate everything is working at the ISP speed we pay for.
Has anyone else seen this happening or can give some insight on some things I can test or look for to help remedy this slowness? Thanks!
  • Thank you for the response. There are no special restriction policies other than some basic who-can-go-where rules. QoS is not enabled. I've run the iftop command and seen that in the problem direction it peaked at 5.3Mb while transferring; WAN traffic also reflects this, being only slightly higher (out-the-door traffic). Since creating this post, I've been researching this problem as well. I do remember seeing a lot of packet fragmentation and retransmissions in the slow direction in the past (late 2019); I will re-examine this now with more clarity. Do you suppose this could be MTU related? The idea being, like nesting dolls, small packets from site A can flow to B easily, but possibly site B flowing to site A might not fit and have to be retransmitted smaller? Not sure how to test this over the VPN, but this is something I'd like to also examine. Thoughts?

  • FormerMember in reply to Doc D

    Do you see any drops on the LAN interface or on the virtual ipsec0 interface?

    # ifconfig ipsec0

    # ifconfig PortA

    Can you check whether DoS is enabled or not (Intrusion prevention > DoS attacks)?

    To check whether there is any retransmission present or not, you can take a pcap either on the Sophos Firewall or directly on the source machine.

    Click here for more information on "How to capture packets and download the Packet Capture".
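    Added example, not part of the thread and not Sophos-provided code: the poster above asks how to test the "packets from B don't fit" theory over the VPN, and the reply suggests checking interface drops and captures. The script below tests the MTU theory directly from a LAN host at site B towards a LAN host at site A (then swap to compare directions): it sends ICMP echo requests with DF set and binary-searches for the largest payload that still gets a reply, then converts that to a path MTU and the TCP MSS that fits it. It assumes a Linux host with iputils ping (which understands `-M do` and `-s`); the PEER address is a placeholder, and the search bounds are choices made here, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread above: find the path MTU across the tunnel
# by sending ICMP echo requests with DF set and binary-searching for the largest
# payload that still gets a reply. Run from a LAN host at site B against a LAN
# host at site A (the slow direction), then the other way round.
#
# Assumptions (nothing here comes from the thread): a Linux host with iputils
# ping, which understands -M do (set DF) and -s (ICMP payload size); PEER is a
# placeholder address for a host behind the far firewall. BSD/macOS ping uses
# "ping -D -s SIZE" instead.

PEER="${PEER:-192.0.2.10}"

# probe_icmp SIZE: one DF-marked echo with SIZE bytes of ICMP payload.
# Exit 0 on reply; non-zero if it was dropped or a "frag needed" came back.
probe_icmp() {
    ping -c 1 -W 2 -M do -s "$1" "$PEER" >/dev/null 2>&1
}

# pmtu_search LO HI PROBE: largest SIZE in [LO, HI] for which "PROBE SIZE"
# succeeds. PROBE must be monotone: if SIZE works, every smaller size works.
# Prints the size, or "none" (exit 1) when even LO fails, which usually means
# ICMP echo is blocked rather than an MTU problem.
pmtu_search() {
    lo=$1; hi=$2; probe=$3
    "$probe" "$lo" || { echo none; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$mid"; then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# payload_to_mtu PAYLOAD: add the 8-byte ICMP header and 20-byte IPv4 header.
payload_to_mtu() { echo $(( $1 + 28 )); }

# mtu_to_mss MTU: TCP MSS that fits in MTU with 20-byte IPv4 and TCP headers.
# This is the value to clamp the tunnel's MSS to if PMTUD is being broken
# somewhere on the path (for example, a 1400-byte path MTU gives an MSS of 1360).
mtu_to_mss() { echo $(( $1 - 40 )); }

main() {
    # 1472 + 28 = 1500, i.e. the upper bound is a full Ethernet frame
    best=$(pmtu_search 500 1472 probe_icmp) || {
        echo "even a 500-byte DF payload gets no reply from $PEER: is ICMP echo allowed?"
        return 1
    }
    mtu=$(payload_to_mtu "$best")
    echo "largest DF payload to $PEER: $best bytes"
    echo "path MTU: $mtu, MSS that fits: $(mtu_to_mss "$mtu")"
}

# Only probe the network when explicitly asked, so the functions can be sourced.
if [ "${PMTU_RUN:-0}" = 1 ]; then
    main
fi
```

    Usage: `PMTU_RUN=1 PEER=<site A host> sh pmtu.sh` from a site B host, and the reverse from site A. A result well under 1472 in one direction only is the asymmetry to chase: either the ICMP "fragmentation needed" messages from the tunnel endpoint are not reaching the senders on that side, or the two tunnels' MTU/MSS settings differ. "none" in both directions just means echo is filtered, and says nothing about the MTU.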

  • Thanks. OK, really interesting. I have packet captures in both directions during the file transfer. When sending the file from B to A (the slow direction), in Wireshark it appears that Site B is trying to push over packets that are very large, up to 22000 in length, with the flag "Do not Fragment" set to 1. When sending A to B these packets never go over 1360 or so but never reach the MTU (which is expected). You can see on the A side capture it is displaying many [TCP Out-Of-Order] and [TCP Retransmission] packets when receiving the file... I wonder what is setting the flag "Do not Fragment" to 1?


  • FormerMember in reply to Doc D

    DF flag is mostly set by the application/web server, or maybe an intermediate device. Is there any router or L3 switch placed at site B? 

    Also, could you please share the capture file along with the details(source/destination IP) here or via PM?
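    Added example, not part of the thread: two checks that bear on the "22000-byte segments with DF set" observation a few posts up. No Ethernet link carries a 22000-byte frame, so a capture that shows such segments was taken either on the sending host before the NIC split them (TSO/GSO) or on a receiving interface where GRO/LRO glued them back together; either way the capture does not show the on-the-wire size, and conclusions about fragmentation cannot be drawn from it until offloads are off or the capture is taken on a separate device (the firewall's WAN port or a mirror port). DF itself is normal on TCP from Linux senders, which do path MTU discovery by default. The script assumes Linux with ethtool and tshark; the interface name and both sample inputs are constructed for this example, not taken from the poster's captures.

```sh
#!/bin/sh
# Added example, not from the thread above: two checks for a capture that shows
# TCP segments far larger than any link MTU (22000 bytes) with DF set.
# A capture on the sending host sees segments before the NIC splits them
# (TSO/GSO); a capture on a receiving interface with GRO/LRO sees them after the
# kernel reassembled them. Neither shows the on-the-wire size.
#
# Assumptions: Linux with ethtool and tshark. The sample inputs below are
# constructed for this example, not taken from the poster's captures.

# offload_flags: read "ethtool -k IFACE" output on stdin and print the state of
# the four offloads that produce oversized segments in captures.
offload_flags() {
    awk -F': ' '
        /^tcp-segmentation-offload:/     { sub(/ \[.*/, "", $2); print "tso=" $2 }
        /^generic-segmentation-offload:/ { sub(/ \[.*/, "", $2); print "gso=" $2 }
        /^generic-receive-offload:/      { sub(/ \[.*/, "", $2); print "gro=" $2 }
        /^large-receive-offload:/        { sub(/ \[.*/, "", $2); print "lro=" $2 }
    '
}

# oversize_df_frames MTU: read tab-separated "frame.number ip.flags.df frame.len"
# lines on stdin, as produced by
#   tshark -r capture.pcap -Y tcp -T fields -e frame.number -e ip.flags.df -e frame.len
# and report how many DF-marked frames exceed MTU plus the 14-byte Ethernet header.
# tshark prints booleans as 1/0 in older releases and True/False in newer ones,
# so both spellings are accepted.
oversize_df_frames() {
    awk -F'\t' -v limit="$(( $1 + 14 ))" '
        ($2 == "1" || $2 == "True") && $3 + 0 > limit + 0 {
            n++
            if ($3 + 0 > max) max = $3 + 0
        }
        END { printf "%d oversized DF frames, largest %d bytes\n", n, max }
    '
}

# Constructed sample of "ethtool -k eth0" output (typical Linux defaults).
sample_ethtool() {
    printf '%s\n' \
        'Features for eth0:' \
        'rx-checksumming: on' \
        'tx-checksumming: on' \
        'tcp-segmentation-offload: on' \
        '        tx-tcp-segmentation: on' \
        'generic-segmentation-offload: on' \
        'generic-receive-offload: on' \
        'large-receive-offload: off [fixed]'
}

# Constructed sample of the tshark field output described above: three frames
# that no 1500-byte link could have carried, one without DF, one at the limit.
sample_tshark() {
    printf '1\tTrue\t1414\n'
    printf '2\tTrue\t22014\n'
    printf '3\tTrue\t8754\n'
    printf '4\tFalse\t66\n'
    printf '5\tTrue\t1514\n'
}

main() {
    echo "offloads on the capturing interface:"
    sample_ethtool | offload_flags            # real use: ethtool -k eth0 | offload_flags
    echo "capture check against a 1500-byte link:"
    sample_tshark | oversize_df_frames 1500   # real use: tshark ... | oversize_df_frames 1500
}

main
```

    If the first check shows tso/gso on for a sender-side capture (or gro/lro on for a receiver-side one) and the second check reports oversized frames, re-capture with `ethtool -K eth0 tso off gso off gro off` on the capturing host, or capture on the firewall's WAN side, before reasoning about MTU from segment sizes. The out-of-order and retransmission flags Wireshark showed are then worth re-reading against real wire-sized segments.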