Poor IPSec VPN Throughput in One Direction

Hi,

please heck you ips settings in the gui. What version of XG are you running?

ian

I am currently running 18.5.2 MR2.  I just upgraded them a couple of days ago from the previous version to see if it would help with the performance issue.

This is what I have in the IPS Policies section:

However, the firewall rules in use for traffic across the VPN on these subnets only have logging enabled.  There is not an IPS policy applied to the firewall rule.

You misunderstood me. Please review the gui -> ips spot see if it is enabled and blocking traffic?

ian

I'm sorry.  I am not sure where it is that you are referring to.  Can you please clarify?

Thank you.

Xg control panel lefthand side there is an IPS tab.

Ian

Are you referring to this page?

Yes.

Hi Matthew,

what kind of OS are you using to measure throughput on both sides? I have seen some weird behaviour with windows clients and Sophos IPSec connections (policy mode).

In order to find what is going on I'd use wireshark on both sides and wee what happens ...

Also usually you don't get the whole bandwidth with one connection but I guess iperf uses udp ...

(Check both sides (rules, IPSEC configuration, IDS, .... of the tunnel)).

Maybe deleting and reconfiguration helps ...

Regards,
Bernd

I had a Ubuntu system on one side and a Mac on another.  I was testing the throughput with iPerf, but I have also noticed in other just general usage of the network that there are throughout issues with traffic going in the one direction.

I will try Wireshark when I am physically with the equipment again to test it.

I don't necessarily expect to get the full 1Gbps throughput that both sides have, but was not expecting to see 200-300 Mbps one direction and 3 Mbps the other.

I will keep looking through the firewall rules to see if I can find anything.  The odd part is these rules have not been changed since it was configured and are currently pretty basic doing logging only with no Application controls or IPS.

Looking at Wireshark on both sides, with transfers in each direction, I am not seeing a whole lot different.  There are some TCP

 Window Full, TCP Dup ACK, and TCP Out of Order in the packet capture, but that happens in captures in both directions.

I looked through the firewall logs and there is only one rule for each direction that is hit with this traffic and it is a log only allow rule.  There is no App Control, IDS/IPS, etc.  IPSec config is identical on either side as well.

The weird part is that this used to work fine and suddenly stopped.  I am getting between 2-18 Mbps in one direction and 92-108 Mbps in the other today even though both sides have symmetrical gigabit internet.  I do not expect to get the full gigabit, but it is odd that one direction of traffic is so much lower than the other.