Poor IPSec VPN Throughput in One Direction

I have a site to site IPSec VPN tunnel between two Sophos XG firewalls.  They had been fine, but recently throughput has become an issue.

Both sides have symmetrical 1Gb circuits.  When testing with iPerf I am getting 250 Mb/s in one direction, but less than 3 Mb/s in the other direction.  I am not sure what has changed to cause this performance issue.

Neither firewall shows any significant CPU load or other significant activity.  The firewall rule is currently set to Log only between the two subnets.



  • Hi Matthew,

    what kind of OS are you using to measure throughput on both sides? I have seen some weird behaviour with windows clients and Sophos IPSec connections (policy mode).

    In order to find what is going on I'd use wireshark on both sides and see what happens ...

    Also usually you don't get the whole bandwidth with one connection but I guess iperf uses udp ...

    (Check both sides (rules, IPSEC configuration, IDS, .... of the tunnel)).

    Maybe deleting and reconfiguration helps ...

    Regards,
    Bernd

  • I had an Ubuntu system on one side and a Mac on another.  I was testing the throughput with iPerf, but I have also noticed in just general usage of the network that there are throughput issues with traffic going in the one direction.

    I will try Wireshark when I am physically with the equipment again to test it.

    I don't necessarily expect to get the full 1Gbps throughput that both sides have, but was not expecting to see 200-300 Mbps one direction and 3 Mbps the other.

    I will keep looking through the firewall rules to see if I can find anything.  The odd part is these rules have not been changed since it was configured and are currently pretty basic doing logging only with no Application controls or IPS.

  • Looking at Wireshark on both sides, with transfers in each direction, I am not seeing a whole lot different.  There are some TCP Window Full, TCP Dup ACK, and TCP Out of Order in the packet capture, but that happens in captures in both directions.

    I looked through the firewall logs and there is only one rule for each direction that is hit with this traffic and it is a log only allow rule.  There is no App Control, IDS/IPS, etc.  IPSec config is identical on either side as well.

    The weird part is that this used to work fine and suddenly stopped.  I am getting between 2-18 Mbps in one direction and 92-108 Mbps in the other today even though both sides have symmetrical gigabit internet.  I do not expect to get the full gigabit, but it is odd that one direction of traffic is so much lower than the other.

  • Hi Matthew,

    why do you have two rules, you only need one firewall rule, please try disabling one and then run the tests again.

    Ian 

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • It is one for each direction.  One for the outbound traffic and one for the inbound on each side.

  • Hi,

    what do you mean by traffic in each direction? Incoming and outgoing from your connection is all handled by one rule.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • For outbound traffic originating from location A, the rule is Source Zone: LAN, Any networks. Destination zone VPN, Destination Networks: Subnet at Location B

    For traffic initiating on the other side of the tunnel. Source Zone: VPN, Source Network: Subnet at Location B, Destination Zone: LAN, Any networks.
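The Wireshark post above eyeballs TCP Window Full, Dup ACK and Out-Of-Order labels in both directions and concludes they look similar; the added example below (not from the thread or from Sophos) counts those labels per tunnel direction and attributes each one to the data flow it actually says something about, since a Dup ACK is sent by the receiver and therefore points at loss in the opposite direction. It assumes a tab-separated tshark field export with the columns shown in the comment, and the two LAN subnets are placeholders for the location A and location B networks.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the shape of a tshark field export (assumed command):
#   tshark -r tunnel.pcap -T fields -E separator=/t \
#          -e ip.src -e ip.dst -e tcp.len -e tcp.analysis.flags
# The last column is empty when Wireshark attached no analysis label.
SAMPLE = """\
10.1.0.10\t10.2.0.20\t1448\t
10.1.0.10\t10.2.0.20\t1448\tTCP Out-Of-Order
10.2.0.20\t10.1.0.10\t0\tTCP Dup ACK
10.1.0.10\t10.2.0.20\t0\tTCP Dup ACK
10.2.0.20\t10.1.0.10\t1448\tTCP Out-Of-Order
10.2.0.20\t10.1.0.10\t1448\tTCP Out-Of-Order
10.1.0.10\t10.2.0.20\t0\tTCP Dup ACK
10.2.0.20\t10.1.0.10\t1448\tTCP Window Full
"""
SITE_A = ipaddress.ip_network("10.1.0.0/24")  # assumed LAN at location A
SITE_B = ipaddress.ip_network("10.2.0.0/24")  # assumed LAN at location B
REVERSE = {"A->B": "B->A", "B->A": "A->B"}


def direction(src, dst):
    """Label a packet by which side of the tunnel emitted it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in SITE_A and d in SITE_B:
        return "A->B"
    if s in SITE_B and d in SITE_A:
        return "B->A"
    return "other"


def summarize(export_text):
    """Per packet direction: packet count, TCP payload bytes, label counts."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": Counter()})
    for line in filter(str.strip, export_text.splitlines()):
        src, dst, tcp_len, flags = line.split("\t")
        d = stats[direction(src, dst)]
        d["packets"] += 1
        d["bytes"] += int(tcp_len or 0)
        d["flags"].update(f.strip() for f in flags.split(",") if f.strip())
    return dict(stats)


def data_path_events(stats):
    """Attribute each label to the DATA direction it describes: a Dup ACK comes
    from the receiver (reverse flow); Out-Of-Order / Window Full sit on data."""
    events = Counter()
    for key, d in stats.items():
        if key not in REVERSE:
            continue
        for label, n in d["flags"].items():
            events[REVERSE[key] if "Dup ACK" in label else key] += n
    return events
```

On a real capture, a data direction whose attributed event count is far higher than the other's is the one to look at first; matching raw label counts per direction, as in the post, can hide that because the Dup ACKs travel the other way.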
