Poor IPSec VPN Throughput in One Direction

I have a site to site IPSec VPN tunnel between two Sophos XG firewalls.  They had been fine, but recently throughput has become an issue.

Both sides have symmetrical 1Gb circuits.  When testing with iPerf I am getting 250 Mb/s in one direction, but less than 3 Mb/s in the other direction.  I am not sure what has changed to cause this performance issue.

Neither firewall shows any significant CPU load or other significant activity.  The firewall rule is currently set to Log only between the two subnets.



This thread was automatically locked due to age.
  • Hi Matthew,

    what kind of OS are you using to measure throughput on both sides? I have seen some weird behaviour with windows clients and Sophos IPSec connections (policy mode).

    In order to find what is going on I'd use wireshark on both sides and see what happens ...

    Also usually you don't get the whole bandwidth with one connection but I guess iperf uses udp ...

    (Check both sides (rules, IPSEC configuration, IDS, .... of the tunnel)).

    Maybe deleting and reconfiguration helps ...

    Regards,
    Bernd

  • I had an Ubuntu system on one side and a Mac on the other.  I was testing the throughput with iPerf, but I have also noticed in other general usage of the network that there are throughput issues with traffic going in the one direction.

    I will try Wireshark when I am physically with the equipment again to test it.

    I don't necessarily expect to get the full 1Gbps throughput that both sides have, but was not expecting to see 200-300 Mbps one direction and 3 Mbps the other.

    I will keep looking through the firewall rules to see if I can find anything.  The odd part is these rules have not been changed since it was configured and are currently pretty basic doing logging only with no Application controls or IPS.
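To put numbers on the kind of asymmetry Matthew describes, and to take the OS of the test hosts out of the picture as Bernd suggested, the following added example (not code from this thread or from Sophos) compares two iperf3 JSON reports taken from the same client: one normal run and one with iperf3's `-R` reverse flag. It reports the throughput each way, the ratio between them, which direction is slow, and that direction's retransmit (TCP) or lost-packet (UDP) count. The embedded reports are constructed to mirror the thread's figures, the 5:1 threshold is an assumed cut-off, and only the subset of iperf3's JSON fields the script reads is included.

```python
import json

# Constructed sample reports in the shape of `iperf3 -J` output, trimmed to the
# fields this script reads. Values are invented to mirror the asymmetry in the
# thread (roughly 250 Mb/s one way, under 3 Mb/s the other), not real measurements.
FORWARD_REPORT = json.dumps({
    "start": {"test_start": {"protocol": "TCP", "reverse": 0}},
    "end": {
        "sum_sent": {"bits_per_second": 251_000_000.0, "retransmits": 12},
        "sum_received": {"bits_per_second": 249_500_000.0},
    },
})
REVERSE_REPORT = json.dumps({
    "start": {"test_start": {"protocol": "TCP", "reverse": 1}},
    "end": {
        "sum_sent": {"bits_per_second": 2_900_000.0, "retransmits": 4830},
        "sum_received": {"bits_per_second": 2_850_000.0},
    },
})


def summarize(report):
    """Reduce one iperf3 JSON report to (direction, received Mb/s, loss indicator).

    For TCP the loss indicator is the sender's retransmit count; for UDP it is
    the receiver's lost-packet count. Both live in the report's "end" section.
    """
    r = json.loads(report)
    test = r["start"]["test_start"]
    direction = "reverse" if test.get("reverse") else "forward"
    end = r["end"]
    if test.get("protocol", "TCP").upper() == "UDP":
        s = end["sum"]
        return direction, s["bits_per_second"] / 1e6, int(s.get("lost_packets", 0))
    received = end["sum_received"]["bits_per_second"] / 1e6
    return direction, received, int(end["sum_sent"].get("retransmits", 0))


def diagnose(forward_report, reverse_report, ratio_threshold=5.0):
    """Compare both directions of one tunnel and flag a lopsided result.

    ratio_threshold is an assumed cut-off: on symmetric circuits anything past a
    5:1 difference is treated as a fault rather than normal variance.
    """
    results = {}
    for report in (forward_report, reverse_report):
        direction, mbps, loss = summarize(report)
        results[direction] = {"mbps": round(mbps, 2), "loss_indicator": loss}
    fwd, rev = results["forward"]["mbps"], results["reverse"]["mbps"]
    slow = "reverse" if rev < fwd else "forward"
    fast = "forward" if slow == "reverse" else "reverse"
    ratio = results[fast]["mbps"] / max(results[slow]["mbps"], 1e-9)
    asymmetric = ratio >= ratio_threshold
    return {
        "forward_mbps": fwd,
        "reverse_mbps": rev,
        "ratio": round(ratio, 1),
        "asymmetric": asymmetric,
        "slow_direction": slow if asymmetric else None,
        "slow_direction_loss": results[slow]["loss_indicator"],
    }


if __name__ == "__main__":
    verdict = diagnose(FORWARD_REPORT, REVERSE_REPORT)
    print(json.dumps(verdict, indent=2))
    if verdict["asymmetric"]:
        print(f"Throughput is {verdict['ratio']}x lower in the {verdict['slow_direction']} "
              f"direction with {verdict['slow_direction_loss']} retransmits/lost packets; "
              "capture on both sides of that path and look for loss or fragmentation.")
```

To collect real input, run `iperf3 -c <server> -J -t 10 > forward.json` and then `iperf3 -c <server> -J -t 10 -R > reverse.json` on the same client host and feed the two files to `diagnose()`; add `-u` to both runs for UDP and the script switches to lost-packet counts. A high retransmit or loss count in the slow direction only is the cue to take the Wireshark captures Bernd recommended on both firewalls' LAN sides and compare them with the `tcp.analysis.retransmission` and `ip.flags.mf` display filters, which separates loss on the path from fragmentation of the encapsulated packets.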
