Firewall high CPU utilisation with IPSec VPN

Hey,

We have a remote site with an XG firewall that simply provides remote SSL and internet access to the site. In order to reach our corporate network, we build 3 VPNs, one to each data center with its own address space.

When the VPNs are active, the entire site experiences extreme slowness and the CPU reads from 60 - 80% utilisation. As soon as I disable the VPN tunnels the site is back to normal. I tried disabling one by one to see if it's just one of the tunnels but all 3 need to be disabled in order for the issue to go away. The site experiences 90% packet loss with the VPNs on.

The configuration is very simple. We have 1 local subnet for the site and a few remote subnets at the other end. I tried the security rules with VPN as the destination zone but that didn't help. I also let the firewall generate automatic rules, same issue. The CPU continues to spike no matter how I write the access rules. Sometimes, it will also send traffic not over the VPN but over the internet link. It's almost like the firewall gets confused about routing and either drops traffic, loops it, or sends it out the internet link.

We are running version XG230 (SFOS 18.5.2 MR-2-Build380). Could this be a bug or is my config wrong? I have another firewall like this on another site and it works perfectly fine with the same IPSec config.

  • Do the tunnels come up OK when they are enabled (both active and connection turn green)?

    Firewall rules shouldn't cause the utilisation and packet loss issue you are seeing. Even if they are completely wrong or absent, the traffic will just get blocked. I would ignore the firewall rules until you can establish a tunnel without the issues you are seeing.

    I would start by looking for an IP overlap. Does each data centre have a unique range of IPs? I notice in the 'general settings' you posted you have quite a few big remote subnets. Those should be the subnets for just that one tunnel, i.e. the subnets for just that one data centre. You say the XG "provides remote SSL". Do you mean it also does Remote Access VPN as well as site-to-site? If so, is the IP range used for that unique?

    I would also simplify your problem by deleting (not just disabling) two of the tunnels and seeing if you can get one working first.
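
The overlap check the reply recommends can be done offline before touching the firewall. The script below is an added example, not part of the original thread and not Sophos code: it takes the branch LAN, each tunnel's remote subnets and the remote-access pool, reports every pair of prefixes that overlap across different owners, and shows which tunnels would claim a given destination address. All prefixes in it are constructed placeholders; replace them with the values from your own tunnel 'general settings' and remote-access configuration.

```python
"""Offline check for overlapping IPsec traffic selectors.

Constructed example (not from the thread): one branch LAN, three site-to-site
tunnels with their remote subnets, and a remote-access (SSL VPN) pool.
All prefixes below are illustrative placeholders.
"""
import ipaddress
from itertools import combinations

BRANCH_LAN = ["10.50.0.0/24"]

# Remote subnets configured on each site-to-site tunnel, one entry per data centre.
# 10.2.0.0/16 is deliberately listed on two tunnels to show the overlap report.
TUNNELS = {
    "DC1": ["10.1.0.0/16", "10.2.0.0/16"],
    "DC2": ["10.3.0.0/16"],
    "DC3": ["10.2.0.0/16", "172.16.0.0/12"],
}

# Address pool handed to remote-access VPN clients; deliberately carved out of
# the branch LAN so the check flags it.
REMOTE_ACCESS_POOL = ["10.50.0.0/25"]


def _owned_prefixes(branch_lan, tunnels, ra_pool):
    """Flatten all prefixes into (owner, network) pairs."""
    owned = [("branch-LAN", ipaddress.ip_network(p, strict=False)) for p in branch_lan]
    for name, prefixes in tunnels.items():
        owned += [(f"tunnel:{name}", ipaddress.ip_network(p, strict=False)) for p in prefixes]
    owned += [("remote-access-pool", ipaddress.ip_network(p, strict=False)) for p in ra_pool]
    return owned


def find_overlaps(branch_lan, tunnels, ra_pool):
    """Return (owner_a, prefix_a, owner_b, prefix_b) for every overlapping pair of
    prefixes that belong to different owners (a tunnel, the branch LAN, the
    remote-access pool). Overlaps within one tunnel's own list are not reported:
    they are redundant but do not make selection ambiguous."""
    overlaps = []
    pairs = combinations(_owned_prefixes(branch_lan, tunnels, ra_pool), 2)
    for (owner_a, net_a), (owner_b, net_b) in pairs:
        if owner_a != owner_b and net_a.overlaps(net_b):
            overlaps.append((owner_a, str(net_a), owner_b, str(net_b)))
    return overlaps


def matching_tunnels(destination, tunnels):
    """Names of all tunnels whose remote subnets contain `destination`.
    More than one name means several tunnels claim the same destination."""
    dst = ipaddress.ip_address(destination)
    return sorted(name for name, prefixes in tunnels.items()
                  if any(dst in ipaddress.ip_network(p, strict=False) for p in prefixes))


if __name__ == "__main__":
    for a, pa, b, pb in find_overlaps(BRANCH_LAN, TUNNELS, REMOTE_ACCESS_POOL):
        print(f"OVERLAP: {a} {pa} <-> {b} {pb}")
    for probe in ("10.1.4.4", "10.2.9.9", "10.50.0.200"):
        print(probe, "->", matching_tunnels(probe, TUNNELS) or "no tunnel")
```

With the constructed data the script reports two problems: the remote-access pool sits inside the branch LAN, and 10.2.0.0/16 is claimed by both DC1 and DC3, so a probe of 10.2.9.9 lists both tunnels. Either condition is exactly the kind of ambiguity the reply asks you to rule out before looking at firewall rules; an empty overlap list and a single tunnel per probe is the state you want.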