Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 29 subscribers
  • Views 631 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN Performance (IKEv2) - Bad with VDSL - Good with Fibre

juergenb52

Hello,

we use Microsoft Always On for all Mobile and Home Office Users.

These clients connect to their home routers and connect to a public IP of our XGS2100.
The Firewall uses a symetric Fibre connection (100MBit) from German Telekom.

XGS has forwarding rule to the internal RAS Server.

SSL/TLS is currently disabled, IPS is disabled for this firewall rule at console level.

We have different situations with/without any problems

Users with a Fibre (400/200) at Deutsche Glasfaser have no problems.
Users with a VDSL  (250/10) at German Telekom have no problems.
Users with a VDSL  (100/50) at German Telekom have no problems.

But only some have problems with a VDSL Connection at German Telekom?

They use a AVM FritzBox, LANCOM R884AV, Speedport Router and all share the same problem.
Performance for MS AlwaysOn is terrible slow, they have disconnects, and no connections during the day.

I tried to change the MTU at Client Side (1300-1400) that didn´t change anything.
I changed the MTU at Internet Side in LANCOM Router <-> VDSL to 1400 and a few minutes this was better.

But most of the settings didn´t work at all.

Is there anything i could verify/change at Firewall (XGS 18.5.4) level?

I tried some TCP Dumps at Client Side, it doesn´t matter if the client uses WiFi (Connected to XGS2100) or a VDSL Internet Connection.
TCP Dumps shows a lot of TCP Retransmissions in both connection.

 But WiFi Connection and performance is good.

Has anyone solved these VPN performance Settings at Firewall Level?

Thanks

Jürgen



This thread was automatically locked due to age.
  • 0

    Hello ,

    Thank you for reaching out to the community, can you please share the config of the VPN ?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    <VPNProfile>
    <NativeProfile>
    <Servers>alwaysonvpn.company.de</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
    <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    </NativeProfile>
    <DomainNameInformation>
    <DomainName>.company.de</DomainName>
    <DnsServers>192.168.0.109,192.168.0.104</DnsServers>
    </DomainNameInformation>
    <DnsSuffix>company.de</DnsSuffix>
    <Route>
    <Address>192.168.0.0</Address>
    <PrefixSize>24</PrefixSize>
    </Route>
    <AlwaysOn>true</AlwaysOn>
    <DeviceTunnel>true</DeviceTunnel>
    <RegisterDNS>true</RegisterDNS>
    <TrustedNetworkDetection>company.de</TrustedNetworkDetection>
    </VPNProfile>

  • 0

    I am not sure, if this is really something, based on the Firewall? I would look into the RAS and Microsoft Support first. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I checked RAS and Hardware Router Support already.

    i checked other things...

    the connection to a SQL Server (SQL01) is terrible slow.
    the connection to a SQL Server (SQL02) is fast.

    Both Servers are on the same Hyper-V Host, one is a Windows 2008 (fast), the other a Windows 2016 (slow) VM.
    very strange 

  • 0 in reply to juergenb52

    Hi juergenb52

    Need more information like you connecting the user with IPSec VPN(remote access), SSL VPN(remote VPN), or site to site?

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to juergenb52

    Not sure, how the appliance should cause this. You could perform two tcpdumps on the appliance and check both dumps. Do not know, if the appliance is even involved in the post VPN traffic (RAS server to SQL). But i dont know, how to debug this. If you say, its not all servers in your network, this sounds specifically like a network issue. 

    __________________________________________________________________________________________________________________

Unfiltered HTML