
Port Speed Up/Downlink Limitation

Dear Sophos Community,

we have experienced the following at a customer:

Site A

XGS2100 Cluster SFOS 19.0.0 GA-Build317

Site B

XGS116 Cluster SFOS 19.0.0 GA-Build317

Connection via "point to point" glass fiber Provider Switch, Copper Uplink Module on Port 5 respectively, 1Gbit/s symmetrical

IP Configuration

WAN Zone 172.31.255.0/24 (Site A has the IP .2; Site B has the IP .3, as Gateway we set the respective other appliance. Only Site A has a real WAN Uplink, Port 5 was put as backup manually on both appliances)

Site-to-site VPN, to make sure, that ISP cannot track the traffic between Sites, as it contains very sensitive Data

Connection Type Tunnel Interface (Phase 1

Site A having 10.10.10.1/30

Site B having 10.10.10.2/30

Routing via OSPF

Throughput of both Devices should be sufficient (Both Phases with AES256 and SHA256 and DH14 group). Tunnel itself seems stable.

Now the curious part: Site A to Site B seems to work fine, however, Site B to Site A the Uplink from Site B seems to be limited to 10MBit/s sharp; Search pointed me towards Traffic shaping settings, these were changed to maximum values, however, did not make any difference.

Question: Is there anything I am overlooking, shouldn't the appliance be able to use somewhat near 1GBit/s minus IPsec overhead and encryption/decryption delays? Why is the Limitation asymmetric, does it have to do with the XGS116 Cluster?

IPS and other load-specific processes are not yet in use, no QoS is active. Provider Checked the Ports of his Switch, no limitations there.



  • Such a big difference (>10:1) is mostly the result of a duplex mismatch.

    Please check if somewhere a port has a fixed speed setting and not "autonegotiation".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi dirkkotte,

    thanks for your reply, sadly we already checked that, it's all full duplex 1000MBit/s via autonegotiation.

    The curious part is that it's one wire, one port, and downstream on Site B seems to work fine, just a limitation in Upstream on Site B.

  • Hey,

    Under the ssh menu > press 4 for the device console and execute the following command:
    console> system diagnostics utilities bandwidth-monitor
    then press 'u' twice; you'll be able to see the errors/sec results on the interface, see if there are any.
    If there are no errors, then go back to the ssh menu > press 5 for the device management > press 3 for the advanced shell
    and execute the following command:
    #ifconfig Port<no>
    see if there are any drops increasing on RX or TX, or do you see any errors increasing?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Vivek Jagad,

    thanks for your Reply.

    (sadly)

    console> system diagnostics utilities bandwidth-monitor

    did not show me any errors on both appliances.

    The result for

    #ifconfig Port5

    did not give me any Errors either. I must say, I am a bit confused, as the interfaces seem to have IPv6 Addresses, even though they are not configured.

    I redid both checks while pushing "a large file" through the tunnel; on the console after a while I could see that the bandwidth stops growing after around 10MBit/s, yet no Errors on both appliances again.

    these are the results from shell:

    XGS116_XN01_SFOS 19.0.0 GA-Build317# ifconfig Port5
    Port5 Link encap:Ethernet HWaddr 7C:5A:1C:98:4E:EC
    inet addr:172.31.255.3 Bcast:172.31.255.255 Mask:255.255.255.0
    inet6 addr: fe80::7e5a:1cff:fe98:4eec/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:14291419 errors:0 dropped:0 overruns:0 frame:0
    TX packets:9276657 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:12535394726 (11.6 GiB) TX bytes:2815514594 (2.6 GiB)

    XGS2100_RL01_SFOS 19.0.0 GA-Build317# ifconfig Port5
    Port5 Link encap:Ethernet HWaddr C8:4F:86:FC:00:05
    inet addr:172.31.255.2 Bcast:172.31.255.255 Mask:255.255.255.0
    inet6 addr: fe80::ca4f:86ff:fefc:5/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:308329195 errors:0 dropped:0 overruns:0 frame:0
    TX packets:267972165 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:222888683243 (207.5 GiB) TX bytes:206170907576 (192.0 GiB)

    Thanks for your help

    Edit:

    Just for verification purposes, I pushed "a large file" the other direction ... it was so fast ... I couldn't even start the logging ... Browser Download showed something above 60MB/s just before it finished the download...

  • Interesting, we do not see any errors, drops or overruns either !!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 19.5 GA


  • Hi,

    I just realised I watched Port5 instead of xfrm1 ... for completeness, port statistics for the correct interface.

    Here I find many dropped packets. The number is not increasing while I download "the big file" (this might have other backgrounds, like testing or incorrect traffic when I restored an old backup on Site B).

    XGS116_XN01_SFOS 19.0.0 GA-Build317# ifconfig xfrm1
    xfrm1 Link encap:UNSPEC HWaddr 7C-5A-1C-98-4E-EC-00-E5-00-00-00-00-00-00-00-00
    inet addr:10.10.10.2 Bcast:0.0.0.0 Mask:255.255.255.252
    inet6 addr: fe80::c82d:9183:20b9:ee4b/64 Scope:Link
    UP BROADCAST RUNNING NOARP MULTICAST MTU:1400 Metric:1
    RX packets:16368335 errors:0 dropped:0 overruns:0 frame:0
    TX packets:12168182 errors:0 dropped:2 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:9993113044 (9.3 GiB) TX bytes:3233759264 (3.0 GiB)

    XGS2100_RL01_SFOS 19.0.0 GA-Build317# ifconfig xfrm1
    xfrm1 Link encap:UNSPEC HWaddr 7C-5A-1C-BD-CF-A0-00-67-00-00-00-00-00-00-00-00
    inet addr:10.10.10.1 Bcast:0.0.0.0 Mask:255.255.255.252
    inet6 addr: fe80::b93c:dc90:1afe:e7a9/64 Scope:Link
    UP BROADCAST RUNNING NOARP MULTICAST MTU:1400 Metric:1
    RX packets:234694318 errors:0 dropped:1 overruns:0 frame:0
    TX packets:187295759 errors:0 dropped:91060 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:138134404961 (128.6 GiB) TX bytes:123465656145 (114.9 GiB)

    Errors on XGS2100 in Transmission, this would not actually fit the problem, since the Download on XGS2100 (Site A) is limited (or the Upload on XGS116 (Site B) )
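    As an added example (not part of this thread or of Sophos' own tooling), the following Python script does what Vivek's advice describes in a repeatable way: it parses two ifconfig samples of the same interface taken some seconds apart, reports which error/drop/overrun counters grew between them, and converts the byte-counter delta into Mbit/s, so a stalled transfer can be matched against counter growth instead of reading the raw numbers by eye. The first sample is the XGS2100 xfrm1 output quoted above; the second sample is constructed for this example (the interval of 10 seconds, the extra 12,500,000 TX bytes and the 40 additional TX drops are assumed values, not measurements from the thread).

```python
import re

# Sample 1: the XGS2100 xfrm1 block as posted in the thread.
IFCONFIG_T0 = """xfrm1 Link encap:UNSPEC HWaddr 7C-5A-1C-BD-CF-A0-00-67-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 Bcast:0.0.0.0 Mask:255.255.255.252
UP BROADCAST RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:234694318 errors:0 dropped:1 overruns:0 frame:0
TX packets:187295759 errors:0 dropped:91060 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:138134404961 (128.6 GiB) TX bytes:123465656145 (114.9 GiB)
"""

# Sample 2: CONSTRUCTED for this example, "10 seconds later" during a transfer.
# TX bytes grew by 12,500,000 (exactly 10 Mbit/s over 10 s), TX drops grew by 40.
IFCONFIG_T1 = """xfrm1 Link encap:UNSPEC HWaddr 7C-5A-1C-BD-CF-A0-00-67-00-00-00-00-00-00-00-00
inet addr:10.10.10.1 Bcast:0.0.0.0 Mask:255.255.255.252
UP BROADCAST RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:234702318 errors:0 dropped:1 overruns:0 frame:0
TX packets:187304759 errors:0 dropped:91100 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:138135004961 (128.6 GiB) TX bytes:123478156145 (114.9 GiB)
"""

# One regex for the "RX packets:... " and "TX packets:..." lines, one for the byte counters.
COUNTER_RE = re.compile(
    r"(?P<dir>RX|TX) packets:(?P<packets>\d+) errors:(?P<errors>\d+) "
    r"dropped:(?P<dropped>\d+) overruns:(?P<overruns>\d+)"
)
BYTES_RE = re.compile(r"(?P<dir>RX|TX) bytes:(?P<bytes>\d+)")

# Counters that should never grow on a healthy link.
PROBLEM_FIELDS = ("rx_errors", "rx_dropped", "rx_overruns",
                  "tx_errors", "tx_dropped", "tx_overruns")


def parse_ifconfig(text):
    """Turn one classic ifconfig block into a flat dict of integer counters."""
    head = re.match(r"\s*(\S+)\s+Link encap", text)
    if head is None:
        raise ValueError("not an ifconfig interface block")
    stats = {"name": head.group(1)}
    mtu = re.search(r"MTU:(\d+)", text)
    stats["mtu"] = int(mtu.group(1)) if mtu else None
    for m in COUNTER_RE.finditer(text):
        direction = m.group("dir").lower()
        for field in ("packets", "errors", "dropped", "overruns"):
            stats[f"{direction}_{field}"] = int(m.group(field))
    for m in BYTES_RE.finditer(text):
        stats[f"{m.group('dir').lower()}_bytes"] = int(m.group("bytes"))
    return stats


def compare_samples(before, after, seconds):
    """Rate and counter growth between two samples of the same interface."""
    if before["name"] != after["name"]:
        raise ValueError("samples are from different interfaces")
    if seconds <= 0:
        raise ValueError("sample interval must be positive")
    # Only counters that actually increased are reported; a large but static
    # historic value (like the 91060 TX drops above) is not evidence by itself.
    growing = {f: after[f] - before[f] for f in PROBLEM_FIELDS if after[f] > before[f]}
    return {
        "interface": after["name"],
        "rx_mbps": (after["rx_bytes"] - before["rx_bytes"]) * 8 / seconds / 1e6,
        "tx_mbps": (after["tx_bytes"] - before["tx_bytes"]) * 8 / seconds / 1e6,
        "growing": growing,
    }


def report(result):
    """Human-readable one-liner for a compare_samples() result."""
    line = (f"{result['interface']}: RX {result['rx_mbps']:.2f} Mbit/s, "
            f"TX {result['tx_mbps']:.2f} Mbit/s")
    if result["growing"]:
        grown = ", ".join(f"{k}+{v}" for k, v in sorted(result["growing"].items()))
        return line + f"; counters growing: {grown}"
    return line + "; no error/drop/overrun growth"


if __name__ == "__main__":
    t0 = parse_ifconfig(IFCONFIG_T0)
    t1 = parse_ifconfig(IFCONFIG_T1)
    print(report(compare_samples(t0, t1, seconds=10)))
```

    On the appliance itself the two samples would come from running ifconfig twice from the advanced shell with a known pause in between (for example a sleep of 10 seconds) while the large file is being pushed; the interesting signal is a counter that grows during the transfer, not its absolute value.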

  • Hi Thomas_XG,

    Thanks for your reply, will look into it, however, I just tried (because I had a similar idea) to route specific traffic of 2 devices over the "WAN" distance (as it is point to point) so without the ipsec tunnel, same results.

    I looked up the entry and tried it with disabled firewall acceleration and disabled ipsec acceleration ... same results as well =/

  • have you tried creating a new IPsec profile with comparatively lower encryption !!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Hi,

    changed Profile to

    ikeV1 DH Group 1 AES125 MD5 no pfs

    not working, same results =(

    Thanks for the idea though