Port Speed Up/Downlink Limitation

Dear Sophos Community,

we have experienced the following at a customer:

Site A

XGS2100 Cluster SFOS 19.0.0 GA-Build317

Site B

XGS116 Cluster SFOS 19.0.0 GA-Build317

Connection via "point to point" glass fiber Provider Switch, Copper Uplink Module on Port 5 respectively, 1Gbit/s symmetrical

IP Configuration

WAN Zone 172.31.255.0/24 (Site A has the IP .2; Site B has the IP .3, as Gateway we set the respective other appliance. Only Site A has real WAN Uplink, Port 5 was put as backup manually on both appliances)

Site-to-site VPN, to make sure that the ISP cannot track the traffic between Sites, as it contains very sensitive Data

Connection Type Tunnel Interface (Phase 1

Site A having 10.10.10.1/30

Site B having 10.10.10.2/30

Routing via OSPF

Throughput of both Devices should be sufficient (Both Phases with AES256 and SHA256 and DH14 group). Tunnel itself seems stable.

Now the curious part: Site A to Site B seems to work fine, however, Site B to Site A the Uplink from Site B seems to be limited to 10MBit/s sharp; Search pointed me towards Traffic shaping settings, these were changed to maximum values, however, did not make any difference.

Question: Is there anything I am overlooking, shouldn't the appliance be able to use somewhat near 1GBit/s minus IPsec overhead and encryption/decryption-delays? Why is the Limitation asymmetric, does it have to do with the XGS116 Cluster?

IPS and other load-specific processes are not yet in use, no QoS is active. Provider Checked the Ports of his Switch, no limitations there.



This thread was automatically locked due to age.
  • Another thought that comes to my mind: You said you test the speed with a normal copy job of a large file, or?

    "Site B seems to be limited to 10MBit/s" is it really Mbits or MBytes? Because if it's 10 MBytes/s then your device on Site B where you start the test will probably sit behind a 100Mbit Switch, this will explain the "sharp 10 MB/s" - saw this often in projects...

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 19.5 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Thomas_XG,

    Thanks

    100% with you, it's really 10MBit/s; the peculiar thing is, that it's just sending from Site B to Site A ... if there was a 100MBit Switch involved, traffic would be limited in both directions sending and transmitting. This on the other hand is wrong.

    In my Test I used 2 Linux Machines and 2 QNAPs and Downloaded a 3~5GB Backup File via https across the sites. Downloading a File on Site B from Site A was done in a few seconds. Downloading a File on Site A from Site B took a very long time.

    You could even see that the bandwidth is filled up, as a ping check (both directions) was not influenced much when downloading from Site A, however, when downloading from Site B ping times went from 0.x~1ms towards 30ms

  • So Linux-A is downloading from QNAP-B and Linux-B from QNAP-A, or?

    Linux-B from QNAP-A is working fine. Linux-A from QNAP-B not.
    Can you try another client from Site-A to download from QNAP-B to check if the problem still occurs? I don't know if it's a Linux VM or a physical Linux machine, if you can test both this would narrow it down a bit.

    What happens if you copy the same file which you downloaded for Linux-B to Linux-A?


  • Hi, exactly as you describe it.

    This was just to verify for me, that the problem still occurs.

    As I did not know of this problem, I migrated from the existing (properly working) site-connection towards the XGS Clustered IPsec Connection... in live real Traffic (Windows Hardware Clients, to other Clients, Servers and printers etc.) we had to find out that the limitation of the bandwidth is the problem.
