Horrible Website Loading Speeds with Content Filtering / IPS enabled

Hi everyone,

I'm posting here as a last-ditch effort before I return my Sophos XG products for a refund and go with Meraki or Sonicwalls.

Over the last week or so, I have been receiving complaints from my client stating that their internet speeds are painfully slow. I ran a speedtest from speedtest.net and they were getting 100 down / 10 up, so it's not an issue with download speeds. I verified that the issue is that it can take 6-10 seconds to load a website. Websites that are especially graphics-heavy or secure, such as banking websites, seem to take the longest. (HTTPS scanning and HTTP scanning are disabled.)

I spent some time troubleshooting the problem and determined that the problem goes away when I turn off "Default Workplace Policy" and the "LAN to WAN" IPS policy. BOTH of these are combining to cause the slow speeds. For example, if I only turn on Default Workplace Policy (and leave IPS off), what it will do is take 3-5 seconds to load all of the content on each website, i.e. it will load the content in small chunks, such as images etc. An interesting thing to note is that even when "Allow All" is selected, it still takes this long. I have to select "none" for the speeds to improve.

When I turn OFF "Default Workplace Policy" and turn on only the IPS, then it takes 3-5 seconds to start loading the website. It will be stuck at "Establishing Secure Connection" or "Resolving Host" for that period of time then it will load the page quickly after the initial 3-5 second waiting period. If I turn both off, the page loads in 0.5 seconds.

I understand there are tweaks I can do to improve the IPS speeds but there seems to be nothing I can do about the content filtering... except turn it off.

Before I return these Sophos products, I wanted to reach out to the community to see if there was anything I can do.

Note, this happens on both my Sophos XG125 (serving 12 users) and Sophos XG105 (serving 3 users). The CPU on both is usually around 10% and memory around 50%. The only option is to turn IPS and content filtering off... which is a horrible solution. This Sophos product has caused me nothing but problems since I bought it.

Thanks,

Chris

  • Hi Chris, 

    Please follow:

    Step 1: Verify DoS Settings

    One major reason for slow browsing is an ongoing DoS or DDoS attack. It may be possible that DoS settings are not enabled in XG, hence the attack was not detected, or that the settings are inappropriate. Navigate to System > System services > DoS and Spoof prevention.

    Step 2: Check DNS Configuration

    The following may be the reasons for slow browsing:

    Case 1

    An Internal DNS server is configured for LAN users and all DNS requests are directed to it. Issues with the Internal DNS Server or the External DNS Server, to which it forwards requests, may result in overall slow browsing.

    Resolution: To resolve this issue, contact appropriate administrators or Server vendors.

    Case 2

    Multiple ISP links are terminated on XG and user systems are configured with a particular ISP's DNS. In this case, the outgoing DNS traffic gets load balanced. Hence, two possibilities occur:

    - If a DNS request travels through the ISP link whose DNS is configured in the user's system, the request is resolved and turnaround time is good.
    - If a DNS request travels through another ISP link, the request is dropped because the DNS configured in the user's system does not match that ISP's DNS.

    This results in only some of the DNS requests in the network being resolved, which ultimately leads to slow browsing.

    Resolution: Configure a static route in XG that forwards all DNS traffic to the ISP link whose DNS is configured in the users' systems.

    Step 3: Check for Packet Loss within the Network

    Loss of packets during transmission between network nodes may result in reduced browsing speeds.

    Resolution: To check for packet loss, follow the instructions given below.

    Take SSH to XG and go to option 4. Type: console> show network interfaces

    Check if you see any dropped or error packets on the interfaces.

    Finally, if you still face slow browsing, check the bandwidth utilization on XG and whether any QoS is applied to control the web traffic.

    Hope that helps :)

  • Hi,

    I am sorry, but Chris's DNS is "Workstations use the XG125 as their DNS server, however I have also set it to 8.8.8.8 (Google) to no avail."

    and I feel confused with your DNS case 1 and case 2 suggestions...

    I don't believe DoS protection will be the case, as it's disabled by default.

    Packet loss? He said removing IPS solves his issues and enabling it again breaks his www surfing.

    Chris, I had a lot of issues with the IPS, and most of them I solved just by moving the rules / changing their places back and forward... but before that, check your IPS rules, and under Diagnostics -> IPS you should be able to see if that's the root of your problem.

  • Hi,

    I missed Chris's later post. I replied to his initial question. But, I will still wait for him to reply.

    Thanks

  • Hi everyone,

    I resolved the issue; thank you for your suggestions. The problem was under Network -> DNS: the primary DNS for the Sophos XG was its internal LAN IP (10.0.0.1). I did a DNS test from the XG and response times were over 400 msec. As soon as I changed the device DNS from that IP to the ISP's DNS servers, response times went down to 5-50 msec. I could then enable IPS and content filtering with no lag noticed on the workstation end. I'm not sure why no one suggested this (including Sophos support in a ticket I've had open for weeks about the issue), which is annoying because I don't feel I can rely on them for support when I need it.

    Now to figure out how to get L2TP remote access working... I got PPTP and SSL VPN working no problem, but am having problems with L2TP even after setting authentication to ANY via the CLI, ensuring the PSK matches between the client and the XG, defining a scope in the L2TP settings, defining an L2TP connection and clicking "active" to turn it green, and so on... I guess I'll make another thread about that.

    Thanks,

    Chris
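The root cause in this thread was resolver latency (400 ms from the firewall's own DNS versus 5-50 ms from the ISP's resolvers), which the "Check DNS Configuration" step above describes in general terms. The following script is an added example, not code from the thread or from Sophos: it times a raw UDP A-record query against each resolver in a list and flags any whose answer takes longer than a threshold, so the same measurement Chris did from the XG's DNS test page can be repeated from any workstation behind the firewall. The resolver list, the query name and the 400 ms threshold are assumptions taken from the numbers in the thread; replace them with your own.

```python
import random
import socket
import struct
import time

# Constructed resolver list (assumption, not from the thread's configuration):
# the firewall's LAN address from Chris's post plus the public resolver he
# mentioned. Replace with the resolvers your clients actually use.
RESOLVERS = ["10.0.0.1", "8.8.8.8"]
SLOW_MS = 400.0      # Chris saw ~400 ms responses before the fix, 5-50 ms after
QUERY_NAME = "example.com"


def build_query(name, txid):
    """Build a minimal RFC 1035 A-record query in wire format."""
    # ID, flags (RD=1 only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"                                  # root label ends the name
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(data, txid):
    """Decode the 12-byte DNS header and check that it answers our query."""
    if len(data) < 12:
        raise ValueError("short DNS response (%d bytes)" % len(data))
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id_match": rid == txid,          # mismatch: not the reply to our query
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,          # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "answers": an,
    }


def classify(latency_ms, slow_ms=SLOW_MS):
    """Turn a measured latency into a verdict: ok / slow / timeout."""
    if latency_ms is None:
        return "timeout"
    if latency_ms >= slow_ms:
        return "slow"
    return "ok"


def probe(resolver, name=QUERY_NAME, timeout=2.0):
    """Send one UDP query and return (latency_ms or None, header dict or None)."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None, None
        latency_ms = (time.perf_counter() - start) * 1000.0
    header = parse_header(data, txid)
    if not header["id_match"] or not header["is_response"]:
        return None, header               # a stray packet is not a valid answer
    return latency_ms, header


def report(resolvers=RESOLVERS):
    """Probe every resolver; return a list of (resolver, latency_ms, verdict)."""
    rows = []
    for resolver in resolvers:
        latency_ms, header = probe(resolver)
        verdict = classify(latency_ms)
        if header is not None and header["rcode"] != 0:
            verdict += " (rcode=%d)" % header["rcode"]
        rows.append((resolver, latency_ms, verdict))
    return rows


if __name__ == "__main__":
    for resolver, latency_ms, verdict in report():
        shown = "timeout" if latency_ms is None else "%.1f ms" % latency_ms
        print("%-15s %-10s %s" % (resolver, shown, verdict))
```

Run it from a LAN workstation before and after changing the firewall's upstream DNS; a resolver that reports "slow" or "timeout" while others answer in tens of milliseconds points at the DNS path rather than at IPS or content filtering, which only appear slow because every page load waits on several lookups. The header check matters because a mismatched transaction ID is not our answer and must not be counted as a fast response.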