Slow VLAN to other VLAN file tranfer

Raffty,

so you are using XG as layer 3 device to route traffic between VLAN? Did you create the required Policy rule to allow transfer?

IPS scanning is not enabled?

Post a screenshot of the firewall rule configuration. I have 2 VLANs and I am not experiencing the same issue (unfortunately I am using a 100 Mb switch)

Hi Luk,

Yes, I used XG as layer to route traffic which also act as my DHCP server. For the rule, as of now I am using the LAN-LAN rule which is allowing all traffic (any-any) I dont have any fiilter yet per VLAN because my network is new and yet stable to easily isolate if there is any problem. The I found out that VLAN to other VLAN connection is slow compare to a traffice when using the same process on the same VLAN. 

Yes, on the Policy, IPS was disabled, no security scanning yet was implemented. The only policy that have IPS is my LAN-to-WAN for the internet.

On my setup, I have total of 12 VLAN's representing for every teams created on my 10GB XG port. Image attached is my LAN to LAN Policy.

Raffty

Thanks Raffty,

Can you share the output of the 4 commands I wrote in the previous reply?

Thanks

Hi lferrara,

Yes, please see below for the result.

 Thanks,

Raffty

Sorry first one seem's blur, txt based to be sure.

Sophos Firmware Version SFOS 15.01.0 MR-3

console> sh ips-settings
-------------IPS Settings-------------
stream on
lowmem off
maxsesbytes 0
maxpkts 8
mmap off
enable_appsignatures on
http_response_scan_limit 65535

-------------IPS Instances------------
IPS CPU
1 2

console> sh advanced-firewall
Strict Policy : on
FtpBounce Prevention : control
Tcp Conn. Establishment Idle Timeout : 10800
Fragmented Traffic Policy : allow
Midstream Connection Pickup : off
TCP Seq Checking : on
TCP Window Scaling : on
TCP Appropriate Byte Count : on
TCP Selective Acknowledgements : on
TCP Forward RTO-Recovery[F-RTO] : off
TCP TIMESTAMPS : off
Strict ICMP Tracking : off

Bypass Stateful Firewall
------------------------
Source Genmask Destination Genmask

NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP

Raffty,

from your reports, you do not even reach 100Mb. I would advise you to open a ticket with support and also send an email to sachingurung to check if it can follow your case internally too.

Make sure to configure all the ports in Full Duplex where the speed is not Auto but fixed. Also I would check a flow between 2 switches ports without passing through the XG and check the performance.

I remember some time ago that even the switch was not able to handle the 10G traffic (it was a bug inside the switch OS).

After these tests, open a ticket with the Support and let us know!

Thanks

Hi lferrara,

Yes, I already did created a ticket and I am waiting for the support together with the local support.

Ports are already configured in Full Duplex, in terms of 10GB switch capability, I already tested that, the switch can handle 10GB speed and I already tested that. If my servers and client are on the same VLAN, I dont have problem with speed at all, the only problem is when they were in separate VLAN's. Also tested a separate test environment not using my production switch and I still enocunter the same issue. Therefore, I can now conclude that this is not an Internal issue. Thank you so much for your help and ideas Iferrara.

Thanks,

Raffty

Hi Rafty,

@Varun, in the FW-rule statistics; the "In/Out: amount of traffic (in bytes) coming in or going out" is calculated over time which amounts to what traffic did pass through from the FW-rule. I think that's not the problem. Check #4 in my guide here.

Take SSH to XG and go to option 4. Device Console, Run a command, system diagnostics utilities bandwidth-monitor

Monitor the throughput rate on the VLAN interface. If the amount of traffic rate on a particular interface breaches the threshold value then the issue might be high transmission rate.

Thanks

Hi Sachin,

Below is the result of the bandwidth monitor command.

Thanks

Raffty

Thanks Raffty.

The output from bandwidth command is executed during a huge network traffic? I mean, did you execute the command while you tried to move let's say 200 GB of file from one VLAN to another?

I am sure that there is a bug on the FlexiPort module (not HW but SW)

Thanks

Hi Luk,

When I run the command, I am in the production mode. Therefore, my users probably did transfer files from their PC's to respected servers they used. Thank you for pointing this out that this should be a Sophos issue. On my perspective, it's not just bug in the flexiport, I think it is in the Sophos routing because I also tested before the built in port of my XG, I used the 1GB port as my LAN port and simulated the same scenario transferring files from VLAN to another and I still encountered the same issue. Please note on this test, it was purely separated in my production, therefore my production internal switch was not involve, only 1 switch and 2 clients configured connected in different VLAN's were used. :)

We are an entertainment media company that's why transfer speed is very critical on our end and I did not expect that I will be encountering this in Sophos, when I was still using the opensource PfSense as my firewall I did not experienced this kind of issue before. I was also been supported by our local Sophos Support partner and they said they will escalate the issue to the 2nd level support.

Thanks,

Raffty

Hi Luk,

When I run the command, I am in the production mode. Therefore, my users probably did transfer files from their PC's to respected servers they used. Thank you for pointing this out that this should be a Sophos issue. On my perspective, it's not just bug in the flexiport, I think it is in the Sophos routing because I also tested before the built in port of my XG, I used the 1GB port as my LAN port and simulated the same scenario transferring files from VLAN to another and I still encountered the same issue. Please note on this test, it was purely separated in my production, therefore my production internal switch was not involve, only 1 switch and 2 clients configured connected in different VLAN's were used. :)

We are an entertainment media company that's why transfer speed is very critical on our end and I did not expect that I will be encountering this in Sophos, when I was still using the opensource PfSense as my firewall I did not experienced this kind of issue before. I was also been supported by our local Sophos Support partner and they said they will escalate the issue to the 2nd level support.

Thanks,

Raffty