Sophos XG85w - SSL VPN works in TCP but not in UDP

Hi Raphaël,

You need to download again the configuration file for the SSL VPN Client if you change from TCP to UDP. Or you can manually change the configuration from which is stored in C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config and change the line "proto tcp" by "proto udp".

Regarding the slow TCP connection, I would take a look at the MTU. You need to go in Network > Interfaces, here you modify your WAN interface and you go into "Advanced Settings", you can lower the MTU, I'd try 1400 and you need to modify the MSS aswell, 40 under the MTU, so 1360 for example.

Hi Thibaut,

Thank you for you response.

I already download the configuration file with after change the protocole to UDP but it doesn't work.

For the MTU and MSS and could try to change it. But we'll it impact internet traffic ? And what could be the gain?

Thanks for you help

Hi Raphaël,

The MTU is the maximum length of a packet over the network. The default value is 1500 and sometimes some Internet connexion can't accept those packet length and are dropping packets that exceed their capacity. This could be a reason for slow SSL VPN. By setting it lower, your Sophos will fragment the packets to smaller ones, that should not impact your Internet traffic.

Btw, from LAN to WAN, do you experience slow Internet connexion or not?

Hello,

Today, I tried to reconfigure the VPN but there is still the problem.

The last firmware is installed.

For now I'm still using TCP protocol and the problem is that the connection with SSL VPN is very slow and unstable. Ping response is between 25ms and 1100ms ! I tried with PPTP and it's worse, I got a timeout each 15 ping...

The MTU is configured right for our internet connection and internet access from LAN is very good.

I know that a xg85w is not the Rolls from Sophos but this VPN speed is terrible and I can't increase is... The firewall seems ok with 18% CPU usage and 45% memory usage.

Does anybody have an idea of the problem?

Thank you

Hello,

Today, I tried to reconfigure the VPN but there is still the problem.

The last firmware is installed.

For now I'm still using TCP protocol and the problem is that the connection with SSL VPN is very slow and unstable. Ping response is between 25ms and 1100ms ! I tried with PPTP and it's worse, I got a timeout each 15 ping...

The MTU is configured right for our internet connection and internet access from LAN is very good.

I know that a xg85w is not the Rolls from Sophos but this VPN speed is terrible and I can't increase is... The firewall seems ok with 18% CPU usage and 45% memory usage.

Does anybody have an idea of the problem?

Thank you

Hi Raphael,

Decrease the Key size to 1024 bits in the SSL VPN settings. Any improvement?

NOTE: Reimport a fresh configuration file on the VPN client after the changes.

Thanks

Hi sachingurung,

Thank you for you answer. I have already set encryption to all minimum settings include key size to 1024 but there is still no improvement.

Here is transfer speed information :

Bandwidth speed on Sophos site : DL:40Mbit/s UL:10 MBit/s.

Bandwidth speed on the remote site DL:200Mbit/s UL:20Mbit/s.

With the VPN connection on, I'm copying files on the NAS at 200KB/s. Sometimes it reach a peak at 1MB/s and crash again sometimes below 100KB/s.

Without VPN (access to NAS via public IP) the transfer speed is 2.5MB/s and pretty stable.

My question is : are the speed transfer with VPN acceptable? Is it the max speed that I can have with the internet connection ? What is the tolerable loss with VPN ?

Thank you

Hi Rapheal,

Verify/configure the following steps:

1. No QoS on SSL VPN network pool

2. IPS= None in the VPN_LAN & LAN_VPN FW-Rule.

3. In Network > Interfaces>"Advanced Settings", lower the MTU, I'd try 1400 and you need to modify the MSS aswell, 40 under the MTU, so 1360 for example.

Any luck with that?

Hello,

No QoS on the SSL VPN network pool and no IPS in firewall rules.

The MTU seems good to our internet provider, internet speed from the sophos site si really good. If I change the MTU in the interface will users have a disconnection ?

Thank you for you help

Yes, a minor glitch will be experienced by the users connected to that network interface. 

Thanks

Ok, I did the change and no improvement on the speed.

What do you think of the copy speed ? I think it's slow but maybe it's the best that we can have with these internet connections and the XG85w.

For you what should be the transfer speed with SSL VPN if the speed is 2.5MB/s withtout VPN ?

Thank you for you response

Do you have an idea about my last post ?