Sophos Firewall: Troubleshooting Guide - How to achieve high VPN speed

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article explains network speed, how to achieve high speed in a VPN, and how to troubleshoot the problem of slow VPN speed.

It applies to all VPN types, including remote access and site-to-site IPsec and SSL VPN.

Facts about network speed

Network speed between 2 hosts is determined by:

  • bandwidth between them. Bandwidth is the maximum speed that can be achieved with 0 latency and 0 packet loss.
  • latency of the links between them. Latency reduces network speed, even if it is only 1ms.
  • packet loss on the links between them. Packet loss triggers TCP retransmission and reduces speed.

Note:

Facts about SMB transfer speed

SMB (Windows file sharing) is quite sensitive to latency and packet loss.

The following speeds were measured on a 1Gbps link with 0 packet loss:

  • at < 1ms latency, SMB speed is 247MB/s
  • at 5ms latency, SMB speed is 18MB/s
  • at 10ms latency, SMB speed is 10.6MB/s
  • at 15ms latency, SMB speed is 8.32MB/s

In comparison, the HTTP transfer speed can reach 51.2MB/s on a link with 15ms latency and 0 packet loss.

How to achieve high speed in VPN

Note:

  • VPN speed is always lower than the network speed, due to the delay caused by packet encryption / decryption.
  • A VPN connection is sensitive to packet loss. In my personal experience, packet loss higher than 2% reduces VPN speed drastically.

To achieve high VPN speed in the following typical VPN setup:

Please make sure that:

  1. there is 0 packet loss between the WAN IPs of the firewalls.

  2. there is low network latency between the WAN IPs of the firewalls.
    Here are the steps to check the packet loss and network latency between the Sophos Firewall WAN IP and the remote firewall WAN IP:
    • Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
    • Go to 5. Device Management > 3. Advanced Shell, and run the following command:

      for Sophos Firewall OS v19.x
      ping -a SophosFirewall_WAN_IP REMOTE_WAN_IP -s 1200 -c 50

      for Sophos Firewall OS v18.x
      ping -i SophosFirewall_WAN_IP REMOTE_WAN_IP -s 1200 -c 50

      The above command sends 50 ping requests from the specified Sophos Firewall WAN IP to the remote firewall WAN IP with an ICMP data payload of 1200 bytes.

  3. there is 0 packet loss and low latency between each firewall's LAN IP and the computers behind it.
    It can be verified by
    • pinging from firewall #1 LAN IP to computer #1, and then
    • pinging from firewall #2 LAN IP to computer #2

  4. test the VPN speed between computer #1 and computer #2 by ping or file download. Don't ping from a firewall LAN IP to a computer in the remote VPN network, as the firewall LAN IP might not be in the VPN local/remote network, which causes the ping to fail.
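As an added example that is not part of the article, the following POSIX shell script parses the summary printed by the ping command from step 2 and judges the WAN path against the thresholds the article states (0 packet loss wanted; more than 2% loss drastically reduces VPN speed). The sample ping output and the IP addresses are constructed for the example; check_wan_path uses the article's v19.x ping syntax and is only meant to be run from the firewall's Advanced Shell.

```shell
#!/bin/sh
# Added example (not from the Sophos article). Parses a ping summary and
# applies the article's thresholds: 0% loss is the goal, >2% is a problem.

# Constructed sample, shaped like the output of the article's
# "ping -a WAN_IP REMOTE_WAN_IP -s 1200 -c 50". Values are made up.
SAMPLE_PING_OUTPUT='PING 203.0.113.10 (203.0.113.10) from 198.51.100.5 : 1200(1228) bytes of data.
1208 bytes from 203.0.113.10: icmp_seq=1 ttl=55 time=12.3 ms
1208 bytes from 203.0.113.10: icmp_seq=2 ttl=55 time=12.7 ms
--- 203.0.113.10 ping statistics ---
50 packets transmitted, 48 received, 4% packet loss, time 49123ms
rtt min/avg/max/mdev = 11.900/12.480/15.200/0.610 ms'

# ping_loss_pct OUTPUT -> prints the packet-loss percentage without the "%"
# (the "N% packet loss" token appears in both iputils and busybox output)
ping_loss_pct() {
    printf '%s\n' "$1" | awk '/packet loss/ {
        for (i = 1; i <= NF; i++) if ($i ~ /%/) { sub(/%/, "", $i); print $i; exit }
    }'
}

# ping_avg_rtt OUTPUT -> prints the average round-trip time in ms, taken from
# the second value of the "min/avg/max..." summary line
ping_avg_rtt() {
    printf '%s\n' "$1" | awk '/min\/avg\/max/ {
        split($0, a, "= "); split(a[2], b, "/"); print b[2]; exit
    }'
}

# vpn_link_verdict LOSS_PCT AVG_RTT_MS -> one-line judgement; returns 0 only
# when the WAN path meets the article's 0% loss requirement
vpn_link_verdict() {
    loss=$1; rtt=$2
    if awk "BEGIN { exit !($loss > 2) }"; then
        echo "packet loss ${loss}% exceeds 2%: fix the WAN path before tuning the VPN"
        return 1
    elif awk "BEGIN { exit !($loss > 0) }"; then
        echo "packet loss ${loss}% is not 0: expect reduced VPN speed (avg RTT ${rtt} ms)"
        return 1
    fi
    echo "0% packet loss, avg RTT ${rtt} ms: WAN path is fine, test between the computers next"
    return 0
}

# check_wan_path SRC_WAN_IP REMOTE_WAN_IP -> runs the article's v19.x ping from
# the firewall's Advanced Shell and judges the result (not run in this demo)
check_wan_path() {
    out=$(ping -a "$1" "$2" -s 1200 -c 50 2>&1)
    vpn_link_verdict "$(ping_loss_pct "$out")" "$(ping_avg_rtt "$out")"
}

# Demonstrate on the constructed sample (4% loss -> fails the check)
vpn_link_verdict "$(ping_loss_pct "$SAMPLE_PING_OUTPUT")" "$(ping_avg_rtt "$SAMPLE_PING_OUTPUT")" || true
```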

What to do for the problem of slow VPN speed

If the VPN speed is still slow:

  • check if the VPN connection is used by any unexpected traffic
  • make sure the speed and duplex mode of the NICs on the computers, the firewalls and every involved network device are correct
  • check if the slow speed happens to a particular computer or to all computers. That will help to find out if the slow speed is caused by a particular network device.
  • make sure antivirus and host IPS are disabled on the computers during the speed test. Remember to enable them after the test.
  • check if the Sophos Firewall is the cause of the slow speed:
    1. Create a new plain firewall rule for the traffic, with all scanning disabled.

    2. Toggle SSL/TLS inspection engine off. Go to Sophos Firewall webadmin > Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings > Advanced settings > SSL/TLS engine: Disabled. Remember to enable it after troubleshooting.

    3. Disable ATP globally. Go to Sophos Firewall webadmin > Advanced protection > Enable advanced threat protection: OFF. Remember to turn it ON after troubleshooting.

    4. Disable firewall-acceleration.
      • Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
      • Go to 4. Device Console, and run the following commands:
        console> system firewall-acceleration disable
        Firewall Acceleration Disabled Successfully.
        console> system firewall-acceleration show
        Firewall Acceleration is Disabled in Configuration.
        Firewall Acceleration is Unloaded.

    5. check if the CPU is overloaded. Personally, I consider CPU idle < 20% as overloaded.
      Go to Sophos Firewall webadmin > Diagnostics > System graph, and check the idle CPU.
      In the screenshot below, the idle CPU is currently 91.56%; therefore, the CPU is not overloaded.

Edition History

2023-01-03, updated the ping command for different Sophos Firewall OS versions. Thanks to Marlone Raphael Alganes

2022-10-25, first version
