9.351-3 seems to have broken Site2Site

After upgrading both my home and my test site to 9.351-3, inbound traffic only gets as fast as 100kb/sec or the connection drops out a lot.



This thread was automatically locked due to age.
  • Hi Ben,

    there weren't any changes in 9.351 to VPN or to QoS, other than a couple cosmetic fixes. It seems unlikely the firmware is directly responsible. Next steps should probably be some networking level troubleshooting.

    Are there any speed issues when connecting to the internet?
    If you send small ping packets over the tunnel, is the response time what you expect?
    If you send large (~1000-1300 byte) ping packets over the tunnel, does the latency increase more than you would expect?

    If you repeat the tests over the tunnel between the firewall public IPs, do you see the same results?
    Do you see anything interesting in a packet capture of the encrypted packets, such as excessive fragmentation, retransmission requests or errors?

    That's at least a starting point for troubleshooting. Also, depending on what type of VPN you're using, you might try switching to a different technology and see if the problem changes in any way. So if you're using IPsec, try a RED or SSL VPN, and vice versa.
  • Hi, ya, I just went back on earlier firmwares (and configurations) and it's still slow, so it must be something else.
    RED seems to be unaffected. Really odd, but thanks for your input, much appreciated!
  • You can also check your NAT-T and ECN settings.
  • Thanks for the hints. I put back on a config that was working 100% but it's not right now. RED works 100% (changed over to that) so it must be something that cripples SSL AND IPsec site2site but not RED. So either provider or vServer service, I guess...
  • Interestingly enough, this only affects when I am uploading to site2site. So S2S is only slow in one direction. RED works with full bandwidth. QoS is off, IPS is off. This is really weird since it used to work for months. Also rebooted my ESXi just in case. Nothing helps.
  • Any update on this? I see that 9.351 has been pushed to up2date. I would hate to run this update and then have issues with site to site.
  • The main thing I can think of for a cause would be an MTU issue.

  • I was not able to fix the problem, but it does not seem to be caused by the Sophos update, so I'd see no problem updating it. The problem seems to be caused by the vserver hoster, who must have changed something at the same time I did the update on the firewall.
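
The large-ping test and the MTU suggestion from the replies above, as an added shell example that is not part of the original thread: it binary-searches the largest ping payload that gets through with Don't Fragment set, so the result over the tunnel can be compared with the result between the firewalls' public IPs. It assumes Linux iputils `ping`; the function names and the 1472-byte ceiling (a 1500-byte Ethernet MTU) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: sh pmtu.sh TUNNEL_PEER_IP [PUBLIC_PEER_IP]

# probe SIZE HOST: succeeds if one echo with SIZE payload bytes and DF set is answered.
# Assumes iputils ping: -M do sets Don't Fragment, -W is the reply timeout in seconds.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# largest_payload HOST [LO] [HI]: prints the largest payload in [LO,HI] that passes.
# Returns 1 if even LO fails (peer unreachable or ICMP filtered), so that a dead
# path is not misreported as "MTU 28".
largest_payload() {
    host=$1 lo=${2:-0} hi=${3:-1472}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid                 # mid fits: the answer is mid or larger
        else
            hi=$(( mid - 1 ))       # mid was dropped: the answer is smaller
        fi
    done
    echo "$lo"
}

# path_mtu PAYLOAD: payload + 20-byte IPv4 header + 8-byte ICMP header.
path_mtu() {
    echo $(( $1 + 28 ))
}

# Report each target given on the command line. A tunnel value far below the
# public-IP value minus the VPN's encapsulation overhead points at MTU trouble.
if [ "$#" -ge 1 ]; then
    for target in "$@"; do
        if p=$(largest_payload "$target"); then
            echo "$target: largest unfragmented payload $p bytes, path MTU $(path_mtu "$p")"
        else
            echo "$target: no reply even at the smallest size" >&2
        fi
    done
fi
```

Run it once in each direction, since the slowdown reported in the thread affected uploads only.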