SSL VPN Remote access really slow

I've been getting complaints lately that SSL speeds are really slow, so I started testing myself.

At work we have an SG330 with 9.705-3 connected to a 500/500 Mbps fiber connection.
At home I have a 1000/10000 Mbps fiber connection.

Usually I use an IPSEC connection between home and work (at home through an XG firewall).

Iperf output with server on UTM-side and connected to my usual IPSEC-connection:

C:\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.45
Connecting to host 192.168.1.45, port 5201
[  4] local 172.16.16.100 port 55470 connected to 192.168.1.45 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec  12.2 MBytes   103 Mbits/sec
[  4]   1.00-2.01   sec  12.2 MBytes   102 Mbits/sec
[  4]   2.01-3.00   sec  12.1 MBytes   103 Mbits/sec
[  4]   3.00-4.00   sec  11.9 MBytes  99.8 Mbits/sec
[  4]   4.00-5.00   sec  12.5 MBytes   105 Mbits/sec
[  4]   5.00-6.01   sec  12.2 MBytes   102 Mbits/sec
[  4]   6.01-7.00   sec  11.8 MBytes  99.1 Mbits/sec
[  4]   7.00-8.01   sec  12.8 MBytes   106 Mbits/sec
[  4]   8.01-9.01   sec  12.8 MBytes   106 Mbits/sec
[  4]   9.01-10.00  sec  12.1 MBytes   102 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  sender
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  receiver

iperf Done.

Not too bad, with a little over 100 Mbps both upload and download speed using iPerf.

Now when switching to SSL VPN this dramatically worsens to just under 3 Mbps:

C:\iperf-3.1.3-win64>iperf3.exe -c 192.168.1.45
Connecting to host 192.168.1.45, port 5201
[  4] local 10.242.2.17 port 60582 connected to 192.168.1.45 port 5201
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-1.00   sec   640 KBytes  5.22 Mbits/sec
[  4]   1.00-2.01   sec   256 KBytes  2.08 Mbits/sec
[  4]   2.01-3.01   sec   256 KBytes  2.10 Mbits/sec
[  4]   3.01-4.01   sec   256 KBytes  2.10 Mbits/sec
[  4]   4.01-5.01   sec   256 KBytes  2.10 Mbits/sec
[  4]   5.01-6.01   sec   384 KBytes  3.15 Mbits/sec
[  4]   6.01-7.01   sec   128 KBytes  1.05 Mbits/sec
[  4]   7.01-8.00   sec   384 KBytes  3.16 Mbits/sec
[  4]   8.00-9.00   sec   256 KBytes  2.10 Mbits/sec
[  4]   9.00-10.00  sec   128 KBytes  1.05 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth
[  4]   0.00-10.00  sec  2.88 MBytes  2.41 Mbits/sec                  sender
[  4]   0.00-10.00  sec  2.73 MBytes  2.29 Mbits/sec                  receiver

iperf Done.

More than 30x slower using the exact same connections and at the time of testing just 1 other SSL client connected.

SSL VPN settings on UTM:
UDP port 443
Encryption: AES-128-CBC
Authentication: SHA1
Key size: 1024 bit
Compression: On

Can someone confirm SSL VPN remote access being this slow or, better, have suggestions on how to improve it, if possible at all?



This thread was automatically locked due to age.
  • Yes, Philipp.  The SSL VPN in UTM really puts a load on the processor already.  Using compression can really choke it.

    Not surprising that Arno found the XG was much faster when using compression - probably a better piece of code for that in XG.

    Cheers - Bob
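
Added example, not part of the original thread: a small Python parser for iperf3 text output like the two runs in the opening post, for quantifying the slowdown and the interval variation when re-testing after a settings change such as the compression setting discussed in the reply. The sample rows are copied from the post; the function and variable names are this example's own.

```python
import re
import statistics

# Rows copied from the two iperf3 runs in the opening post (3 intervals + totals).
IPSEC_RUN = """\
[  4]   0.00-1.00   sec  12.2 MBytes   103 Mbits/sec
[  4]   1.00-2.01   sec  12.2 MBytes   102 Mbits/sec
[  4]   2.01-3.00   sec  12.1 MBytes   103 Mbits/sec
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  sender
[  4]   0.00-10.00  sec   123 MBytes   103 Mbits/sec                  receiver
"""
SSL_RUN = """\
[  4]   0.00-1.00   sec   640 KBytes  5.22 Mbits/sec
[  4]   1.00-2.01   sec   256 KBytes  2.08 Mbits/sec
[  4]   2.01-3.01   sec   256 KBytes  2.10 Mbits/sec
[  4]   0.00-10.00  sec  2.88 MBytes  2.41 Mbits/sec                  sender
[  4]   0.00-10.00  sec  2.73 MBytes  2.29 Mbits/sec                  receiver
"""

ROW = re.compile(
    r"\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+"
    r"([\d.]+)\s+([KMG]?)bits/sec(?:\s+(sender|receiver))?"
)
TO_MBIT = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}  # normalise to Mbit/s

def parse_iperf3(text):
    """Return interval rates and sender/receiver totals, all in Mbit/s."""
    run = {"intervals": [], "sender": None, "receiver": None}
    for m in ROW.finditer(text):  # banner, header and separator lines never match
        rate = float(m.group(1)) * TO_MBIT[m.group(2)]
        if m.group(3):
            run[m.group(3)] = rate          # summary row
        else:
            run["intervals"].append(rate)   # per-second row
    return run

def compare(baseline, candidate):
    """Slowdown on the receiver total plus per-run interval variation."""
    def cv(xs):  # coefficient of variation: stdev relative to the mean
        return statistics.pstdev(xs) / statistics.mean(xs)
    return {
        "slowdown": baseline["receiver"] / candidate["receiver"],
        "baseline_cv": cv(baseline["intervals"]),
        "candidate_cv": cv(candidate["intervals"]),
    }

print(compare(parse_iperf3(IPSEC_RUN), parse_iperf3(SSL_RUN)))
```

Pasting the full ten-interval output of each run into the two strings gives the variation figures over the whole test rather than the first three seconds.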
