IPSec site to site throughput

Situation - My group hosts 'private clouds' for a few clients. We are looking to migrate away from several Cisco devices for various reasons. The main one is bandwidth limitations. For this example we'll take two data centers where we have gigabit service. With no firewalls in place between two fully exposed VMs, we can obtain around 850Mb/s with reasonable stability over several hours. We stood up two virtual UTMs v9.315-2. Each UTM is on the same physical hardware where we achieve 850Mb/s. Hyper-V 2012R2 is the VM host. Each UTM is allocated 4.5GB mem, 150GB HDD, 4 cores of dual hex core 2.5Ghz Xeons.

Problem - Throughput of a tunnel between these two VMs achieves about 150Mb/s.

--Only the firewall is active, no other items such as IPS.
--Support path MTU discovery is on (both sides)
--Rulez have been reviewed and followed where applicable. This setup is fairly basic so most are not a factor.
--Nothing odd in logs
--Intel NICs on one end
--Broadcom NICs on other end
--CPU utilization is at 4% or so when we are hitting the 150Mb/s peak with about 80Mb/s stable.
--MTU between 1350-1500 tried in increments of 50. 1500 seems to give best performance.
--Testing with a 50GB file, CIFS and FTP

I called Sophos for some pre-sales tech support since we were considering becoming a reseller to our private cloud clients. They tell me their support is only for break-fix, no pre-sales.

Just for kicks, we stood up a couple of TMG images and we achieved about 650Mb/s without any effort beyond a quick base config.

Our ideal target would be 800Mb/s but we are a long way from there at this point and may be on the wrong path.

We are open to all input and have looked through many performance threads but most are for lower bandwidth allocations. 

Is it likely two SG 135's (or SG 210s) could achieve 800Mb/s in this given scenario? If we are fighting VM/NIC issues then we'll give that a try, however this doesn't fit as well into our all VM model and HA requires more hardware.
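The MTU sweep above raises the question of how much of each packet the tunnel actually consumes. The following calculator is an added example, not code from the original post or from Sophos UTM: given an outer-path MTU and a transform set, it computes the outer ESP packet size for a given inner packet, the largest inner packet that fits without ESP-level fragmentation, and the TCP MSS to clamp to. Header and padding sizes are the standard ones from RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 3948 (UDP encapsulation); the transform-set names in the table are this example's own labels, not UTM configuration names.

```python
"""ESP tunnel-mode overhead and TCP MSS clamp calculator.

Added example for this thread (not the poster's or Sophos' code). For an
outer-path MTU and an ESP transform set it answers: how big does an inner
packet get after encapsulation, what is the largest inner packet that crosses
the tunnel unfragmented, and what TCP MSS should be clamped to?
"""
from dataclasses import dataclass

IPV4_HEADER = 20      # outer (and inner) IPv4 header without options
TCP_HEADER = 20       # TCP header without options
UDP_HEADER = 8        # present only with NAT-T (UDP/4500) encapsulation
ESP_HEADER = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)


@dataclass(frozen=True)
class Transform:
    """Per-packet ESP overhead parameters of one cipher/integrity pairing."""
    name: str
    iv_len: int        # explicit IV/nonce bytes carried in each ESP packet
    align: int         # padding alignment: cipher block size, or 4 for AEAD (RFC 4303 s2.4)
    icv_len: int       # integrity check value bytes appended after the trailer


# Assumed transform sets (labels are this example's own); the sizes are the
# algorithms' standard values.
TRANSFORMS = {
    "aes128-cbc/hmac-sha1-96":    Transform("aes128-cbc/hmac-sha1-96", 16, 16, 12),
    "aes256-cbc/hmac-sha256-128": Transform("aes256-cbc/hmac-sha256-128", 16, 16, 16),
    "3des-cbc/hmac-sha1-96":      Transform("3des-cbc/hmac-sha1-96", 8, 8, 12),
    "blowfish-cbc/hmac-sha1-96":  Transform("blowfish-cbc/hmac-sha1-96", 8, 8, 12),
    "aes128-gcm-16":              Transform("aes128-gcm-16", 8, 4, 16),
}


def esp_packet_size(inner_len: int, t: Transform, nat_t: bool = False) -> int:
    """Outer IPv4 packet size after tunnel-mode ESP wraps an inner IP packet
    of inner_len bytes. Padding brings payload + trailer up to a multiple
    of t.align (integer round-up, no floats)."""
    padded = ((inner_len + ESP_TRAILER + t.align - 1) // t.align) * t.align
    outer = IPV4_HEADER + ESP_HEADER + t.iv_len + padded + t.icv_len
    if nat_t:
        outer += UDP_HEADER
    return outer


def max_inner_packet(path_mtu: int, t: Transform, nat_t: bool = False) -> int:
    """Largest inner IP packet whose encapsulation fits in path_mtu bytes
    without fragmentation, i.e. the inner MTU the tunnel really offers."""
    budget = path_mtu - IPV4_HEADER - ESP_HEADER - t.iv_len - t.icv_len
    if nat_t:
        budget -= UDP_HEADER
    padded_max = (budget // t.align) * t.align   # largest aligned payload + trailer
    return padded_max - ESP_TRAILER


def tcp_mss_clamp(path_mtu: int, t: Transform, nat_t: bool = False) -> int:
    """TCP MSS to clamp on the inside of the tunnel so that a full-size
    segment never produces a fragmented ESP packet."""
    return max_inner_packet(path_mtu, t, nat_t) - IPV4_HEADER - TCP_HEADER


def fragments(inner_len: int, path_mtu: int, t: Transform, nat_t: bool = False) -> bool:
    """True if an inner packet of inner_len bytes is fragmented on the outer
    path, the classic cause of a tunnel that tops out well below the link."""
    return esp_packet_size(inner_len, t, nat_t) > path_mtu


if __name__ == "__main__":
    path_mtu = 1500
    print(f"outer path MTU {path_mtu}")
    for t in TRANSFORMS.values():
        for nat_t in (False, True):
            print(f"{t.name:28} nat-t={str(nat_t):5} "
                  f"inner MTU {max_inner_packet(path_mtu, t, nat_t)}  "
                  f"MSS clamp {tcp_mss_clamp(path_mtu, t, nat_t)}  "
                  f"1500-byte inner packet fragments: "
                  f"{fragments(1500, path_mtu, t, nat_t)}")
```

With a 1500-byte outer path and AES-128-CBC/HMAC-SHA1, the largest unfragmented inner packet is 1438 bytes and the MSS clamp is 1398; a 1500-byte inner packet encapsulates to 1560 bytes and is fragmented on every send, whatever the PMTUD setting does for ICMP-aware hosts. The numbers give you something to verify on the wire: send a DF-flagged ping of the computed inner size through the tunnel and watch for fragments on the outer interface.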


  • So, I experience the same situation.

    Looking in this thread I'm afraid this will not get solved quickly.

    With SSL VPN S2S, I get about the speed of my internet connection (85-95Mbit/s). However, using IPSec, the numbers are between 20-25 Mbit/s.

    For testing purposes:

    • IDS Has been disabled
    • The same for protections, like UDP flooding
    • I followed the Rulez as well, nothing special there
    • The VPN is running on UDP to prevent any overhead

    Accessing Windows shares via SSL VPN is slow, by the way. Any ideas how to fix that?

    Edit: This is not the only topic regarding this issue... Some people sorted it by disabling PFS or using Blowfish for encryption, but I seem out of luck. It isn't my hardware, since SSL VPN, again, is utilising my full network speed.

    Both sides are running Intel Xeon processors, Intel 82576 NIC on one side, Intel i350 NIC on the other.

  • Hi,


    did you find any solution for this case ?

    We got the same problem with a SG230 HA Cluster ... very poor S2S IPsec performance, nothing helped yet ...


    Thanks

    greetz from Germany

  • Hi, Rino, and welcome to the UTM Community!

    What do you learn from doing #1 in Rulz?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BMan,

    Thank you for choosing Sophos.

    I think the issue can be resolved only through an active troubleshooting session where someone can monitor all the active logs and behavior. I can suggest raising a POC request with the Pre-Sales Team. They can provide you with a live demo before the sale, which could help you decide on further business with our product.

    Thank You

    Sachin Gurung
    Team Lead | Sophos Technical Support