S2S IPsec VPN throughput/performance issue with Exchange

We are seeing some performance issues on our IPsec VPN-connected WAN.

  1. We have a remote office connected through a S2S IPsec VPN.
  2. Both WAN connections are Comcast Business 150/25 Mbps.
  3. We are both on SG210 appliances - latest and greatest firmware as of last week.
  4. 70% of remote branch users are on branch-local 2008R2 Terminal Servers running Outlook and accessing the Exchange Server at Corporate.
     - Outlook is NOT using cached mode because of Terminal Services.
  5. During the day, performance of Outlook will degrade to a complete standstill for TS users.
     - No spikes on either firewall in traffic - traffic patterns look consistent day-to-day and week-to-week.
  6. Rebooting the corporate FW clears up the problem until it degrades again.

Other factors/information

  1. We upgraded to Exchange 2013 and put a server/DAG at the remote site to give them a local performance improvement.
  2. When we switched to the new DAG, performance became worse for the users and Exchange threw a bunch of errors related to communication timing out between the servers.
  3. We assume something is filtering the traffic but are not sure what - everything across the VPN should not be filtered?
  4. Remote access to servers and resources seems to be fine.
  5. There is a setting in Exchange 2013 for Outlook Anywhere that, when you click on it, should give a pretty instantaneous response.
     - When we click on this setting for the DAG at the remote office, the information either times out or takes 3-5 minutes on average to return the configuration information.
  6. Ping times between the servers are solid at 25-40 ms.

I have made sure all DNS records are correct and all forwarding etc. is pointing to the right place.

To troubleshoot/rule out filtering I have turned off ALL filtering I can find: web filtering, IPS, Application, QoS.

I have created rules in the firewalls to allow RemoteLAN <-> CorpLAN, ANY protocols.

My technical consultant (very bright) says he has Comcast clients with LESS bandwidth doing the exact same thing with MORE users connecting and MORE data being pushed between sites. The difference being they are not on Sophos.

Right now the DAG is sitting as a shadow/copy because we cannot make it the primary DB for my remote users because of these problems.


Help!
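
Added example, not part of the original post or of any Sophos or Microsoft tooling: the post's point 6 shows ICMP latency is fine while Outlook stalls, so a useful next check is to time each stage of a real connection to the Outlook Anywhere endpoint across the tunnel (DNS, TCP connect, TLS handshake, first HTTP byte), repeat it through the day, and flag samples that stall or error relative to the median. A stall that lands in the TCP connect stage points at something between the sites dropping or rate-limiting new connections; a stall only in the HTTP stage points at the server. The hostname `mail.corp.example` is assumed, as is the default Outlook Anywhere virtual directory `/rpc/rpcproxy.dll`; an unauthenticated HEAD there normally gets a 401, which is fine since only timing is measured.

```python
import socket
import ssl
import statistics
import sys
import time
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Assumptions for this example (not from the thread): the corporate Exchange
# 2013 server is reachable across the tunnel as mail.corp.example and serves
# Outlook Anywhere on its default virtual directory, /rpc/rpcproxy.dll.
DEFAULT_HOST = "mail.corp.example"
DEFAULT_PATH = "/rpc/rpcproxy.dll"


@dataclass
class Sample:
    """Per-stage timings of one probe, in milliseconds; None if not reached."""
    dns_ms: Optional[float] = None
    connect_ms: Optional[float] = None
    tls_ms: Optional[float] = None
    http_ms: Optional[float] = None
    error: Optional[str] = None

    @property
    def total_ms(self) -> Optional[float]:
        parts = [self.dns_ms, self.connect_ms, self.tls_ms, self.http_ms]
        return None if any(p is None for p in parts) else sum(parts)


def probe(host: str = DEFAULT_HOST, port: int = 443, path: str = DEFAULT_PATH,
          timeout: float = 10.0) -> Sample:
    """Time DNS -> TCP connect -> TLS handshake -> first HTTP response byte.

    An unauthenticated HEAD to the RPC proxy normally gets a 401; the status
    does not matter here, only how long each stage takes.
    """
    s = Sample()
    t0 = time.perf_counter()
    try:
        ip = socket.gethostbyname(host)
        t1 = time.perf_counter()
        s.dns_ms = (t1 - t0) * 1000
        sock = socket.create_connection((ip, port), timeout=timeout)
        t2 = time.perf_counter()
        s.connect_ms = (t2 - t1) * 1000
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # internal CA / self-signed is common;
        ctx.verify_mode = ssl.CERT_NONE  # we measure timing, not trust
        tls = ctx.wrap_socket(sock, server_hostname=host)
        t3 = time.perf_counter()
        s.tls_ms = (t3 - t2) * 1000
        req = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        tls.sendall(req.encode("ascii"))
        first = tls.recv(1)              # time to first response byte
        s.http_ms = (time.perf_counter() - t3) * 1000
        if not first:
            s.error = "empty response"
        tls.close()
    except (OSError, ssl.SSLError) as exc:
        s.error = f"{type(exc).__name__}: {exc}"
    return s


def slowest_stage(sample: Sample) -> Optional[str]:
    """Name of the stage that took longest, or None if nothing completed."""
    stages = {"dns": sample.dns_ms, "connect": sample.connect_ms,
              "tls": sample.tls_ms, "http": sample.http_ms}
    reached = {k: v for k, v in stages.items() if v is not None}
    return max(reached, key=reached.get) if reached else None


def flag_stalls(samples: Sequence[Sample], factor: float = 5.0,
                floor_ms: float = 200.0) -> List[int]:
    """Indices of samples that errored, never completed, or took more than
    factor x the median successful total (threshold never below floor_ms)."""
    totals = [s.total_ms for s in samples
              if s.error is None and s.total_ms is not None]
    if not totals:
        return list(range(len(samples)))
    threshold = max(statistics.median(totals) * factor, floor_ms)
    return [i for i, s in enumerate(samples)
            if s.error is not None or s.total_ms is None or s.total_ms > threshold]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    samples: List[Sample] = []
    for _ in range(10):
        s = probe(host)
        samples.append(s)
        print(f"{s}  slowest={slowest_stage(s)}")
        time.sleep(2)
    print("flagged samples:", flag_stalls(samples))
```

Run it from the branch Terminal Server (the host where users see the stall) and leave it looping with a longer sleep; a run of flagged samples whose slowest stage is `connect` while ping stays at 25-40 ms is the signature of connections, not packets, being held up on the path, and the timestamps line up directly with the firewall reboot that clears the problem.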
  • I have a similar problem with IPsec over IPv6 - seems to be an IPsec problem

    ---

    Sophos UTM 9.3 Certified Engineer

  • Is yours specifically with Exchange or all IPsec traffic? We may be seeing it with Veeam as well (we replicate backups, but throttle the traffic, so I know this is not causing the problem). Remote access across the tunnel to resources in the branch office is fine for us though. RDP works great, as well as network browsing/file transfers.
  • Hi, and welcome to the UTM Community!

    Folks think that disabling IPS disables Anti-DoS/Flooding, but it does not.  Does #1 in Rulz give you any clues?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob - I did find your VERY handy Rulz page from other posts and have gotten through most of it. I actually have a ticket open with Support and have given them access to both nodes.

    I will post here when findings are complete or if Rulz clear anything up!