Slow site to site IPsec VPNs

Hi, and welcome to the UTM Community!

Does doing #1 in Rulz give you any clues?

If not, you might have the MTU issue.  Does the Interface definition indicate an MTU of 576?

Cheers - Bob

Per your suggestion, and the suggestion of Sophos, I disabled IPS and tested it.  There was very little improvement.  I had support remote into my machine and do some troubleshooting.  The only things that he could come up with was that this is normal (9MB downloads from a charter 60/4 connection to a 100/100 connection), then he said that our 100/100 isn't enough to handle the amount of tunnels that we have (even though we're only using about 30MB of it), and that I should enable compression for all of the tunnels.

Also per Rule #7, bullet #3, I lowered the MTU from 1500 to 1350 on the external connection.

I guess I don't agree with the tech's answer, because I can hook a RED up to the device (without an IPsec tunnel up) and get 55/4 speeds through speedtest.  So, in my mind, there has to be something wrong with the IPsec, or the way that it flows through the UTM.

My suggestion wasn't to disable IPS, it was to examine the logs.  If you re-read #1, you might realize that disabling IPS makes no difference.  I doubt that lowering the MTU helps the problem you're having.  What do you see in the logs?

Cheers - Bob

My suggestion wasn't to disable IPS, it was to examine the logs.  If you re-read #1, you might realize that disabling IPS makes no difference.  I doubt that lowering the MTU helps the problem you're having.  What do you see in the logs?

Cheers - Bob

I'm sorry.  I misunderstood.  I've since re-enabled IPS and I currently see that there is quite a bit of UDP flood protection happening.  

You're the second person today that's misread or not completely read #1.  Would you be so kind as to make a suggestion on what I should change to get people to always look at the logs? TIA!

Cheers - Bob

Maybe just start out by saying "Check the logs (IPS, Firewall, and Application Control)".  To be honest, I read "always check the Intrusion Prevention", then skipped right over to the note where it says "When you disabled Intrusion Prevention..." Oh, I need to disable IPS... I didn't actually do it, until I received a message from Sophos in response to my ticket, saying to disable IPS.

On another original topic.. This doesn't seem to be an issue with all of my sites.  I have a site that's connected through the same model of hardware, to a 4G LTE connection, and I'm getting 35/35 speed tests.  It is definitely an issue with my charter sites, as none of them are getting better than a 15/2-3 connection.

If you've addressed the UDP Anti-DoS Flooding issue and that no longer appears in the Intrusion Prevention log, and you get full speed IPsec tunnels through non-Charter connections and through Charter when not using IPsec, I'm suspecting Charter.  They may be strangling UDP or have some other issue.  What do they say?

Cheers - Bob

I haven't done anything about the flooding issue as of yet.  I'll have to do some research on that.

You should be able to see in the Intrusion Prevention log what IPs need to be excluded in an Exception.

Cheers - Bob