Slow site to site IPsec VPNs

Hello.  I have an issue where we have 9 remote sites connecting via Site-to-Site IPsec VPN and are very slow.  These remote sites are running Pepwave Max BR1s and are configured using AES-256, MD5, Group 5 and are on Charter cable modems.  When I hook directly up to the cable modem and go out I get 60/4, but 3/.5 when connected via the tunnel. Our UTM is a Sophos SG310 and is sitting on a 100/100 connection, which we were told would handle the amount of remote sites easily.  I've checked, and our speed is nowhere near the 100/100 at any time during the day.  Is there something else I should be checking?

  • Hi, and welcome to the UTM Community!

    Does doing #1 in Rulz give you any clues?

    If not, you might have the MTU issue.  Does the Interface definition indicate an MTU of 576?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Per your suggestion, and the suggestion of Sophos, I disabled IPS and tested it.  There was very little improvement.  I had support remote into my machine and do some troubleshooting.  The only things that he could come up with were that this is normal (9MB downloads from a Charter 60/4 connection to a 100/100 connection), then he said that our 100/100 isn't enough to handle the amount of tunnels that we have (even though we're only using about 30MB of it), and that I should enable compression for all of the tunnels.

    Also per Rule #7, bullet #3, I lowered the MTU from 1500 to 1350 on the external connection.

    I guess I don't agree with the tech's answer, because I can hook a RED up to the device (without an IPsec tunnel up) and get 55/4 speeds through speedtest.  So, in my mind, there has to be something wrong with the IPsec, or the way that it flows through the UTM.
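A worked example, added here and not code from the thread or from Sophos, of why an IPsec tunnel can need a lower MTU than the 1500 bytes of the underlying link: it computes the ESP tunnel-mode overhead for the AES-256/MD5 configuration described in the original post. It assumes ESP over IPv4 in tunnel mode with AES in CBC mode and HMAC-MD5-96 integrity, and treats NAT traversal as optional.

```python
# Byte overheads of the ESP tunnel-mode building blocks that apply to the
# thread's configuration (AES-256-CBC encryption, HMAC-MD5-96 integrity).
OUTER_IPV4_HDR = 20   # outer IPv4 header added in tunnel mode
NAT_T_UDP_HDR = 8     # UDP encapsulation header when NAT traversal is active
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
AES_BLOCK = 16        # AES block size: CBC IV length and padding granularity
ICV_LEN = {"md5": 12, "sha1": 12, "sha256": 16}  # truncated HMAC ICV sizes


def esp_packet_size(inner_len, integ="md5", nat_t=False):
    """On-the-wire size of an ESP tunnel-mode packet that carries an inner
    IP packet of inner_len bytes, assuming AES-CBC encryption."""
    # payload + trailer is padded up to a whole number of cipher blocks
    padded = (inner_len + ESP_TRAILER + AES_BLOCK - 1) // AES_BLOCK * AES_BLOCK
    size = OUTER_IPV4_HDR + ESP_HDR + AES_BLOCK + padded + ICV_LEN[integ]
    return size + NAT_T_UDP_HDR if nat_t else size


def max_inner_mtu(outer_mtu=1500, integ="md5", nat_t=False):
    """Largest inner packet that fits the outer MTU without fragmentation."""
    fixed = OUTER_IPV4_HDR + ESP_HDR + AES_BLOCK + ICV_LEN[integ]
    if nat_t:
        fixed += NAT_T_UDP_HDR
    padded = (outer_mtu - fixed) // AES_BLOCK * AES_BLOCK
    return padded - ESP_TRAILER


def fragments(inner_len, outer_mtu=1500, integ="md5", nat_t=False):
    """True if an inner packet of this size must be fragmented after encapsulation."""
    return esp_packet_size(inner_len, integ, nat_t) > outer_mtu


if __name__ == "__main__":
    for nat in (False, True):
        print(f"NAT-T={nat}: max inner MTU {max_inner_mtu(nat_t=nat)} bytes; "
              f"1500-byte inner packet fragments: {fragments(1500, nat_t=nat)}; "
              f"1350-byte inner packet fragments: {fragments(1350, nat_t=nat)}")
```

Under these assumptions the largest inner packet that does not fragment is 1438 bytes (1422 with NAT-T), so the 1350 value chosen above leaves headroom; the TCP MSS has to sit a further 40 bytes (IPv4 plus TCP headers) below the inner MTU.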

  • My suggestion wasn't to disable IPS, it was to examine the logs.  If you re-read #1, you might realize that disabling IPS makes no difference.  I doubt that lowering the MTU helps the problem you're having.  What do you see in the logs?

    Cheers - Bob

  • I'm sorry.  I misunderstood.  I've since re-enabled IPS and I currently see that there is quite a bit of UDP flood protection happening.  

  • You're the second person today that's misread or not completely read #1.  Would you be so kind as to make a suggestion on what I should change to get people to always look at the logs? TIA!

    Cheers - Bob

  • Maybe just start out by saying "Check the logs (IPS, Firewall, and Application Control)".  To be honest, I read "always check the Intrusion Prevention", then skipped right over to the note where it says "When you disabled Intrusion Prevention..." Oh, I need to disable IPS... I didn't actually do it, until I received a message from Sophos in response to my ticket, saying to disable IPS.

  • On another original topic... This doesn't seem to be an issue with all of my sites.  I have a site that's connected through the same model of hardware, to a 4G LTE connection, and I'm getting 35/35 speed tests.  It is definitely an issue with my Charter sites, as none of them are getting better than a 15/2-3 connection.

  • If you've addressed the UDP Anti-DoS Flooding issue and that no longer appears in the Intrusion Prevention log, and you get full speed IPsec tunnels through non-Charter connections and through Charter when not using IPsec, I'm suspecting Charter.  They may be strangling UDP or have some other issue.  What do they say?

    Cheers - Bob

  • I haven't done anything about the flooding issue as of yet.  I'll have to do some research on that.

  • You should be able to see in the Intrusion Prevention log what IPs need to be excluded in an Exception.

    Cheers - Bob

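As an added illustration of the advice above to read the Intrusion Prevention log before building an exception (example code written for this thread, not Sophos tooling): it summarises UDP flood events per source IP over constructed log lines written in a key="value" style and flags known tunnel peers whose flooded traffic is only IKE/NAT-T (UDP 500/4500). The field names, log ids, and addresses are assumptions, not copied from a real UTM log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a key="value" style loosely modelled on the UTM's
# IPS log; the field names and ids are assumptions made for this example.
SAMPLE_LOG = """\
2016:02:10-08:15:01 utm ulogd[4211]: id="2103" sub="ips" name="UDP flood detected" action="UDP flood" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" srcport="4500" dstport="4500"
2016:02:10-08:15:02 utm ulogd[4211]: id="2103" sub="ips" name="UDP flood detected" action="UDP flood" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.5" proto="17" srcport="4500" dstport="4500"
2016:02:10-08:15:04 utm ulogd[4211]: id="2103" sub="ips" name="UDP flood detected" action="UDP flood" initf="eth1" srcip="203.0.113.22" dstip="198.51.100.5" proto="17" srcport="500" dstport="500"
2016:02:10-08:15:05 utm ulogd[4211]: id="2101" sub="ips" name="SYN flood detected" action="SYN flood" initf="eth1" srcip="192.0.2.77" dstip="198.51.100.5" proto="6" srcport="40001" dstport="443"
2016:02:10-08:15:06 utm ulogd[4211]: id="2103" sub="ips" name="UDP flood detected" action="UDP flood" initf="eth1" srcip="203.0.113.22" dstip="198.51.100.5" proto="17" srcport="500" dstport="500"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
IPSEC_PORTS = {"500", "4500"}                    # IKE and NAT-T UDP ports
KNOWN_PEERS = {"203.0.113.10", "203.0.113.22"}   # constructed: remote sites' WAN IPs


def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def udp_flood_summary(log_text):
    """Count UDP flood events per source IP and mark whether the source is a
    configured tunnel peer that was only seen on the IPsec ports."""
    hits = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("sub") != "ips" or rec.get("action") != "UDP flood":
            continue
        hits[rec["srcip"]] += 1
        ports[rec["srcip"]].add(rec["dstport"])
    return {
        ip: {"events": n, "dstports": sorted(ports[ip]),
             "ipsec_peer": ip in KNOWN_PEERS and ports[ip] <= IPSEC_PORTS}
        for ip, n in hits.items()
    }


def exception_candidates(log_text):
    """Known tunnel peers whose flooded traffic is only IKE/NAT-T: the sources
    to review for a UDP flood protection exception, not other flooding hosts."""
    return sorted(ip for ip, s in udp_flood_summary(log_text).items() if s["ipsec_peer"])


if __name__ == "__main__":
    for ip, s in udp_flood_summary(SAMPLE_LOG).items():
        print(ip, s)
    print("review for exception:", exception_candidates(SAMPLE_LOG))
```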