Aspera p2p blows up Sophos SG330 UTMs

2 SG330s in an ipsec vpn over wan with 1gb fiber connectivity.

Aspera p2p running at 300 Mb.  

Transferring over this p2p connection triggers massive latency over the vpn and results in dropped packets and spikes on other connected interfaces.  53 ms latency jumps past 100 and a continuous ping becomes unreachable over time.  Even after stopping the transfer there is a recovery time to get things back to "normal".  

The sophos cpu never rises over 20-50% and ram is plentiful. IP and advanced protection toggling has no effect.  Support says the ring buffers are overflowing and that could be the issue, but do not know of a way to increase the buffers permanently or why this is happening. 

Anyone have any thoughts to mitigate the issue? A particular golden mtu value?  

Perhaps a separate firewall for aspera transfers as the sophos can't keep up?  Thanks!  We have been battling this for many weeks now.



  • Hi, Tim, and welcome to the UTM Community!

    Is this a VPN question that I should move to that forum?  If so, please show us pictures of the relevant configurations on both sides.  Has Support asked you for a packet capture?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, thanks for the reply.  Support has done captures and right now buffers are the only config proposal that has been made.  They are trying to find a way to make that change permanent.

    Aside from that the config is pretty straightforward. Anything that can be toggled or changed in the gui has been.  I am hoping someone maybe has seen this kind of thing before.  Moving to vpn might make sense.  Thanks!

     

    Tim

  • Changing interface buffers was not the solution.  Open to any idea anyone might have.  Right now file transfers over 1 link are chewing up entirely different interfaces.

  • Please show pictures of the Edits of IPsec Connection and Remote Gateway with 'Advanced' open.

    At the command line on one UTM, where 172.16.1.1 is the IP on the Internal interface and 172.16.2.1 is the IP of the Internal interface of the remote UTM, do the following command:

    ping -I 172.16.1.1 172.16.2.1 -s 1400 -M do

    Ctrl-c to stop it and change 1400 to 1450.  Increase and decrease until you find the maximum MTU without fragmentation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
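
The manual raise-and-lower search described in the post above can be scripted. This is an added example, not part of the original thread or any Sophos tooling; it reuses the same `ping` flags, and the function names, the 1200-1472 byte search range and the three-probe count are assumptions.

```shell
#!/bin/bash
# Added example: binary search for the largest ICMP payload that crosses the
# VPN with the Don't Fragment bit set (-M do), as in the manual test above.

# probe SRC DST SIZE -> exit 0 if at least one of three DF-flagged echoes
# with SIZE payload bytes is answered. Three probes are sent so that a single
# drop on a congested link is not mistaken for an MTU limit (assumed count).
probe() {
    ping -I "$1" "$2" -s "$3" -M do -c 3 -W 2 >/dev/null 2>&1
}

# find_max_payload SRC DST LOW HIGH -> prints the largest payload size in
# [LOW, HIGH] that passes; returns 1 if even LOW does not get a reply.
find_max_payload() {
    local src dst lo hi mid best
    src=$1; dst=$2; lo=$3; hi=$4; best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$src" "$dst" "$mid"; then
            best=$mid            # passed: try larger
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))    # dropped or "message too long": try smaller
        fi
    done
    [ "$best" -ge 0 ] || return 1
    echo "$best"
}

# The -s value is ICMP payload only. Adding the 8-byte ICMP header and the
# 20-byte IPv4 header (no IP options) gives the packet size on the wire.
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Usage: ./find_mtu.sh <local-internal-ip> <remote-internal-ip>
if [ "$#" -eq 2 ]; then
    if max=$(find_max_payload "$1" "$2" 1200 1472); then
        echo "largest unfragmented payload: $max bytes"
        echo "corresponding IPv4 packet size: $(payload_to_mtu "$max") bytes"
    else
        echo "no reply anywhere in 1200-1472; check routing or ICMP rules" >&2
        exit 1
    fi
fi
```

Run it while the tunnel is otherwise idle, since packet loss during a heavy transfer would make the result smaller than the real limit.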