Dismally slow SSL VPN (SonicWall)



Faust
10-12-20, 03:26 PM
Howdy, all!

Long story short, the whole pandemic thing tossed some chaos into our day-to-day and who knows how long this whole working remotely thing is going to go on. When things went sideways the decision was made (which I objected to) to send the whole Engineering Department home with their workstations and dual monitor setups, to which I replied "OK, but for that to work you'll need to set up a VPN or something so they can access network resources". Were it me I would have had them leave their systems at work and remote in with TeamViewer or maybe AnyDesk. Water under the bridge, I suppose.

Problem: horrifically slow throughput across the SonicWall (wasn't my decision) SSL VPN. Like, 1 to 2Mbit/sec. Network shared Excel files frequently need to be opened in protected mode. Access loses its mind more than is pleasant. If nobody else is connected via VPN, a single user can be kinda productive. During normal business hours people struggle.

WAN link is 200/20Mbps. Clients on the local network have no issues.

I know VPNs are always going to be slower than the line speed but this is ridiculous. From what I have read, SonicWall's implementation of VPN is the culprit in our case.

So I guess my question is, without having the engineers all bring their systems back to work and then remote in, what would be a practical alternative? Since the working remotely thing may come to an end in a month or two (or go on for another year, for all I can guess), I am hesitant to recommend spending a bunch of money on a solution. Would there be a VPN appliance we could set alongside the SonicWall that would have better throughput? I could probably get the powers that be to drop maybe $1000 to $1500 on a fix but that's about it. Or would there be other options?

Advice would be greatly appreciated. :)

Philip
10-13-20, 06:58 PM
I am not very familiar with the SonicWall appliances, but I would first try different configuration settings.

1. Often the MTU is an issue with VPNs because of additional tunneling/encapsulation. It is a good idea to have clients configured to use lower MTU, like ~1400 bytes.

1a. You may also check the MTU on the SonicWall WAN interface. Lowering it to 1404 may yield a bit better performance, try it. There is a bit more info on configuring the SonicWall through the web interface here; you may want to check the current settings and compare to these notes:
https://www.sonicwall.com/support/knowledge-base/troubleshooting-network-throughput-latency-and-bandwidth-issues-with-a-sonicwall-utm/170504563958424/
https://www.sonicwall.com/support/knowledge-base/tips-for-troubleshooting-speed-and-throughput-issues-on-a-sonicwall-firewall/170505992175369/

1b. In the SonicWall admin panel: "security services > basic setup", change it to "performance optimized". This is important for VPN performance.

1c. In the SonicWall admin panel: disable BWM.

Reboot SonicWall after changing services.

2. When the throughput is bad, how loaded is the SonicWall? Most web admin panels have some type of indication of CPU/Network load. Check to see what VPN throughput your particular SonicWall model can support. The manufacturer numbers are usually theoretical/wildly optimistic. From what I've read, a SonicWall TZ400 gets about ~100 mbps VPN throughput, but it will vary depending on options. Here is a link to SonicWall's numbers by model:
https://www.sonicwall-sales.com/firewalls/which-model.html


3. What mode/encryption is the VPN using? IKEv2/IPsec is fast and a good choice usually.
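
Added example (not part of Philip's post and not SonicWall tooling): points 1 and 1a suggest an MTU around 1400 or 1404, and the script below measures the largest packet that crosses the tunnel unfragmented so the value can be checked rather than guessed. The function names, the 548 to 1472 byte search range and the 192.0.2.10 placeholder target are assumptions; run it from a connected VPN client against a host on the office LAN that answers ping.

```python
import platform
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", "-w", "1000", host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "1", host]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    if platform.system() == "Windows":
        # Windows ping can exit 0 on error replies, so look for a real echo reply.
        return "TTL=" in res.stdout
    return res.returncode == 0


def largest_unfragmented_mtu(host, probe=ping_df, low=548, high=1472):
    """Binary-search the largest ICMP payload that passes with DF set.

    Returns the matching MTU (payload + 28 header bytes), or None if even
    `low` fails (host down or ICMP filtered), so a blocked path is not
    mistaken for a tiny MTU.
    """
    if not probe(host, low):
        return None
    while low < high:
        mid = (low + high + 1) // 2  # round up so the loop always narrows
        if probe(host, mid):
            low = mid
        else:
            high = mid - 1
    return low + IP_ICMP_HEADERS


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation placeholder; pass a real LAN host instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print("largest unfragmented MTU:", largest_unfragmented_mtu(target))
```

If the result is below the MTU configured on the client's VPN adapter, packets are being fragmented or dropped inside the tunnel, which is the case the MTU advice above is meant to fix.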

Faust
10-19-20, 11:39 AM
Heya, Philip! Thank you very much for the reply.

I'm right there with you when it comes to not being familiar with SonicWall appliances. I mean, I've been given admin rights when I wanted it to set up port forwarding and such, but it's (SonicWall's layout and such) so different from what I'm accustomed to that I prefer to just let the IT guys deal with it since it was their decision. I'd rather not make a mistake during operational hours and have the whole company grabbing their pitchforks.

I'll ask them to try the tweaks you mentioned. Although I have my doubts the SonicWall will be able to handle the number of concurrent users (likely the reason for such slow throughput), any improvement would be a godsend.

I'll let you know how it works out!

Thanks again, Philip. Your help is greatly appreciated.

Philip
10-19-20, 01:15 PM
No problem, hopefully some of these will help.