
Thread: Dismally slow SSL VPN (SonicWall)

  1. #1
    SCSI Dude Faust's Avatar
    Join Date
    Apr 2000
    Location
    Huntington Beach, CA
    Posts
    8,711

    Dismally slow SSL VPN (SonicWall)

    Howdy, all!

    Long story short, the whole pandemic thing tossed some chaos into our day-to-day and who knows how long this whole working remotely thing is going to go on. When things went sideways the decision was made (which I objected to) to send the whole Engineering Department home with their workstations and dual monitor setups, to which I replied "OK, but for that to work you'll need to set up a VPN or something so they can access network resources". Were it me I would have had them leave their systems at work and remote in with TeamViewer or maybe AnyDesk. Water under the bridge, I suppose.

    Problem: horrifically slow throughput across the SonicWall (wasn't my decision) SSL VPN. Like, 1 to 2Mbit/sec. Network shared Excel files frequently need to be opened in protected mode. Access loses its mind more than is pleasant. If nobody else is connected via VPN, a single user can be kinda productive. During normal business hours people struggle.

    WAN link is 200/20Mbps. Clients on the local network have no issues.

    I know VPNs are always going to be slower than the line speed but this is ridiculous. From what I have read, SonicWall's implementation of VPN is the culprit in our case.

    So I guess my question is, without having the engineers all bring their systems back to work and then remote in, what would be a practical alternative? Since the working remotely thing may come to an end in a month or two (or go on for another year, for all I can guess), I am hesitant to recommend spending a bunch of money on a solution. Would there be a VPN appliance we could set alongside the SonicWall that would have better throughput? I could probably get the powers that be to drop maybe $1000 to $1500 on a fix but that's about it. Or would there be other options?

    Advice would be greatly appreciated.
    "Today is a black day in the history of mankind."

    - Leo Szilard

  2. #2
    Administrator Philip's Avatar
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    10,683
    Blog Entries
    6
    I am not very familiar with the SonicWall appliances, but I would first try different configuration settings.

    1. Often the MTU is an issue with VPNs because of additional tunneling/encapsulation. It is a good idea to have clients configured to use lower MTU, like ~1400 bytes.

    1a. You may also check the MTU on the Sonicwall WAN interface. Lowering it to 1404 may yield a bit better performance, try it. There is a bit more info on configuring the Sonicwall through the web interface here, may want to check the current settings and compare to these notes:
    https://www.sonicwall.com/support/kn...0504563958424/
    https://www.sonicwall.com/support/kn...0505992175369/

    1b. In the SonicWall admin panel: "security services > basic setup" > change it to "performance optimized". This is important for VPN performance.

    1c. In the Sonicwall admin panel: disable BWM

    Reboot SonicWall after changing services.

    2. When the throughput is bad, how loaded is the SonicWall? Most web admin panels have some type of indication of CPU/Network load. Check to see what VPN throughput your particular SonicWall model can support. The manufacturer numbers are usually theoretical/wildly optimistic. From what I've read, a SonicWall TZ400 gets about ~100 mbps VPN throughput, but it will vary depending on options. Here is a link to SonicWall's numbers by model:
    https://www.sonicwall-sales.com/fire...ich-model.html


    3. What mode/encryption is the VPN using? IKEv2/IPsec is fast and a good choice usually.
    Linux is user friendly, it's just picky about its friends...
    Disclaimer: Please use caution when opening messages, my grasp on reality may have shaken loose during transmission (going on rusty memory circuits).
    ๑۩۞۩๑
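
Added example, not part of the post above and not SonicWall tooling: one way to measure what MTU the VPN path actually carries before settling on a value such as ~1400 or 1404. It binary-searches ICMP payload sizes with Don't Fragment set; the function names are hypothetical, and `simulated_probe` is a constructed stand-in so the block runs offline.

```python
import platform
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def ping_df(host, payload, timeout_s=1):
    """Send one ICMP echo with Don't Fragment set; True if a reply came back."""
    windows = platform.system() == "Windows"
    if windows:
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1",
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1",
               "-W", str(timeout_s), host]
    run = subprocess.run(cmd, capture_output=True)
    ok = run.returncode == 0
    # Windows ping can exit 0 on an ICMP error reply, so also require a TTL field.
    return ok and (not windows or b"TTL=" in run.stdout)

def largest_unfragmented_payload(probe, lo=500, hi=1472):
    """Binary-search the largest payload for which probe(payload) succeeds.
    Returns None if even `lo` fails (host down or ICMP filtered)."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid       # mid fits, look higher
        else:
            hi = mid - 1   # mid was dropped, look lower
    return lo

def path_mtu(probe, lo=500, hi=1472):
    """Path MTU in bytes (payload plus IP and ICMP headers), or None."""
    payload = largest_unfragmented_payload(probe, lo, hi)
    return None if payload is None else payload + IP_ICMP_HEADERS

def simulated_probe(mtu):
    """Constructed stand-in for a real path: replies only if the packet fits."""
    return lambda payload: payload + IP_ICMP_HEADERS <= mtu

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real measurement against a host behind the VPN
        print("path MTU:", path_mtu(lambda p: ping_df(sys.argv[1], p)))
    else:                   # offline demo on a constructed 1404-byte path
        print("simulated path MTU:", path_mtu(simulated_probe(1404)))
```

Run it from a VPN client with the address of an internal host as the argument; a result of None means the host did not answer ICMP at all, not that the MTU is small.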

  3. #3
    SCSI Dude Faust's Avatar
    Join Date
    Apr 2000
    Location
    Huntington Beach, CA
    Posts
    8,711
    Heya, Philip! Thank you very much for the reply.

    I'm right there with you when it comes to not being familiar with SonicWall appliances. I mean, I've been given admin rights when I wanted it to set up port forwarding and such, but it's (SonicWall's layout and such) so different from what I'm accustomed to that I prefer to just let the IT guys deal with it since it was their decision. I'd rather not make a mistake during operational hours and have the whole company grabbing their pitchforks.

    I'll ask them to try the tweaks you mentioned. Although I have my doubts the SonicWall will be able to handle the number of concurrent users (likely the reason for such slow throughput), any improvement would be a godsend.

    I'll let you know how it works out!

    Thanks again, Philip. Your help is greatly appreciated.
    "Today is a black day in the history of mankind."

    - Leo Szilard

  4. #4
    Administrator Philip's Avatar
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    10,683
    Blog Entries
    6
    No problem, hopefully some of these will help.
