Performance issue w/ SSL VPN Client


I'm testing this issue now with an M290 (fw 12.10) and VPN client v12.10. The M290 has 1G fiber as its external connection. The issue seems to apply the same in Win 11 and OSX 14.2.1.

For a few weeks now I have noticed that while connected through the WG SSL VPN client, network performance is quite poor. I haven't noticed that earlier, and I have used the SSL client quite a lot. I just tested that if I'm connected w/ IKEv2, download speed is around 130-140Mbps, but when connected through the SSL VPN client, download speed seems to be around 10Mbps.

I read already about performance issues while "Force all client traffic through tunnel" setting is disabled but I have that enabled...

Any ideas about this?


  • Options

    There is an onboard encryption chip on most if not all WG firewall CPUs, which does offload VPN encryption for IKE, but not for SSL, so IKE will be faster than SSL.

    "Force all client traffic through tunnel" makes Internet access from the SSLVPN client go to the WG firewall and then to the Internet, which will almost always be slower than using split tunneling where Internet access goes directly from the client to the Internet and not via the WG firewall.

    The default setup for IKEv2 also sends all traffic including Internet traffic over the VPN to the WG firewall.

  • Options

    Thanks for the comment!

    I haven't noticed such an impact earlier while using SSLVPN, and that's why I started to ask about it. I have used several different models of WS's with SSLVPN (T15, M200, M290, M390 and M470) but never noticed such an impact on DL/UL speeds. I mean, with SSLVPN the impact has been around 10-20%, but now it seems to be 80-90%, and the M290 which I'm now using to test this is our NFR product, which has no heavy loads of networking at this moment.

  • Options
    edited February 8

    Perhaps @james.carson will comment here.

  • Options
    james.carson Moderator, WatchGuard Representative

    Hi @JRock
    The SSLVPN is expected to be less performant than the other VPN types the firebox offers. Performance is going to be a combination of what Firebox you're using, what your endpoint device's capabilities are, what type of data you're sending, and the speed/latency of your internet connection on both sides.

    If you'd like to look into if any changes can be made to speed it up, I'd suggest opening a support case.

    The most common complaint I see about SSLVPN performance is bad performance when using SMB (Windows file sharing). The issue is almost always due to asymmetric upload speed being very low on one side of the connection, and/or latency induced by the connection. See: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g33SSAQ&lang=en_US

    -James Carson
    WatchGuard Customer Support

  • Options

    Relatively slow transfers when using SMB will also be true for IKEv2 and IPSec VPN connections.

    The huge reduction in transfer rate using SSLVPN seems odd here.
    Not sure where to look for a cause though.
    Perhaps some software on the client PC which is intercepting the SSL session to do inspection?

  • Options

    At the moment I have used the connection mainly for WebUI maintenance and CLI connections, so mainly HTTP/HTTPS/SSH. For testing I used an FTP server (funet.fi), and the External connection is 1G fiber, from where I get a download speed of around 800Mbps from funet.fi.
    I have noticed this speed reduction on two different computers (Win11 and OSX) with totally different setups of firewall/virus detection software, so it would be really weird that two computers have the same "problem"?!?

    BTW I have had SSLVPN ver 12.10 for at least 2-3 months now.
