Video conference performance drops

Hi and welcome to the UTM Community!

You'll want to be aware of Rulz, especially #1 because we still need to know what's in the IPS log when two devices are on Zoom.

Also, you didn't say what device UTM is running on or what version you're using - 9.506?

Cheers - Bob

Hi,

Did you check if there is an QoS configurations you are not aware about?

You can also check the total bandwidth that the UTM receives from the ISP by downloading a file via wget command. Alongside, look for any increase in dropped and error packets recorded on the interfaces by executing the "watch ifconfig" command in the shell.

Thanks,

We are running 9.509-3 Below is a screenshot of a portion of the IPS Live Log while the video conference is happening. Eth0 is LAN & Eth1 is WAN

Thanks!

At the moment, QoS is disabled on all interfaces.

Thanks Sachingurung, ill try those commands and see what shows up

In general when posting here, one would want to obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That let's us see immediately which IPs are local and which are identical.

Is that a picture from before you disabled anti-flooding for UDP?  What's in the log after it's disabled?

Cheers - Bob

Sorry about that, here are some more detailed logs

I Disabled IPS & UDP\ICMP Flooding > Enabled the Live Log > Started the conference and connected 2 other users to it. 

This is this appeared right when the Live Log was started, but nothing else appeared. I left the video feed going for a couple minutes

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_SMTP Version 1.1 <Build 9>

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_SDF Version 1.1 <Build 1>

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_DNS Version 1.1 <Build 4>

2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>

2018:08:29-11:25:47 utm snort[20788]: Commencing packet processing (pid=20788)

2018:08:29-11:25:47 utm snort[20788]: Decoding Raw IP4

 

 

I then Enabled UDP\ICMP Flooding > Started a Live Log > began a new meeting. 

The initial UDP Flood detected messages occured when the meeting was started

The remainder of the logs started to appear (11:40:46) when the 2nd device joins the meeting and video\audio quality take the nose dive

 

 

 

I hope that helps.

Instead of disabling outright, make an exception for UDP flooding for traffic from or to 162.255.7.121.

What happens if the second station joins the meeting first - does it have issues even when alone?

Cheers - Bob

The order in which I join the devices makes any difference.

I created a UDP Flooding exception for that IP both as source and destination but still no luck.

The logs show that the packets are going to multiple external servers

I adjusted the Exception rule to the one below 

 Skip these checks: IPS & UDP Flood

All requests Coming from these source networks: Internal (Network) + WAN (Address)

AND

Going to: Any

I then created a second rule which is basically the inverse of the one above

Skip these checks: IPS & UDP Flood

All requests Coming from these source networks: Any

AND

Going to: Internal (Network) + WAN (Address)

No more logs appeared in the Sophos but after connecting a second device to the meeting the packet loss jumped right back up to 90%+

"the packet loss jumped right back up to 90%+"

What are you seeing in the packet capture?

Cheers - Bob

With the IPS Exceptions running I dont see anything in the Sophos IPS logs. My comment about the 90% packet loss is directed to Zoom's Settings and Statistics as seen below.