Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +3 person also asked this people also asked this
  • Locked Locked
  • Replies 92 replies
  • Subscribers 55 subscribers
  • Views 14262 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Any experience with an excessive number of ThunderVPN hits?

ARandomHerdFan

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



This thread was automatically locked due to age.
Parents
  • 0

    As i am still not able to find any reliable source of this ThunderVPN Traffic: 

    I need a pcap of this traffic and a matching conntrack of this traffic:

    tcpdump -ni any port 123 -b -w /tmp/thundervpn.pcap 

    conntrack -L | grep 123 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I will try again and leave the capture running for about 10 or so minutes.

    conntrack did not return any results last time.

    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Try another shell at the same time with conntrack -E |grep 123 

    And put the ips into debug mode: service ips:debug -ds nosync 

    Send me the ips.log as well. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Conctrack -E | grep 123 returns this

    DESTROY] proto=udp      proto-no=17 orig-src=10.10.10.5 orig-dst=139.99.222.72 
    orig-sport=123 orig-dport=123 packets=1 bytes=76 reply-src=139.99.222.72 reply-d
    st=124.187.248.41 reply-sport=123 reply-dport=123 packets=1 bytes=76 mark=0x8003
     id=252905024 masterid=0 devin=Port3 devout=Port4 nseid=0 ips=11 sslvpnid=0 webf
    ltid=1 appfltid=11 icapid=0 policytype=2 fwid=48 natid=7 fw_action=1 bwid=0 appi
    d=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0xc sigoffload=0 inzone=1 outzo
    ne=2 devinindex=7 devoutindex=8 hb_src=1 hb_dst=0 flags0=0x108008000a20000a flag
    s1=0xd0020a00010 flagvalues=1,3,21,25,27,43,55,60,68,85,87,93,104,106,107 catid=
    0 user=59 luserid=31 usergp=64 hotspotuserid=0 hotspotid=0 dst_mac=30:5a:3a:c8:3
    c:3d src_mac=dc:a6:32:a5:f2:02 startstamp=1629192418 microflow[0]=INVALID microf
    low[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=8 tlsruleid
    =0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=1889 cur
    rent_state[1]=1889 vlan_id=0 inmark=0x0 brinindex=0 sessionid=738 sessionidrev=2
    5337 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid
    _dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id
    =NOT_OFFLOADED                         
    This extract is for the NTP server talking to the world which is never an issue.

     [UPDATE] proto=udp      proto-no=17 timeout=59 orig-src=10.10.10.30 orig-dst=16
    2.159.200.1 orig-sport=33823 orig-dport=123 reply-src=10.10.10.5 reply-dst=10.10
    .10.1 reply-sport=123 reply-dport=33823 [ASSURED] id=1617832768 masterid=0 devin
    =Port3 devout=Port3 nseid=0 ips=11 sslvpnid=0 webfltid=1 appfltid=11 icapid=0 po
    licytype=2 fwid=39 natid=6 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbapp
    catid=0 dpioffload=0xc sigoffload=0 inzone=1 outzone=1 devinindex=7 devoutindex=
    7 hb_src=1 hb_dst=0 flags0=0x8000a200008 flags1=0xd0020a00010 flagvalues=3,21,25
    ,27,43,68,85,87,93,104,106,107 catid=0 user=50 luserid=34 usergp=16 hotspotuseri
    d=0 hotspotid=0 dst_mac=30:5a:3a:c8:3c:3d src_mac=24:5e:be:13:90:57 startstamp=1
    629192435 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ip
    spid=0 diffserv=0 loindex=7 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 clu
    ster_node=0 current_state[0]=1889 current_state[1]=1889 vlan_id=0 inmark=0x0 bri
    nindex=0 sessionid=537 sessionidrev=54603 session_update_rev=1 dnat_done=3 upcla
    ss=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 n
    hop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED 
    This one is from a QNAP NAS.

    This a logviewer extract of the same transactions I hope.
     

    That is part of the logviewer report. I will send the other files in a PM shortly.
    Ian

    Dumb question how to turn off IPS debug? I assume debug is still running because permission is denied to copy the file.

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    repeat the same command to disable debug

    XG430_WP02_SFOS 18.0.5 MR-5-Build586# service -S |grep ips
    ips                  RUNNING,DEBUG

  • 0 in reply to LHerzog

    Thank you, I had assumed so, but was not able to access the file, hence the question.

    ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

Reply Children
No Data
Unfiltered HTML