Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



  • So I need a tcpdump (pcap) of this traffic, like last time.

    # capture options (-w) must come before the filter expression
    tcpdump -ni any -w /tmp/thundervpn.pcap port 123

    conntrack -L | grep 123

    __________________________________________________________________________________________________________________
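As an added example (not part of this thread and not Sophos tooling), the script below reads a pcap written by a `tcpdump -i any -w` capture like the one above and checks whether the UDP/123 datagrams actually carry well-formed NTP headers (RFC 5905 packs the leap indicator, version and mode into the first byte of a 48-byte header). That distinguishes genuine NTP, which app control is misclassifying here, from anything else using port 123. The function names, the constructed sample capture and the documentation-range addresses are all assumptions; a pcap path can be passed as the first argument instead.

```python
import struct
from collections import Counter

# Link types tcpdump writes: plain Ethernet, and Linux "cooked" capture for `-i any`.
# (Newer libpcap may write LINKTYPE_LINUX_SLL2 = 276 for `-i any`; not handled here.)
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113
LINK_HEADER_LEN = {LINKTYPE_ETHERNET: 14, LINKTYPE_LINUX_SLL: 16}


def parse_ntp(payload):
    """Return NTP header fields if the datagram looks like NTP, else None.

    RFC 5905: first byte = LI (2 bits) | VN (3 bits) | mode (3 bits); header is 48 bytes.
    """
    if len(payload) < 48:
        return None
    first = payload[0]
    li, vn, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if vn not in (1, 2, 3, 4) or mode not in (1, 2, 3, 4, 5):
        return None
    return {"li": li, "vn": vn, "mode": mode, "stratum": payload[1]}


def iter_udp(pcap):
    """Yield (src, dst, sport, dport, payload) for each IPv4/UDP frame in a pcap file."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled")
    hdr_len = LINK_HEADER_LEN[linktype]
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < hdr_len + 28:  # too short for IPv4 + UDP headers
            continue
        # Both link headers end with the 2-byte EtherType; only IPv4 (0x0800) matters here.
        if struct.unpack("!H", frame[hdr_len - 2:hdr_len])[0] != 0x0800:
            continue
        ip = frame[hdr_len:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:  # protocol 17 = UDP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        yield src, dst, sport, dport, ip[ihl + 8:ihl + ulen]


def triage(pcap):
    """Count port-123 datagrams that are well-formed NTP (by mode) vs. something else."""
    counts = Counter()
    for src, _dst, sport, dport, payload in iter_udp(pcap):
        if 123 not in (sport, dport):
            continue
        ntp = parse_ntp(payload)
        if ntp is None:
            counts["port123_not_ntp"] += 1
            counts[f"not_ntp_from_{src}"] += 1  # which hosts deserve a closer look
        else:
            counts[f"ntp_mode{ntp['mode']}"] += 1
    return counts


# --- constructed sample data (not a real capture) ---------------------------

def build_ntp_payload(mode, vn=4, stratum=0):
    """48-byte NTP header: LI=0, given version and mode, poll=6, precision=-20, rest zero."""
    return bytes([(vn << 3) | mode, stratum, 6, 0xEC]) + bytes(44)


def build_udp_frame(src, dst, sport, dport, payload, linktype=LINKTYPE_LINUX_SLL):
    """Wrap a payload in UDP, IPv4 and a cooked or Ethernet link header (checksums zeroed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    if linktype == LINKTYPE_LINUX_SLL:
        link = struct.pack("!HHH8sH", 0, 1, 6, bytes(8), 0x0800)
    else:
        link = bytes(12) + struct.pack("!H", 0x0800)
    return link + ip + udp


def build_pcap(frames, linktype=LINKTYPE_LINUX_SLL):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def sample_pcap():
    """Two NTP client requests, one server reply, and one non-NTP datagram to port 123."""
    return build_pcap([
        build_udp_frame("192.0.2.10", "198.51.100.1", 123, 123, build_ntp_payload(3)),
        build_udp_frame("192.0.2.11", "198.51.100.1", 51000, 123, build_ntp_payload(3)),
        build_udp_frame("198.51.100.1", "192.0.2.10", 123, 123, build_ntp_payload(4, stratum=2)),
        build_udp_frame("192.0.2.12", "203.0.113.7", 40000, 123, b"definitely-not-ntp"),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for key, n in sorted(triage(data).items()):
        print(f"{key}: {n}")
```

If every port-123 datagram in the real capture comes back as `ntp_mode3` or `ntp_mode4`, the "Thunder VPN" hits are ordinary NTP client/server exchanges and the problem is the application signature, not the endpoints; any `not_ntp_from_…` entries point at hosts worth inspecting before adding an allow rule.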

  • Any progress to report?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I cannot reproduce this on any of my firewalls. Therefore we need the dumps, as mentioned.

    __________________________________________________________________________________________________________________

  • I will see what I can capture. I see about 100 hits, but 288B of data (bytes) which makes capture difficult.

    Ian

  • I had a case open for this issue.  Support's answer was to have me create a workaround FW rule to allow NTP traffic at the top of the rule stack.  The tech led me to believe this was being worked on and to wait for a pattern update.  Not an acceptable answer, but eh, what else was I supposed to do?  So my case is closed now.

    That said, I'd be happy to try and collect what you need, as I disabled that FW rule just now and no surprise I'm getting tons of blocks for Thunder VPN again on UDP/123.  

    But can you be a bit more specific on what to run and HOW to run the commands? I tried the first command you mentioned above from the CLI by SSH'ing into my FW, but the command doesn't run as you've got it typed. The conntrack command doesn't seem to exist, as I recall when I tried it. Glad to try and help if you can help me with more detail.

  • You need to perform both on the advanced shell (option 5 / 3).

    __________________________________________________________________________________________________________________

  • I've got a pcap file and the output from the conntrack command. How can I get them to you?

  • You can send me a PM.

    __________________________________________________________________________________________________________________

  • I have the same problem. Every day 2-3K blocked connections due to ThunderVPN but I don't have this software installed on any device. The connected devices are an iPhone. Please help.  

  • Hi folks,

    There appears to be some progress on this issue: while I am still seeing ThunderVPN in the daily report and the GUI, I am also seeing NTP being reported correctly in the daily reports.

    The daily reports usually take at least 24 hours to catch up. I will investigate further.

    Ian

  • Let me know what you did differently; I'm not seeing any dramatic improvement. When I use the App rule to block level 5 (which I do) I see tens of thousands of Thunder VPN (port 123) block exceptions every day. I'm at 18.18.60. So much that it impairs a number of IoT devices that depend on this. I had to put a Thunder VPN App allow rule in to stabilize my system. Would be REALLY NICE to see Sophos fix this. Thanks