Sophos XG Firewall - License activation unavailable (error XG-00151). See KB-000043485 for the latest updates.

Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!

[edited by: ARandomHerdFan at 8:17 PM (GMT -7) on 20 Jul 2021]
  • Hello Community!

    For the community members following and participating in this thread. 

    Would it be possible for you to share any Case ID you have created for this, and if you haven't please create one and provide the following or update the ticket with the following:

    1. Run IPS in debug mode (# service ips:debug -ds nosync) 
    2. # tcpdump -ni any port 123 -b -w /tmp/thundervpn.pcap 
    3. # conntrack -L | grep 123 
    4. Screenshot of the LogViewer showing the application being marked as ThunderVPN with the destination port
    5. Current IPS Pattern
    6. Firmware and Hardware model

    Note: Start pcap/log collection first and then recreate issue/logs and stop pcap/log

    I would like to make sure Labs has all the pcaps and conntrack entries with the service running in debug mode as they have requested this way.


    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Confirmed latest pattern update 18.18.62 appears to have resolved the issue, "offending" services have need re-enabled and no further hits int the logs (possibly since the previous update on 12th Oct?). Providing further details for the Labs seems pointless now as issue is no longer occurring.
    It would be interesting to know what and why this was happening as on paper some dubious Android VPN service shouldn't be confused with a simple NTP request...?

  • It is not that easy to point the issue in this case. It seems to be not the same issue like last time. 

    BTW: Take a look at this VPN provider and look at  such a tcpdump, they try to hide themself in such packets. 


  • In our case, the blocked traffic (one hit a day only at exactly the same times each day) came from our 2x web servers and unless they had been compromised, there were only a few possible culprits, the obvious one was Certify The Web, sure enough disabling this cured the problem. Thunder VPN is an Android only service so it hardly seems likely to be coming form a web server...

  • Everything is working fine now. Thank you. Good job.

  • Hi,

    mine is looking good also. Now we need to get NTP classification fixed so it is classified correctly instead of unclassified.


    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
Reply Children
No Data