
Video conference performance drops

If two devices on the network join a Zoom meeting, the video drops to about 5 fps and audio suffers just as poorly.

I can recreate the issue consistently, and the issue only starts once the second device joins the meeting from LAN or WLAN and with multiple devices.

 

Zoom Statistics say that there is 90%+ packet loss Sending & Receiving and warns that there is low bandwidth.

 

The Sophos is using less than 10Mbps for the video calls + normal network traffic (Max available Bandwidth 65Mbps Down & 10Mbps Up)

System Resource Usage is acceptable and never pins during this issue.

 

I have disabled IPS & UDP Flooding after noticing lots of UDP Flood logs but this did nothing.

 

 

What other logs or settings should I check to make sure it's not a problem with the Sophos?

 

Thanks!



This thread was automatically locked due to age.
  • Hi and welcome to the UTM Community!

    You'll want to be aware of Rulz, especially #1 because we still need to know what's in the IPS log when two devices are on Zoom.

    Also, you didn't say what device UTM is running on or what version you're using - 9.506?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We are running 9.509-3. Below is a screenshot of a portion of the IPS Live Log while the video conference is happening. Eth0 is LAN & Eth1 is WAN.

     

    Thanks!

  • In general when posting here, one would want to obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical.

    Is that a picture from before you disabled anti-flooding for UDP?  What's in the log after it's disabled?

    Cheers - Bob

     
  • Sorry about that, here are some more detailed logs

     

    I Disabled IPS & UDP\ICMP Flooding > Enabled the Live Log > Started the conference and connected 2 other users to it. 

    This is what appeared right when the Live Log was started, but nothing else appeared. I left the video feed going for a couple minutes.

    2018:08:29-11:20:10 utm snort[4673]: 4xx: 0
    2018:08:29-11:20:10 utm snort[4673]: 5xx: 0
    2018:08:29-11:20:10 utm snort[4673]: 6xx: 0
    2018:08:29-11:20:10 utm snort[4673]: 7xx: 0
    2018:08:29-11:20:10 utm snort[4673]: 8xx: 0
    2018:08:29-11:20:10 utm snort[4673]: 9xx: 0
    2018:08:29-11:20:10 utm snort[4673]: Ignore sessions: 0
    2018:08:29-11:20:10 utm snort[4673]: Ignore channels: 0
    2018:08:29-11:20:10 utm snort[4673]: ===============================================================================
    2018:08:29-11:20:11 utm snort[4673]: Snort exiting
     
     
    I then reenabled IPS But left UDP\ICMP Flooding disabled > Started Live Log > began a new meeting. This is all that appeared:
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_SDF Version 1.1 <Build 1>
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_DNS Version 1.1 <Build 4>
    2018:08:29-11:25:47 utm snort[20788]: Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
    2018:08:29-11:25:47 utm snort[20788]: Commencing packet processing (pid=20788)
    2018:08:29-11:25:47 utm snort[20788]: Decoding Raw IP4
     
     
    I then Enabled UDP\ICMP Flooding > Started a Live Log > began a new meeting. 
    The initial UDP Flood detected messages occurred when the meeting was started.
    The remainder of the logs started to appear (11:40:46) when the 2nd device joins the meeting and video\audio quality take the nose dive.
     
     
     
    I hope that helps.
  • Instead of disabling outright, make an exception for UDP flooding for traffic from or to 162.255.7.121.

    What happens if the second station joins the meeting first - does it have issues even when alone?

    Cheers - Bob

     
  • The order in which I join the devices makes any difference.

     

    I created a UDP Flooding exception for that IP both as source and destination but still no luck.

    The logs show that the packets are going to multiple external servers

     

    I adjusted the Exception rule to the one below 

     Skip these checks: IPS & UDP Flood

    All requests Coming from these source networks: Internal (Network) + WAN (Address)

    AND

    Going to: Any

    I then created a second rule which is basically the inverse of the one above

    Skip these checks: IPS & UDP Flood

    All requests Coming from these source networks: Any

    AND

    Going to: Internal (Network) + WAN (Address)

     

    No more logs appeared in the Sophos but after connecting a second device to the meeting the packet loss jumped right back up to 90%+

  • "the packet loss jumped right back up to 90%+"

    What are you seeing in the packet capture?

    Cheers - Bob

     
  • With the IPS Exceptions running I don't see anything in the Sophos IPS logs. My comment about the 90% packet loss is directed to Zoom's Settings and Statistics as seen below.

     

  • What do you see if you do tcpdump on eth0?  And then on eth1?  Are packets lost inside your network or before they reach you?

    Did you learn anything from trying Sachin's suggestion?

    Cheers - Bob

     
  • Below is a screenshot of some of the tcpdump output. One thing that stood out to me was the amount of packets without a listed length. Could this be part of the problem?

    I also ran an ifconfig before and after these tests; there was no jump in collisions or drops. There is only 1 collision shown by ifconfig, which seems acceptable.

    I also ran an iftop command on both interfaces to monitor bandwidth usage during the video conference. The second last column on the right (avg bandwidth per 20 seconds) showed 600Kbp~ DL and 65Kb~ UL to and from Zoom servers. Upload is noticeably bad here.

     

    During all these tests I had the IPS Exceptions enabled
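
The eth0/eth1 comparison suggested earlier in the thread can be done mechanically. The following is an added example, not part of the original posts: it counts UDP packets per remote endpoint in two `tcpdump -nn -tt` text captures taken over the same window and reports how many packets entered the firewall on one side but never left on the other. The LAN subnet, WAN address, port and capture lines are constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -nn -tt line: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE = re.compile(r"^\S+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): UDP, length \d+")

def count_by_remote(capture_text, local_net):
    """Count UDP packets per (remote ip:port, direction) seen on one interface."""
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-UDP or truncated line
        src, sport, dst, dport = m.groups()
        if ipaddress.ip_address(src) in net:
            counts[(f"{dst}:{dport}", "out")] += 1
        elif ipaddress.ip_address(dst) in net:
            counts[(f"{src}:{sport}", "in")] += 1
    return counts

def loss_across_firewall(lan_text, wan_text, lan_net, wan_net):
    """Return {(remote, direction): (entered, left, loss_ratio)}."""
    lan = count_by_remote(lan_text, lan_net)   # eth0: clients keep private IPs
    wan = count_by_remote(wan_text, wan_net)   # eth1: clients appear as the NAT address
    report = {}
    for key in sorted(set(lan) | set(wan)):
        # Outbound enters on eth0 and leaves on eth1; inbound is the reverse.
        entered, left = (lan[key], wan[key]) if key[1] == "out" else (wan[key], lan[key])
        report[key] = (entered, left, max(entered - left, 0) / entered if entered else 0.0)
    return report

# Constructed sample captures (not from the thread's screenshots).
LAN_CAPTURE = """\
1535557246.100000 IP 192.168.1.20.50001 > 162.255.7.121.8801: UDP, length 1040
1535557246.110000 IP 192.168.1.21.50002 > 162.255.7.121.8801: UDP, length 1040
1535557246.120000 IP 192.168.1.20.50001 > 162.255.7.121.8801: UDP, length 1040
1535557246.130000 IP 192.168.1.21.50002 > 162.255.7.121.8801: UDP, length 1040
1535557246.140000 IP 162.255.7.121.8801 > 192.168.1.20.50001: UDP, length 900
1535557246.150000 IP 162.255.7.121.8801 > 192.168.1.21.50002: UDP, length 900
"""
WAN_CAPTURE = """\
1535557246.101000 IP 203.0.113.10.50001 > 162.255.7.121.8801: UDP, length 1040
1535557246.141000 IP 162.255.7.121.8801 > 203.0.113.10.50001: UDP, length 900
1535557246.151000 IP 162.255.7.121.8801 > 203.0.113.10.50002: UDP, length 900
"""

if __name__ == "__main__":
    result = loss_across_firewall(LAN_CAPTURE, WAN_CAPTURE, "192.168.1.0/24", "203.0.113.10/32")
    for (remote, direction), (entered, left, ratio) in result.items():
        print(f"{remote} {direction}: entered={entered} left={left} loss={ratio:.0%}")
```

High outbound loss with clean inbound counts points at the firewall or its uplink rather than the LAN; equal counts on both interfaces mean the loss happens upstream of the WAN port.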