Video conference performance drops

Hi and welcome to the UTM Community!

You'll want to be aware of Rulz, especially #1 because we still need to know what's in the IPS log when two devices are on Zoom.

Also, you didn't say what device UTM is running on or what version you're using - 9.506?

Cheers - Bob

We are running 9.509-3 Below is a screenshot of a portion of the IPS Live Log while the video conference is happening. Eth0 is LAN & Eth1 is WAN

Thanks!

The order in which I join the devices makes any difference.

I created a UDP Flooding exception for that IP both as source and destination but still no luck.

The logs show that the packets are going to multiple external servers

I adjusted the Exception rule to the one below 

 Skip these checks: IPS & UDP Flood

All requests Coming from these source networks: Internal (Network) + WAN (Address)

AND

Going to: Any

I then created a second rule which is basically the inverse of the one above

Skip these checks: IPS & UDP Flood

All requests Coming from these source networks: Any

AND

Going to: Internal (Network) + WAN (Address)

No more logs appeared in the Sophos but after connecting a second device to the meeting the packet loss jumped right back up to 90%+

"the packet loss jumped right back up to 90%+"

What are you seeing in the packet capture?

Cheers - Bob

With the IPS Exceptions running I dont see anything in the Sophos IPS logs. My comment about the 90% packet loss is directed to Zoom's Settings and Statistics as seen below. 

What do you see if you do tcpdump on eth0?  And then on eth1?  Are packets lost inside your network or before they reach you?

Did you learn anything from trying Sachin's suggestion?

Cheers - Bob

Below is a screenshot of some of the tcpdump output. One thing that stood out to me was the amount of packets without a listed length, could this be part of the problem?

I also ran an ifconfig before and after these tests, there was no jump in collisions or drops. There is only 1 collision shown by ifconfig which seems acceptable.

I also ran a iftop command on both interfaces to monitor bandwidth usage during the video conference. The second last column on the right (avg bandwidth per 20 seconds) showed 600Kbp~ DL and 65Kb~ UL to and from Zoom servers. Upload is noticeably bad here.

During all these tests I had the IPS Exceptions enabled

The usual approach is to put things in the /home directory unless they're large.  In this case, you could test with a 100MB file and then delete it from /home when you're done.

Strange that there are those zero-length packets without ports.  What do folks in the Zoom online community say about your packet capture?

Cheers - Bob

I haven't engaged Zoom support but certainly can reach out to them.

I also just downloaded a 120Mb file to the Sophos which downloaded at 7.68M/s (15 Seconds)
I feel like I should be seeing faster downloads speeds.  I checked the Sophos Web Admin to see how much activity there was at the time of downloading the file, we were using less than 2Mbps. Speed tests show I can get up to 50Mbps+ DL.

You said your connection is 65 Mbps - 7.68 MB/s is faster than that...

Cheers - Bob

Ah ok, I wasnt sure if the M stood for Megabits or Megabytes. Either way ill check in with Zoom support

So ive talked with Zoom support and they dont see any issues on their end. During my testing with them I put one of the 3 computers onto a completely separate network and WAN connection, the issue still occurred. Zoom recommended I contact our ISP but I dont think thats really the problem as we arnt pinning our available download bandwidth. I dont expect that they would be throttling Zoom and certainly not UDP traffic. Ill start running some WireShark captures to see if I can notice any other oddities.

So ive talked with Zoom support and they dont see any issues on their end. During my testing with them I put one of the 3 computers onto a completely separate network and WAN connection, the issue still occurred. Zoom recommended I contact our ISP but I dont think thats really the problem as we arnt pinning our available download bandwidth. I dont expect that they would be throttling Zoom and certainly not UDP traffic. Ill start running some WireShark captures to see if I can notice any other oddities.