This discussion has been locked.

Availability Group causes hundreds of thousands of "echo requests" a day

Hi,

A recently installed Sophos UTM (sw: 9.355) generated about 400k echo requests a day. In the availability group, I set the setting to query udp/53 for DNS server verification. But it also sends pings, even though I didn't configure it. Now the provider asks why our devices are generating such large amounts of pings...

Is it normal that the availability group always creates ICMP requests, in addition to the setting I made? It's strange, because it is the first time I got information about that. But in this case the DNS servers aren't replying to ICMP requests.

If yes, is the only possibility to create a firewall rule to block that or what can I do?

Best Regards,

Sebastian



  • Sebastian, how do you know this is happening?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I made a tcpdump and captured the echo requests going to the hosts within the Availability Group for the DNS servers. Then I removed the two DNS servers where the administrators saw these ICMP echo requests, and at that moment the tcpdump stopped outputting ICMP requests to these servers. So I'm sure that it is this Availability Group. Currently, there is only the Google DNS server left in the group. And the UTM generates ICMP requests to 8.8.8.8 all the time... I only configured it to test udp/53.

    Take a look at the capture:

    And take a look at the raw data; it's pretty obvious which device generates the requests.

    The udp requests are also generated, as they are configured... Every 15 seconds...

    And these are the settings:

    Greetings,

    Sebastian

  • Hi Sebastian,

    I don't see a source IP address in the pcap screenshot. I also checked this on our test UTM and I cannot discover any ICMP requests generated via UTM itself.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Interesting, Sebastian ... what happens if you add a Host for 8.8.4.4 in the Availability Group?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    As expected, the host 8.8.4.4 is also being queried... I think ICMP requests are always done, independent of the settings for the availability group. Should be easy for Sophos to say if it's per design...
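
Added example, not part of the thread and not Sophos code: one way to settle the source-address question from the capture file itself is to tally ICMP echo requests and udp/53 probes per source and destination. The sample capture, the helper names and the 192.0.2.10 UTM address are constructed for illustration.

```python
import socket
import struct
from collections import Counter

def count_probes(pcap: bytes) -> Counter:
    """Tally ICMP echo requests and UDP/53 packets per (src, dst, kind)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if frame[23] == 1 and len(l4) >= 1 and l4[0] == 8:      # ICMP type 8
            counts[(src, dst, "icmp-echo")] += 1
        elif frame[23] == 17 and len(l4) >= 4 and l4[2:4] == b"\x00\x35":
            counts[(src, dst, "udp/53")] += 1                   # UDP dport 53
    return counts

def _frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed Ethernet+IPv4 frame (zero MACs, checksum left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def sample_capture() -> bytes:
    """Constructed pcap: 5 echo requests, 1 DNS probe, 1 echo reply."""
    utm = "192.0.2.10"  # assumed UTM address (documentation range)
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    reply = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
    dns = struct.pack("!HHHH", 40000, 53, 8, 0)
    frames = ([_frame(utm, "8.8.8.8", 1, echo)] * 3 + [_frame(utm, "8.8.4.4", 1, echo)] * 2
              + [_frame(utm, "8.8.8.8", 17, dns), _frame("8.8.8.8", utm, 1, reply)])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for key, n in sorted(count_probes(sample_capture()).items()):
        print(key, n)
```

To run it on a real capture, pass the bytes of a classic pcap file written with `tcpdump -w` to `count_probes`.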
