
VPN, telephony and other services no longer working

Hello,

Following a reboot of our servers, we are no longer able to access several internal and external services (VPN, telephony, User Portal).

I am neither a network expert nor an advanced user of Sophos solutions, but I will gladly provide you with more information if needed.

We have been using Sophos UTM 9 for several years without any problems. However, all of a sudden, here is what I see and can already pass on as information:

  • The User Portal site is no longer accessible externally, but is accessible from the internal network
  • The VPN connection does not work externally anymore, but works from the internal network
  • We can receive calls, but we can't hear the caller and he can't hear us.
  • We have access to the Internet from the internal network, but we can no longer connect to or configure certain applications (it is impossible to connect to the telephony application, and impossible to configure certain services, for example the configuration of an email service on certain workstations, whereas when connected to another network it works).
  • No modification of the firewall has been done in the last months. We are updating it, but the configuration has remained the same.

I have tried to restart Sophos UTM several times with no result. For the first few minutes everything works normally, then the telephony stops working and the User Portal becomes inaccessible again. In the past, we have used this infrastructure many times without any problems.

All these problems are very sudden. I am aware that it is difficult for you to help me with this information, but I will gladly provide you with additional information if needed.

I think the reasons could be many things, but I can't find any particular error in the UTM logs to help me correct the situation. If you have an idea of a problem that could make us suddenly face these issues, I would be very grateful.

At your disposal,
Thanks in advance

FYI > VPN Client log:



  • We have access to the Internet from the internal network, but we can no longer connect or configure certain applications (impossible to connect to the telephony application / impossible to configure certain services, for example, the configuration of an email service on certain workstations, whereas when connected to another network it works).

    Are these services all internally hosted, or externally? Are they accessed via WAF?

    Did you check your Firewall log to see if anything is being denied?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • The services are all hosted externally and I guess the traffic goes through the firewall.

    From WebAdmin I can find many log files, but the firewall log file seems to log the transient data (~2 GB). By "denied access log file", do you mean the IPS log file?

    The IPS is logging some info entries with flood data, example below:

    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
    2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos


    Thanks for your help


  • I'm assuming you have UDP flood protection enabled if you are seeing this. You can temporarily uncheck that box if you wish and try accessing your portal and sites. That 108.xxx address, what address is that? I tried to access it from here and it's giving a 403 error.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
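Editor's added example, not code from the thread or from Sophos: a small Python script that parses ulogd IPS lines in the format posted above and summarises the "UDP flood detected" events per flow, so that the log can be checked for the pattern the reply points at (flood protection firing on UDP traffic) before the protection is switched off. The posted lines have srcport="443" and dstport="54682": the source port is a well-known service port and the destination is a high ephemeral port, which is the shape of reply traffic to a session an inside host opened, and flood protection throttling such replies would be consistent with services working for a few minutes and then stopping. The script labels such flows with a heuristic (the port sets, the "reply-traffic" and "RTP-like" labels and the 1024 threshold are assumptions, not UTM semantics). The sample log is constructed: the first two lines copy the posted ones, the third is an invented RTP-like line using a documentation-range address (203.0.113.7, ports 10002/10000), and the fourth is cut off at tos like the last posted line, to show that a truncated record is reported rather than crashing the parser.

```python
import re
from collections import Counter

# key="value" pairs as ulogd writes them (assumption: values contain no double quotes).
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# "YYYY:MM:DD-HH:MM:SS host process[pid]:" prefix, as on the posted lines.
PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+?)\[(?P<pid>\d+)\]:'
)

# Heuristic (assumption): a client on the inside talks *to* these ports, so a packet
# arriving with this srcport and a high dstport is most likely the server's reply.
CLIENT_INITIATED_SERVICE_PORTS = {443: "HTTPS/QUIC", 53: "DNS", 123: "NTP"}

# Constructed sample log: lines 1-2 copy the thread, line 3 is an invented RTP-like
# flow (documentation address 203.0.113.7), line 4 is truncated at "tos" as on the page.
SAMPLE_LOG = """\
2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
2023:03:15-13:26:34 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos="0x08" prec="0x20" ttl="247" srcport="443" dstport="54682"
2023:03:15-13:26:35 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="203.0.113.7" dstip="[DMZ PUBLIC IP]" proto="17" length="172" tos="0x00" prec="0x00" ttl="55" srcport="10002" dstport="10000"
2023:03:15-13:26:35 vpn ulogd[4948]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="10:5a:f7:4e:02:23" dstmac="00:0c:29:b1:1c:33" srcip="108.138.189.123" dstip="[DMZ PUBLIC IP]" proto="17" length="1480" tos
"""


def parse_ulogd_line(line):
    """Return a dict of timestamp, host and all key="value" fields, or None if the
    line does not carry the ulogd prefix. Fields missing from a truncated line are
    simply absent from the dict."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    ev.update(dict(KV_RE.findall(line[m.end():])))
    return ev


def classify(ev):
    """Heuristic triage label for one IPS event (see lead-in; not UTM semantics)."""
    if ev.get("name") != "UDP flood detected":
        return "not-a-flood-event"
    if "srcport" not in ev or "dstport" not in ev:
        return "incomplete-record"
    sport, dport = int(ev["srcport"]), int(ev["dstport"])
    if sport in CLIENT_INITIATED_SERVICE_PORTS and dport >= 1024:
        return "reply-traffic:" + CLIENT_INITIATED_SERVICE_PORTS[sport]
    if sport >= 1024 and dport >= 1024:
        return "high-port-to-high-port (media/RTP-like)"
    return "unclassified"


def summarize(log_text):
    """Count flood events per (srcip, srcport, dstip, dstport) flow and per label."""
    events = [e for e in map(parse_ulogd_line, log_text.splitlines()) if e]
    floods = [e for e in events if e.get("name") == "UDP flood detected"]
    by_flow = Counter(
        (e.get("srcip", "?"), e.get("srcport", "?"), e.get("dstip", "?"), e.get("dstport", "?"))
        for e in floods
    )
    by_class = Counter(classify(e) for e in floods)
    return {"events": len(events), "floods": len(floods), "by_flow": by_flow, "by_class": by_class}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['floods']} flood events in {report['events']} parsed lines")
    for flow, n in report["by_flow"].most_common():
        print(f"  {n:>4}  {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}")
    for label, n in report["by_class"].most_common():
        print(f"  {n:>4}  {label}")
```

Run it against the real ips.log (for example `python3 ips_floods.py < ips.log` after replacing SAMPLE_LOG with sys.stdin.read()) and look at the top flows: a large count on one flow whose srcport is 443 or a media port, towards a high port on your DMZ address, is a flood-protection hit on traffic your own hosts asked for, and that flow is the one to test with the protection temporarily disabled, as suggested above, rather than leaving it off globally.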