Excessive Up2Date Traffic

Recently (2-3 days) I've noticed regular periodic spikes of Up2Date traffic. Checking the flow monitor, I see a 5-6MB/s spike tagged  Sophos UTM Upd2Date every 25 seconds. The total (in Top Clients by Application) was 142GB just yesterday.

There's nothing unusual in the Up2Date log. Checks every 15 minutes with the occasional new pattern successfully installed. Nothing in the IPS log either except regular DNS Amplification Attacks every few minutes, but those have been happening for months.

I can't really see any way to debug this from within the firewall. Do I have to put a monitor on the outside interface and run a packet capture?

Thanks as always for suggestions,

Paul

Parents
  • Having the same issue, very high usage on the Up2Date. This all appears to have started when I updated the UTMs to 9.705-3. Prior to that the usage was low. I receive daily reports from the UTMs and one of them had typical traffic of around 8-10GB a day, after this version was installed it rocketed to around 135-145GB a day!

    I had the FW settings to check Daily and Patterns every 15 minutes. I've since changed that to hourly but need to see what the outcome is.

    Whilst I've noticed no impact on performance and have unlimited data, this clearly isn't ideal...

  • Sorry to hear this. Not sure of the exact timing here vis-a-vis the 9.705-3 update, but that seems about right.

    I had thought it had something to do with a certificate I uploaded to the UTM, but I no longer think so.

    Here, only Manual Pattern Updates relieves the problem, but that's also not great as I have to remember to periodically click update.

  • Here the 9.705 update occurred at 6AM on June 2nd, and the excessive traffic started at 10AM on June 12th, so there's no clear relationship. There was also an update to 9.706 on June 14th, which did not change the issue. Thus there doesn't seem to be a connection (here, at least).

Reply Children
  • Hello, I decided to double check all my reports and it all started [for me] on the 16th June, this was the day I upgraded to 9.706-9, apologies, the first post said 9.705-3 which was the version I upgraded from!

    I do note that on one of my UTM's I only updated to 9.705-7 first, this one had NO additional traffic generated during the same time period, however once I updated to 9.706-9, that too increased in traffic usage. So to me this does seem like a glitch with release...

  • I went back to check my Up2Date as well, and while it hasn't been as obvious as the original poster, I did see that my Up2Date traffic was exponentially increased by month.  From 2.7 GB in a month (may) to over 11GB the next 30 days (June).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I reduced the update rate to hourly instead of every 15 minutes yet the traffic levels did not drop...last nights results:

    UTM1: 151GB (114.5GB U2D)

    UTM3: 135GB (130.1GB U2D)

    I've now set both to manual on the two settings and rebooted them...will monitor.