Excessive Up2Date Traffic

Recently (2-3 days) I've noticed regular periodic spikes of Up2Date traffic. Checking the flow monitor, I see a 5-6MB/s spike tagged  Sophos UTM Upd2Date every 25 seconds. The total (in Top Clients by Application) was 142GB just yesterday.

There's nothing unusual in the Up2Date log. Checks every 15 minutes with the occasional new pattern successfully installed. Nothing in the IPS log either except regular DNS Amplification Attacks every few minutes, but those have been happening for months.

I can't really see any way to debug this from within the firewall. Do I have to put a monitor on the outside interface and run a packet capture?

Thanks as always for suggestions,

Paul

Top Replies

Parents
  • Hi anybody!

    After 8 hours of testing with the ssse3 enabled cpu, the update only need 0,7 GB traffic in this 8 hours.
    For me the traffic-problem is solved!

    regards Peter

  • Yes, I just got an email from Sophos support confirming this to be our issue. Makes sense as our UTM is running on an old 2002 HP Server box. It spent 10 years as a server, and nearly another 10 as a firewall.

    support.sophos.com/.../KB-000042345

    Guess we'll have to move it to something newer...

    Thank you everyone for your contributions,

    Paul

  • Can confirm this appears to be the issue.

    Having the UTM run on a HP Proliant Microserver with an N54L CPU that doesn't support SSSE3 extensions is the problem...although it would have been nice to have a workaround other than turning updates to manual. 

    I also checked on a PC with a newer CPU and yes, the issue is not seen...

Reply
  • Can confirm this appears to be the issue.

    Having the UTM run on a HP Proliant Microserver with an N54L CPU that doesn't support SSSE3 extensions is the problem...although it would have been nice to have a workaround other than turning updates to manual. 

    I also checked on a PC with a newer CPU and yes, the issue is not seen...

Children
No Data