Excessive Up2Date Traffic

Recently (2-3 days) I've noticed regular periodic spikes of Up2Date traffic. Checking the flow monitor, I see a 5-6MB/s spike tagged Sophos UTM Upd2Date every 25 seconds. The total (in Top Clients by Application) was 142GB just yesterday.

There's nothing unusual in the Up2Date log. Checks every 15 minutes with the occasional new pattern successfully installed. Nothing in the IPS log either except regular DNS Amplification Attacks every few minutes, but those have been happening for months.

I can't really see any way to debug this from within the firewall. Do I have to put a monitor on the outside interface and run a packet capture?

Thanks as always for suggestions,

Paul

  • What happens if you follow Sophos UTM: Resolve WebAdmin CA cert not trusted by Chrome - does that give you the security you want in SMTP with the WebAdmin cert?

    You may have the latest Pattern your system needs. What do you see with the following command?

         grep 'action="download"' /var/log/up2date.log | more

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Having the same issue, very high usage on the Up2Date. This all appears to have started when I updated the UTMs to 9.705-3. Prior to that the usage was low. I receive daily reports from the UTMs and one of them had typical traffic of around 8-10GB a day, after this version was installed it rocketed to around 135-145GB a day!

    I had the FW settings to check Daily and Patterns every 15 minutes. I've since changed that to hourly but need to see what the outcome is.

    Whilst I've noticed no impact on performance and have unlimited data, this clearly isn't ideal...

  • Sorry to hear this. Not sure of the exact timing here vis-a-vis the 9.705-3 update, but that seems about right.

    I had thought it had something to do with a certificate I uploaded to the UTM, but I no longer think so.

    Here, only Manual Pattern Updates relieves the problem, but that's also not great as I have to remember to periodically click update.

  • The cert issue is a red herring, or at least not straightforward. Manual updates now work correctly regardless of which cert is selected for SMTP TLS. Perhaps this is due to a reboot last night. The big traffic spikes still occur whenever the pattern update is set to automatic.

    In the meantime, I have no problem keeping the patterns up to date using manual updating -- it's just laborious, as they seem to come out with new ones every hour or so.

  • Here the 9.705 update occurred at 6AM on June 2nd, and the excessive traffic started at 10AM on June 12th, so there's no clear relationship. There was also an update to 9.706 on June 14th, which did not change the issue. Thus there doesn't seem to be a connection (here, at least).

  • Hello, I decided to double check all my reports, and it all started [for me] on the 16th June, the day I upgraded to 9.706-9. Apologies, the first post said 9.705-3, which was the version I upgraded from!

    I do note that on one of my UTMs I only updated to 9.705-7 first; this one had NO additional traffic generated during the same time period. However, once I updated to 9.706-9, that too increased in traffic usage. So to me this does seem like a glitch with the release...

  • I went back to check my Up2Date as well, and while it hasn't been as obvious as the original poster, I did see that my Up2Date traffic was exponentially increased by month. From 2.7 GB in a month (May) to over 11GB the next 30 days (June).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • I reduced the update rate to hourly instead of every 15 minutes, yet the traffic levels did not drop... last night's results:

    UTM1: 151GB (114.5GB U2D)

    UTM3: 135GB (130.1GB U2D)

    I've now set both to manual on the two settings and rebooted them...will monitor.

  • I am having the same issue. It started immediately after updating to 9.706-9. It downloads over 150GB of updates per day and makes my internet unusable. Setting pattern updates to manual stops this, but that is not a valid solution. Interestingly, when set to manual update and the patterns are up to date, it still gives you the option to download and install the same version.

    This makes me think the automatic update is just downloading the same patterns over and over again.

    The added bonus is that since the update to 9.706-9 not a single email has been detected as spam.

    This has to be the most fubar release Sophos has ever let loose, and I have been using UTM since the early days of Astaro.

    Simon
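    Bob's `grep 'action="download"' /var/log/up2date.log` above and Simon's suspicion that the same patterns are being fetched over and over suggest a quick way to check from the UTM shell. The script below is an added example, not from this thread or from Sophos: it counts download records per package/version and per hour so a repeat-download loop shows up as one version with a high count. The log line layout it parses (a `YYYY:MM:DD-HH:MM:SS` stamp followed by `key="value"` pairs including `package=` and `version=`) is an assumption, and the sample lines are constructed; compare one real line from your own up2date.log and adjust the `sed`/`awk` patterns if the field names differ.

```shell
#!/bin/sh
# Added example, not Sophos code. Summarise up2date.log download records to spot
# the same pattern version being downloaded repeatedly.
# ASSUMED line layout: "<YYYY:MM:DD-HH:MM:SS> host prog[pid]: key="value" ..."
# with at least action="download", package="..." and version="..." fields.

# Constructed sample log (stands in for /var/log/up2date.log while testing).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2023:06:16-10:00:05 utm audld[4821]: sys="system" sub="up2date" name="Authentication successful" status="success" action="authenticate"
2023:06:16-10:00:12 utm audld[4821]: sys="system" sub="up2date" name="Downloading package" status="success" action="download" package="ips" version="19.4.12"
2023:06:16-10:00:40 utm audld[4821]: sys="system" sub="up2date" name="Installing package" status="success" action="install" package="ips" version="19.4.12"
2023:06:16-10:15:11 utm audld[5107]: sys="system" sub="up2date" name="Downloading package" status="success" action="download" package="ips" version="19.4.12"
2023:06:16-10:30:09 utm audld[5390]: sys="system" sub="up2date" name="Downloading package" status="success" action="download" package="ips" version="19.4.12"
2023:06:16-10:45:14 utm audld[5688]: sys="system" sub="up2date" name="Downloading package" status="success" action="download" package="avira" version="8.3.1"
EOF

# Print "package version count" for every package/version pair downloaded more
# than once. A healthy box should print nothing here; a repeat loop prints the
# looping version with a large count.
repeat_downloads() {
  grep 'action="download"' "$1" \
    | sed -n 's/.*package="\([^"]*\)".*version="\([^"]*\)".*/\1 \2/p' \
    | sort | uniq -c \
    | awk '$1 > 1 { print $2, $3, $1 }'
}

# Print "YYYY:MM:DD-HH count": number of download records per hour. With
# patterns checked every 15 minutes, more than a handful per hour is suspicious.
downloads_per_hour() {
  grep 'action="download"' "$1" \
    | awk '{ split($1, t, "-"); h = t[1] "-" substr(t[2], 1, 2); c[h]++ }
           END { for (k in c) print k, c[k] }' \
    | sort
}

# Run against the sample; swap in /var/log/up2date.log on a real UTM.
echo "Repeated downloads (package version count):"
repeat_downloads "$SAMPLE_LOG"
echo "Downloads per hour:"
downloads_per_hour "$SAMPLE_LOG"
```

    On a live UTM, run the two functions against `/var/log/up2date.log` (and the rotated copies under `/var/log/up2date/` if you keep them). Comparing the per-hour counts against the configured pattern check interval tells you whether the 15-minute checks themselves are the problem or whether each check is pulling the same version again; the latter is the pattern Simon describes.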

  • UTM Up2Date 9.707 Released. The notes don't address this issue, but I wonder if a new Up2Date would tickle this issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA