Excessive Up2Date Traffic

Recently (2-3 days) I've noticed regular periodic spikes of Up2Date traffic. Checking the flow monitor, I see a 5-6MB/s spike tagged Sophos UTM Upd2Date every 25 seconds. The total (in Top Clients by Application) was 142GB just yesterday.

There's nothing unusual in the Up2Date log. Checks every 15 minutes with the occasional new pattern successfully installed. Nothing in the IPS log either except regular DNS Amplification Attacks every few minutes, but those have been happening for months.

I can't really see any way to debug this from within the firewall. Do I have to put a monitor on the outside interface and run a packet capture?

Thanks as always for suggestions,

Paul

  • Downloaded and installed 9.707 and turned pattern up2date back on.

    Clearly not fixed. As soon as I turn it off again the downloads stop. This is ridiculous. It is downloading new patterns every 30 seconds!
    After 20+ years using Astaro/UTM I am now looking at alternatives for a number of reasons.

  • Hi anybody!


    I have the same problem since the update from 9.705-3 to 9.706-8.

    The traffic to Sophos is increasing and the spam filter isn't working well.

    Normally I have about 40 GB of data in a week, and now I have about 450 to 940 GB in one week!!!

    A few days ago I updated to 9.707-5, but there is no change.
    If I change the updates (pattern and firmware) to manual, there is only the normal traffic.

    Is there another solution?



    regards Peter

  • I think the problem is not the Up2Date process itself; there is no problem to see in the log.
    But I see a problem in the SMTP log:

    2021:07:08-02:26:29 mail exim-in[16946]: 2021-07-08 02:26:29 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: xxxx.xxxx profile excludes greylisting: Skipping greylisting for this message
    2021:07:08-02:26:29 mail exim-in[16946]: 2021-07-08 02:26:29 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: xxxx.xxxx profile excludes SANDBOX scan
    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: spamd: failed to connect to any address for 127.0.0.1: Connection refused
    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: all spamd servers failed
    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 H=mail2.tchibo.de [194.115.167.42]:3202 Warning: ACL "warn" statement skipped: condition test deferred
    2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 <= prvs=8161b01c6=service@eduscho.at H=mail2.tchibo.de [194.115.167.42]:3202 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=24119

    Do you also see this problem on your Sophos?
    regards Peter

  • Clearly several of us have the same problem, but nothing coming down the pipeline seems to resolve it. It's now been three weeks and I've just checked again -- by switching back to Auto Pattern Updates -- and the issue is still the same.

    I see nothing unusual in our SMTP logs (or any other logs, for that matter), but we run only inbound SMTP traffic through the UTM.

    As mentioned above, our traffic spikes are also coming from Akamai servers, but that's hardly unusual. I imagine that's how Sophos distributes their pattern updates.

    Paul

  • I don't even use SMTP (not even turned on), and the Up2Date patterns over the past two months have been much bigger than in previous months for me. I am not seeing what some of you are (10-100GB a day), but it is noticeable.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Has anyone got a solution from Sophos for the update traffic problem?

    regards Peter

  • I have found this community entry:

    Please take a look at this KB article.

    Email Catchrate issue on UTM 9.706 (sophos.com)

    The issue seems to be limited to devices running on old hardware or on KVM/QEMU environments that are configured to suppress advanced processor features.

    I have changed my virtual CPU to have SSSE3; maybe this is the solution.

    regards Peter

  • Hi anybody!

    After 8 hours of testing with the SSSE3-enabled CPU, the updates only needed 0.7 GB of traffic in those 8 hours.
    For me the traffic problem is solved!

    regards Peter

  • Yes, I just got an email from Sophos support confirming this to be our issue. Makes sense as our UTM is running on an old 2002 HP Server box. It spent 10 years as a server, and nearly another 10 as a firewall.

    support.sophos.com/.../KB-000042345

    Guess we'll have to move it to something newer...

    Thank you everyone for your contributions,

    Paul
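The two checks this thread ends up pointing at, written out as an added example (not code from any post here, from Sophos, or from the KB article): counting and bucketing by hour the exim lines in which the spam ACL could not reach spamd, as in the log Peter pasted, and confirming that the CPU (or virtual CPU) actually exposes the ssse3 flag. The sample log and cpuinfo contents are constructed for the example; the /var/log/smtp.log path is an assumption, and on a real box you would point the functions at that log and at /proc/cpuinfo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos.
# Two checks an admin could run on the UTM shell while chasing this problem:
#   1. count (and bucket by hour) the exim lines where the spam ACL could not
#      reach any spamd server, which is what Peter's log shows;
#   2. confirm the CPU flags line exposes ssse3, the feature the KB article
#      says old hardware and feature-suppressing KVM/QEMU guests lack.
# Inputs below are constructed samples; real use: /var/log/smtp.log (assumed
# path) and /proc/cpuinfo.

# Number of lines where exim's spam ACL could not reach any spamd server.
count_spamd_failures() {   # usage: count_spamd_failures <logfile>
    grep -c 'spam acl condition: spamd: failed to connect' "$1"
}

# The same failures bucketed by hour using the UTM timestamp prefix
# (YYYY:MM:DD-HH, the first 13 characters), so a periodic pattern stands out.
spamd_failures_by_hour() {  # usage: spamd_failures_by_hour <logfile>
    grep 'spam acl condition: spamd: failed to connect' "$1" \
        | cut -c1-13 | sort | uniq -c
}

# Exit 0 if the named CPU flag (e.g. ssse3) is present as a whole token on the
# first "flags" line; whole-token matching keeps "sse3"/"pni" from matching.
has_cpu_flag() {            # usage: has_cpu_flag <flag> [cpuinfo-file]
    grep '^flags' "${2:-/proc/cpuinfo}" | head -n 1 \
        | tr ' ' '\n' | grep -qx "$1"
}

# ---- constructed sample inputs (not real captures) ----
SAMPLE_LOG=$(mktemp); CPU_WITH=$(mktemp); CPU_WITHOUT=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$CPU_WITH" "$CPU_WITHOUT"' EXIT

# Two hours of activity: two spamd failures at 02:xx, one more at 03:xx,
# plus unrelated lines that must not be counted. Hosts/IDs are placeholders.
cat >"$SAMPLE_LOG" <<'EOF'
2021:07:08-02:26:29 mail exim-in[16946]: 2021-07-08 02:26:29 H=mail.example.invalid [192.0.2.10]:3202 Warning: profile excludes greylisting: Skipping greylisting for this message
2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: spamd: failed to connect to any address for 127.0.0.1: Connection refused
2021:07:08-02:26:50 mail exim-in[16946]: 2021-07-08 02:26:50 1m1Hs5-0004PK-32 spam acl condition: all spamd servers failed
2021:07:08-02:41:07 mail exim-in[16980]: 2021-07-08 02:41:07 1m1I5x-0004Pq-0A spam acl condition: spamd: failed to connect to any address for 127.0.0.1: Connection refused
2021:07:08-03:01:12 mail exim-in[17002]: 2021-07-08 03:01:12 1m1IQn-0004Qb-1x spam acl condition: spamd: failed to connect to any address for 127.0.0.1: Connection refused
2021:07:08-03:01:12 mail exim-in[17002]: 2021-07-08 03:01:12 1m1IQn-0004Qb-1x <= sender@example.invalid H=mail.example.invalid [192.0.2.10]:3202 P=esmtps S=1024
EOF

# Minimal /proc/cpuinfo look-alikes: one with ssse3, one with only sse2/pni.
printf 'processor\t: 0\nflags\t\t: fpu vme de pse sse sse2 pni ssse3 sse4_1\n' >"$CPU_WITH"
printf 'processor\t: 0\nflags\t\t: fpu vme de pse sse sse2 pni\n' >"$CPU_WITHOUT"

# ---- run the checks on the samples ----
echo "spamd connection failures: $(count_spamd_failures "$SAMPLE_LOG")"
echo "by hour (count  YYYY:MM:DD-HH):"
spamd_failures_by_hour "$SAMPLE_LOG"
if has_cpu_flag ssse3 "$CPU_WITH";     then echo "sample cpu 1: ssse3 present"; fi
if ! has_cpu_flag ssse3 "$CPU_WITHOUT"; then echo "sample cpu 2: ssse3 missing"; fi
```

On a live UTM, run `has_cpu_flag ssse3 && echo ok` first; if it fails on a VM, the fix is in the hypervisor's CPU model (for example, passing the host CPU through rather than a generic model), not on the UTM.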
