We have a site-to-site VPN via IPSec between an SG210 (600/40MBit) and an SG105 (70/25MBit) (both 9.705-3).
If I enable IPS UDP Flood Protection (SMB-)traffic through the tunnel drops to about 270 kB/s, if disable it's about good 3,5 / 2 MB/s, depending on direction.I created an exception for the local networks and services IPSec, but that does not change anything.
The log does not show anything about UDP flood events. Any idea how to keep performance while having enabled the UDP flood protection?
"Limited" logging doesn't prevent logging issues, it just limits the number of times the issue is logged. If you're seeing Anti UDP Flooding lines, show us several of them.…
Thank you for reaching out to the Community!
If all of the source and destination networks are trusted, remove the service IPsec, add any and see if that helps.
Community Support Engineer | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' button.
thanks for suggesting.
Sadly no change:
Could you please change the condition from "And" to "Or" and see if that helps?
Did you check logs on UTM to see if there are any packet drops?
Hallo and welcome to the UTM Community!
I would delete your Exception and start over. What do you then see in the Intrusion Prevention log on both sides related to the IPs involved in the copying?
Cheers - Bob
I tried, but the UTM does not allow the combination of "or" with "any service". Additionally I would not like to use "or" for a whole network, since I think it would disable IPS for any source.
The Firewall log does not show anything about IPS and/or UDP. Even the statistics show zero hits:
Hi Bob, thanks for the welcome.
Sadly the logs do not show anything I could relate, as shown in the statistic I posted in reply to H_Patel.
I changed the setting to "Log everything", but still nothing about IPS.
I deleted the exception. Any suggestion how such exception should look like?
"Limited" logging doesn't prevent logging issues, it just limits the number of times the issue is logged. If you're seeing Anti UDP Flooding lines, show us several of them.
If you see nothing related in the IPS log, then we would have to guess which IPS Exception might help. Best guess would be a 'UDP Flood Protection' Exception for traffic "Coming from" the public IPs of the two UTMs and "Going to" those two IPs. I've not seen a UDP flooding issue like this where the endpoints of the VPN are the UTMs - only ones where one of the VPN endpoints was behind a UTM.
Ok, riddle solved.First part: I opened the log while on the "Anti-DOS/Flooding"-Tab. But that leads to the usual firewall live-log (same for the Anti-Portscan TAB). Therefore I thought there was no special IPS log. Any other Tab opens the IPS log which pinpointed to the external IP adresses (one is nated).
Second part: I build a rule with the external IP-adresses and the exception works fine.