IPSEC site-to-site performance spoiled by IPS (UDP Flood), exception not working

Hi folks!

We have a site-to-site VPN via IPSec between an SG210 (600/40MBit) and an SG105 (70/25MBit) (both 9.705-3).

If I enable IPS UDP Flood Protection, (SMB) traffic through the tunnel drops to about 270 kB/s; if it is disabled, it's a good 3.5 / 2 MB/s, depending on direction.
I created an exception for the local networks and the IPsec services, but that does not change anything.

The log does not show anything about UDP flood events. Any idea how to keep performance while having enabled the UDP flood protection?

  • Hi,

    Thank you for reaching out to the Community! 

    If all of the source and destination networks are trusted, remove the service IPsec, add any and see if that helps. 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • Hi,

    Thanks for the suggestion.

    Sadly no change:

  • Hi,

    Could you please change the condition from "And" to "Or" and see if that helps? 

    Did you check logs on UTM to see if there are any packet drops? 

    Thanks,

    Harsh Patel (H_Patel)

  • Hallo and welcome to the UTM Community!

    I would delete your Exception and start over.  What do you then see in the Intrusion Prevention log on both sides related to the IPs involved in the copying?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi,

    I tried, but the UTM does not allow the combination of "or" with "any service". Additionally, I would not like to use "or" for a whole network, since I think it would disable IPS for any source.

    The Firewall log does not show anything about IPS and/or UDP. Even the statistics show zero hits:

    Stay healthy!

    Frank

  • Hi Bob, thanks for the welcome.

    Sadly the logs do not show anything I could relate, as shown in the statistic I posted in reply to H_Patel.

    I changed the setting to "Log everything", but still nothing about IPS.

    I deleted the exception. Any suggestion how such an exception should look?

    Thanks,

    Frank

  • Hallo Frank,

    "Limited" logging doesn't prevent logging issues, it just limits the number of times the issue is logged.  If you're seeing Anti UDP Flooding lines, show us several of them.

    If you see nothing related in the IPS log, then we would have to guess which IPS Exception might help.  Best guess would be a 'UDP Flood Protection' Exception for traffic "Coming from" the public IPs of the two UTMs and "Going to" those two IPs.  I've not seen a UDP flooding issue like this where the endpoints of the VPN are the UTMs - only ones where one of the VPN endpoints was behind a UTM.

    Cheers - Bob

  • Ok, riddle solved.
    First part: I opened the log while on the "Anti-DOS/Flooding" tab. But that leads to the usual firewall live log (same for the Anti-Portscan tab). Therefore I thought there was no special IPS log. Any other tab opens the IPS log, which pinpointed the external IP addresses (one is NATed).

    Second part: I built a rule with the external IP addresses, and the exception works fine.

    Thank you!
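A small model of the matching problem described in this thread, added here as an illustration and not code from Sophos UTM or a description of its documented internals: it assumes the anti-UDP-flood check evaluates packets on the WAN side, before ESP decryption, so an exception can only ever match the outer (public) addresses. The IP addresses, packet counts and threshold are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    outer_src: str   # public address of the sending UTM (what the WAN side sees)
    outer_dst: str   # public address of the receiving UTM
    inner_src: str   # LAN host inside the tunnel, visible only after ESP decryption
    inner_dst: str


def exception_matches(exc, pkt):
    # Assumption: the detector only has the outer header, so "coming from" and
    # "going to" are compared against the public addresses, never the LAN hosts.
    return (ip_address(pkt.outer_src) in ip_network(exc["from"]) and
            ip_address(pkt.outer_dst) in ip_network(exc["to"]))


def run_flood_detector(packets, exceptions, threshold):
    """Per-source UDP packet counter: once one outer source exceeds `threshold`
    packets, further packets are dropped unless an exception covers them.
    Returns the number of dropped packets."""
    seen = {}
    dropped = 0
    for pkt in packets:
        seen[pkt.outer_src] = seen.get(pkt.outer_src, 0) + 1
        over = seen[pkt.outer_src] > threshold
        if over and not any(exception_matches(e, pkt) for e in exceptions):
            dropped += 1
    return dropped


# Constructed sample: an SMB copy from a 192.168.1.0/24 host to 192.168.2.0/24
# hosts, carried as NAT-T UDP between two documentation-range public IPs.
SMB_BURST = [Packet("203.0.113.10", "198.51.100.20",
                    "192.168.1.5", f"192.168.2.{10 + i % 3}") for i in range(20)]

LAN_EXCEPTION = {"from": "192.168.1.0/24", "to": "192.168.2.0/24"}       # first attempt
PUBLIC_EXCEPTION = {"from": "203.0.113.10/32", "to": "198.51.100.20/32"}  # the fix


def dropped_with_lan_exception():
    # Inner networks never appear in the outer header, so nothing matches.
    return run_flood_detector(SMB_BURST, [LAN_EXCEPTION], threshold=5)


def dropped_with_public_exception():
    # Exception on the tunnel endpoints' public IPs covers every NAT-T packet.
    return run_flood_detector(SMB_BURST, [PUBLIC_EXCEPTION], threshold=5)
```

With the LAN-based exception the model drops 15 of 20 packets, exactly as if no exception existed; with the public-IP exception it drops none.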