Cache Server Traffic

With regards to the Cache Server, the one that I had... is now gone. I had to do this to make sure it was indeed the Server that was creating a large amount of traffic.

It appears it was the cause as my traffic is back to normal. (my normal)

Scenario: It seems that each Endpoint, when it attempts to contact the Cache Server, broadcasts to 192.168.2.0 specifically. (IP for example only)

This is worse when it's across a VPN.

Anyone have any ideas why it's going to the Root Subnet IP??

  • Hello Howiedog,

    the Server that was creating a large amount of traffic
    you mean its presence was causing traffic from the endpoints, not that the traffic originated from the server?

    broadcasts to 192.168.2.0
    what kind of broadcasts?
    The Caches Frequently Asked Questions article states in the firewall section that the cache role uses TCP port 8191, and TCP is unicast. So I'm not sure what traffic you've actually observed.

    Christian

  • Ok... sorry, my bad. I may have jumped to thinking it was the Cache Server, but nope.

    These are coming from each client. I know this because there is no Cache Server anymore. So that takes that out of the picture as I deleted it.

    As we can see, each client tries to hit the "Network" IP.

    The "Policy" in use here is to ALLOW the various addresses required for Sophos Updates, of which there are six.

    *.sophos.com

    *.sophosupd.com

    *.sophosupd.net

    *.sophosxl.net

    crl.globalsign.com

    ocsp2.globalsign.com


    Why is this??

  • Hello Howiedog,

    now I don't know the meaning of some of these columns, some are obvious. Guess they're from the 3rd: src-ip dest-ip protocol src-port dest-port but the following are mostly obscure. Indeed if this is a /24 network dest-ip is the all-zeros network address.
    Anyway, neither Endpoint nor MCS use predefined or cached addresses, only names which are resolved at the time of the request OR the proxy if one is defined (theoretically a proxy configuration script could set or DNS could return the network address as proxy address and the router would then take care of the traffic). Do the endpoints update?

    Christian 
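The point Christian makes above is that on a /24 the destination 192.168.2.0 is the all-zeros network address, which no host should normally be sending unicast TCP to. The following script is an added example, not code from the thread or from Sophos: it parses firewall log lines in the column order Christian guessed (src-ip dest-ip protocol src-port dest-port), and flags TCP flows to port 8191 (the cache port named in the Caches FAQ) whose destination is the network address of its /24. The log lines are constructed for the example, and the column layout and /24 prefix length are assumptions.

```python
import ipaddress

# Constructed sample log lines (not from the thread), in the assumed column
# order: src-ip dest-ip protocol src-port dest-port
SAMPLE_LOG = """\
192.168.2.45 192.168.2.0 tcp 51234 8191
192.168.2.77 192.168.2.0 tcp 51988 8191
10.0.5.12 192.168.2.0 tcp 49800 8191
192.168.2.45 93.184.216.34 tcp 51240 443
192.168.2.45 192.168.2.10 tcp 51300 8191
"""

# TCP port used by the Sophos cache role according to the Caches FAQ
CACHE_PORT = 8191


def parse_line(line):
    """Split one log line into a record; column layout is an assumption."""
    src, dst, proto, sport, dport = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "sport": int(sport),
        "dport": int(dport),
    }


def is_network_address(addr, prefixlen=24):
    """True if addr is the all-zeros network address of its /prefixlen block."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return addr == net.network_address


def find_suspect_flows(log_text, prefixlen=24, port=CACHE_PORT):
    """Return records for TCP flows to `port` whose destination is a network address."""
    suspects = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"] == "tcp"
                and rec["dport"] == port
                and is_network_address(rec["dst"], prefixlen)):
            suspects.append(rec)
    return suspects


def count_by_source(suspects):
    """Count suspect flows per source host, to see which endpoints are affected."""
    counts = {}
    for rec in suspects:
        key = str(rec["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspect_flows(SAMPLE_LOG)
    for src, n in sorted(count_by_source(hits).items()):
        print(f"{src}: {n} flow(s) to a network address on TCP/{CACHE_PORT}")
```

If the affected endpoints all resolve the cache or proxy name to the network address, the next thing to check is what the proxy configuration script or DNS returns for that name, as Christian suggests.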
