Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 6 replies
  • Subscribers 0 subscribers
  • Views 1733 views
  • Users 0 members are here
Options
Suggested

[8.281][BUG][FIXED] L2TP over IPsec seen as UDP flood

BAlfson
The log is full of these beginning with the installation of 8.270.  It's not now even though I'm connected. 
2011:11:19-13:36:46 post ulogd[5037]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="0:14:f1:e5:A:B" dstmac="0:8:2:a4:X:Y" srcip="{Home IP}" dstip="{Astaro IP}" proto="17" length="80" tos="0x00" prec="0x00" ttl="123" srcport="1701" dstport="1701"


Cheers - Bob
  • 0 
    Astaro Beta Report
    --------------------------------
    Version: 8.281
    Type: BUG
    State: RESOLVED/FIXED
    Reporter: BAlfson
    Contributor: 
    MantisID: 19703
    Target version: 8.309
    Fixed in version: 
    --------------------------------

  • 0
    The log is full of these beginning with the installation of 8.270.  It's not now even though I'm connected. 
    2011:11:19-13:36:46 post ulogd[5037]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="0:14:f1:e5:A:B" dstmac="0:8:2:a4:X:Y" srcip="{Home IP}" dstip="{Astaro IP}" proto="17" length="80" tos="0x00" prec="0x00" ttl="123" srcport="1701" dstport="1701"



    I am a bit confused. Are you sure this didn't happen in previous releases?
    AFAIK there have been no changes to flood protection.
  • 0
    Unfortunately, I used the same drive for V8.270 as I had for 8.202 - the first version of V8 that I ran locally.  I do still have a V7.511 drive from last month that I can look at, but this behavior is new.

    I wonder if there wasn't a pattern update that caused this temporarily?  In any case, Remote Access is blocked again, and I'm headed to to office in a few minutes to see if it's this problem or the other one I've reported.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    This occured again later on the 19th for two minutes.  My inability to connect Sunday and this morning was related to the snort restart which I've documented in another thread.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    I tested a L2TP over IPsec with PSK on an Android 2.2 to an asg with version 8.285. The connection was stable (tested for 25 minutes) and there weren't drops from the flood protection.

    Regards,
    Marco
  • 0
    Marco, do you see any UDP Flood entries in your Intrusion Prevention System logs over the last few days?  I leave my laptop connected at home even when I'm at the office.  That lets me RDP to it and print stuff on my home printer.  I notice the lines in the log at random times every day.  Usually just a minute or two.  It isn't anything that causes noticible disruption.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML