[9.191][BUG] Logfiles growing 7 Gig in 30 minutes

Hi, running Firmware version: 9.191-2 my log disk space of 7.5 Gig got filled up within 30 minutes....

I imported my config from current UTM 9 version and imported it to beta 9.2.

Fallback.log is about 180 MB and shows mostly
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
2013:12:26-00:44:45 xyz [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found
and so on.
What is PFILTER? No idea where to check my config.

Firewall log is 6.6 Gig. I could not even view or download it...
So I had to delete the file. As you can see on enclosed screenshot, it only took about 30 minutes to fill up the log....
Don't ask me, what I did at that time. I was playing around with user portal and running an update on linux mint 14.

After deleting, firewall log shows normal growth.

SSL-VPN shows some Auth Failed while having established my user portal session.
Using Google OTP Token. Reconnects are quite frequent....

2013:12:26-20:17:16 somewhere34 openvpn[9364]: xx.yy.236.173:57892 SENT CONTROL [REF_AaaUse2]: 'AUTH_FAILED' (status=1)
2013:12:26-20:17:16 somewhere34 openvpn[9364]: xx.yy.236.173:57892 Connection reset, restarting [0]
2013:12:26-20:17:16 somewhere34 openvpn[9364]: xx.yy.236.173:57892 SIGUSR1[soft,connection-reset] received, client-instance restarting
2013:12:26-20:17:26 somewhere34 openvpn[9364]: TCP connection established with [AF_INET]xx.yy.236.173:57893 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:17:27 somewhere34 openvpn[9364]: xx.yy.236.173:57893 TLS: Initial packet from [AF_INET]xx.yy.236.173:57893 (via [AF_INET]88.64.135.99:443), sid=4083ea1d 8e434824
2013:12:26-20:17:28 somewhere34 openvpn[9364]: xx.yy.236.173:57893 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:17:28 somewhere34 openvpn[9364]: xx.yy.236.173:57893 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:17:28 somewhere34 openvpn[9364]: xx.yy.236.173:57893 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:17:28 somewhere34 openvpn[9364]: xx.yy.236.173:57893 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 TLS: Username/Password authentication deferred for username 'REF_AaaUse2' [CN SET]
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2013:12:26-20:17:29 somewhere34 openvpn[9364]: xx.yy.236.173:57893 [REF_AaaUse2] Peer Connection Initiated with [AF_INET]xx.yy.236.173:57893 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:17:31 somewhere34 openvpn[9364]: xx.yy.236.173:57893 PUSH: Received control message: 'PUSH_REQUEST'
2013:12:26-20:17:31 somewhere34 openvpn[9364]: xx.yy.236.173:57893 Delayed exit in 5 seconds
2013:12:26-20:17:31 somewhere34 openvpn[9364]: xx.yy.236.173:57893 SENT CONTROL [REF_AaaUse2]: 'AUTH_FAILED' (status=1)
2013:12:26-20:17:31 somewhere34 openvpn[9364]: xx.yy.236.173:57893 Connection reset, restarting [0]
2013:12:26-20:17:31 somewhere34 openvpn[9364]: xx.yy.236.173:57893 SIGUSR1[soft,connection-reset] received, client-instance restarting
2013:12:26-20:17:41 somewhere34 openvpn[9364]: TCP connection established with [AF_INET]xx.yy.236.173:57894 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:17:42 somewhere34 openvpn[9364]: xx.yy.236.173:57894 TLS: Initial packet from [AF_INET]xx.yy.236.173:57894 (via [AF_INET]88.64.135.99:443), sid=f656096f d58bcce6
2013:12:26-20:17:43 somewhere34 openvpn[9364]: xx.yy.236.173:57894 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:17:43 somewhere34 openvpn[9364]: xx.yy.236.173:57894 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:17:43 somewhere34 openvpn[9364]: xx.yy.236.173:57894 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:17:43 somewhere34 openvpn[9364]: xx.yy.236.173:57894 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 TLS: Username/Password authentication deferred for username 'REF_AaaUse2' [CN SET]
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2013:12:26-20:17:44 somewhere34 openvpn[9364]: xx.yy.236.173:57894 [REF_AaaUse2] Peer Connection Initiated with [AF_INET]xx.yy.236.173:57894 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:17:46 somewhere34 openvpn[9364]: xx.yy.236.173:57894 PUSH: Received control message: 'PUSH_REQUEST'
2013:12:26-20:17:46 somewhere34 openvpn[9364]: xx.yy.236.173:57894 Delayed exit in 5 seconds
2013:12:26-20:17:46 somewhere34 openvpn[9364]: xx.yy.236.173:57894 SENT CONTROL [REF_AaaUse2]: 'AUTH_FAILED' (status=1)
2013:12:26-20:17:46 somewhere34 openvpn[9364]: xx.yy.236.173:57894 Connection reset, restarting [0]
2013:12:26-20:17:46 somewhere34 openvpn[9364]: xx.yy.236.173:57894 SIGUSR1[soft,connection-reset] received, client-instance restarting
2013:12:26-20:17:56 somewhere34 openvpn[9364]: TCP connection established with [AF_INET]xx.yy.236.173:57895 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:17:57 somewhere34 openvpn[9364]: xx.yy.236.173:57895 TLS: Initial packet from [AF_INET]xx.yy.236.173:57895 (via [AF_INET]88.64.135.99:443), sid=e3527067 9e27b69e
2013:12:26-20:17:58 somewhere34 openvpn[9364]: xx.yy.236.173:57895 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:17:58 somewhere34 openvpn[9364]: xx.yy.236.173:57895 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:17:58 somewhere34 openvpn[9364]: xx.yy.236.173:57895 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:17:58 somewhere34 openvpn[9364]: xx.yy.236.173:57895 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 TLS: Username/Password authentication deferred for username 'REF_AaaUse2' [CN SET]
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2013:12:26-20:17:59 somewhere34 openvpn[9364]: xx.yy.236.173:57895 [REF_AaaUse2] Peer Connection Initiated with [AF_INET]xx.yy.236.173:57895 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:18:01 somewhere34 openvpn[9364]: xx.yy.236.173:57895 PUSH: Received control message: 'PUSH_REQUEST'
2013:12:26-20:18:01 somewhere34 openvpn[9364]: xx.yy.236.173:57895 Delayed exit in 5 seconds
2013:12:26-20:18:01 somewhere34 openvpn[9364]: xx.yy.236.173:57895 SENT CONTROL [REF_AaaUse2]: 'AUTH_FAILED' (status=1)
2013:12:26-20:18:01 somewhere34 openvpn[9364]: xx.yy.236.173:57895 Connection reset, restarting [0]
2013:12:26-20:18:01 somewhere34 openvpn[9364]: xx.yy.236.173:57895 SIGUSR1[soft,connection-reset] received, client-instance restarting
2013:12:26-20:18:11 somewhere34 openvpn[9364]: TCP connection established with [AF_INET]xx.yy.236.173:57904 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:18:12 somewhere34 openvpn[9364]: xx.yy.236.173:57904 TLS: Initial packet from [AF_INET]xx.yy.236.173:57904 (via [AF_INET]88.64.135.99:443), sid=421c36c3 59d5bda4
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 VERIFY OK: depth=1, C=de, L=jm, O=jm, CN=jm VPN CA, emailAddress=jm@somedomain.de
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 VERIFY OK: depth=0, C=de, L=jm, O=jm, CN=REF_SslSerJmtwFaken2
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 TLS: Username/Password authentication deferred for username 'REF_AaaUse2' [CN SET]
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 Data Channel Encrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 Data Channel Decrypt: Using 128 bit message hash 'MD5' for HMAC authentication
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2013:12:26-20:18:14 somewhere34 openvpn[9364]: xx.yy.236.173:57904 [REF_AaaUse2] Peer Connection Initiated with [AF_INET]xx.yy.236.173:57904 (via [AF_INET]88.64.135.99:443)
2013:12:26-20:18:17 somewhere34 openvpn[9364]: xx.yy.236.173:57904 PUSH: Received control message: 'PUSH_REQUEST'
2013:12:26-20:18:17 somewhere34 openvpn[9364]: xx.yy.236.173:57904 Delayed exit in 5 seconds
2013:12:26-20:18:17 somewhere34 openvpn[9364]: xx.yy.236.173:57904 SENT CONTROL [REF_AaaUse2]: 'AUTH_FAILED' (status=1)
2013:12:26-20:18:17 somewhere34 openvpn[9364]: xx.yy.236.173:57904 Connection reset, restarting [0]
2013:12:26-20:18:17 somewhere34 openvpn[9364]: xx.yy.236.173:57904 SIGUSR1[soft,connection-reset] received, client-instance restarting

0 scorpionking over 11 years ago
Has anyone managed to get a workaround for this?
It happens almost every night in the last days filling my log partition (~15GB) up to 100%.

The packetfilter.log is then using several GB diskspace. Emptying this log file turns my UTM back to normal operation with log partition filled ~15%.

I have the same packet filter log lines like juergen852 mentioned, but with "74.125.104.48" as source IP (seems to belong to Google). The destination is a Android Phone in my local network.
----------
Sophos user, admin and reseller.
Private Setup:

XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)

UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

Thanks for reporting. We are now tracking this as Mantis ID #30281
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

The Mantis ID #30281 is now under investigation.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 scorpionking over 11 years ago

Just had the luck to watch this live:

The packetfilter.log is growing over 10.000 lines per second!
Filtered for 192.168.xx.yy:

2014:01:26-12:45:01 vpn ulogd[19295]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth0" outitf="eth1" srcmac="aa:bb:cc[:D]d:ee:ff" dstmac="90:e2:ba:15:ac:58" srcip="192.168.xx.yy" dstip="54.195.243.60" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="38822" dstport="5223" tcpflags="SYN" 

2014:01:26-13:12:00 vpn ulogd[19295]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth0" outitf="eth1" srcmac="aa:bb:cc[:D]d:ee:ff" dstmac="90:e2:ba:15:ac:58" srcip="192.168.xx.yy" dstip="54.195.243.60" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="50346" dstport="5223" tcpflags="SYN" 

2014:01:26-13:24:36 vpn ulogd[19295]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1330" app="816" srcmac="90:e2:ba:15:ac:58" srcip="74.125.104.48" dstip="192.168.xx.yy" proto="6" length="541" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="55383" tcpflags="ACK PSH" 

2014:01:26-13:24:36 vpn ulogd[19295]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" mark="0x1330" app="816" srcmac="90:e2:ba:15:ac:58" srcip="74.125.104.48" dstip="192.168.xx.yy" proto="6" length="2948" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="55383" tcpflags="ACK"

The last line then repeats over 10.000 times per second (logfile grew 1GB in ~10 minutes).

The httpd.log (filtered for 192.168.xx.yy):

2014:01:26-12:44:50 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="2a00:1450:4001:c02::8a" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xbffc028" url="clients3.google.com/generate_204" exceptions="cache" error="" authtime="0" dnstime="480" cattime="56783" avscantime="0" fullreqtime="114327" device="0" auth="0" application="google" category="178" reputation="trusted" categoryname="Internet Services"

2014:01:26-12:44:51 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="2a00:1450:4001:c02::8a" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xbffc028" url="clients3.google.com/generate_204" exceptions="cache" error="" authtime="0" dnstime="0" cattime="189" avscantime="0" fullreqtime="29540" device="0" auth="0" category="178" reputation="trusted" categoryname="Internet Services"

2014:01:26-12:44:51 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="2a00:1450:4001:c02::8a" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xbffc028" url="clients3.google.com/generate_204" exceptions="cache" error="" authtime="0" dnstime="0" cattime="165" avscantime="0" fullreqtime="28463" device="0" auth="0" category="178" reputation="trusted" categoryname="Internet Services"

2014:01:26-12:44:59 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="173.194.70.101" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x16280870" url="173.194.70.101/generate_204" exceptions="" error="" authtime="0" dnstime="64" cattime="56729" avscantime="0" fullreqtime="112497" device="0" auth="0" application="http" category="178" reputation="unverified" categoryname="Internet Services"

2014:01:26-13:03:51 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.xx.yy" dstip="173.194.113.49" user="" statuscode="200" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4979" request="0x17af68a0" url="173.194.113.49" exceptions="" error="" authtime="0" dnstime="2" cattime="55990" avscantime="0" fullreqtime="240351052" device="0" auth="0" application="" category="9998" reputation="unverified" categoryname="Uncategorized"

2014:01:26-13:10:51 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.xx.yy" dstip="31.13.64.81" user="" statuscode="200" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6729" request="0x23186660" url="31.13.64.81" exceptions="" error="" authtime="0" dnstime="2" cattime="56792" avscantime="0" fullreqtime="3864489" device="0" auth="0" application="" category="178" reputation="neutral" categoryname="Internet Services"

2014:01:26-13:10:52 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.xx.yy" dstip="31.13.64.81" user="" statuscode="200" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="10505" request="0x905a018" url="31.13.64.81" exceptions="" error="" authtime="0" dnstime="1" cattime="183" avscantime="0" fullreqtime="2782822" device="0" auth="0" application="" category="178" reputation="neutral" categoryname="Internet Services"

2014:01:26-13:11:37 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.xx.yy" dstip="184.173.179.38" user="" statuscode="200" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4148" request="0x177b5da8" url="184.173.179.38" exceptions="" error="" authtime="0" dnstime="2" cattime="55974" avscantime="0" fullreqtime="1591562625" device="0" auth="0" application="" category="178" reputation="neutral" categoryname="Internet Services"

2014:01:26-13:11:43 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.xx.yy" dstip="173.252.79.23" user="" statuscode="200" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6946" request="0x905a230" url="173.252.79.23" exceptions="" error="" authtime="0" dnstime="2" cattime="56563" avscantime="0" fullreqtime="1612626385" device="0" auth="0" application="" category="178" reputation="neutral" categoryname="Internet Services"

2014:01:26-13:12:04 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="2a00:1450:4001:c02::64" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x17af7748" url="clients3.google.com/generate_204" exceptions="cache" error="" authtime="0" dnstime="487" cattime="56382" avscantime="0" fullreqtime="113794" device="0" auth="0" application="google" category="178" reputation="trusted" categoryname="Internet Services"

2014:01:26-13:12:04 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="173.194.70.139" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x1676c680" url="173.194.70.139/generate_204" exceptions="" error="" authtime="0" dnstime="62" cattime="60549" avscantime="0" fullreqtime="118178" device="0" auth="0" application="http" category="178" reputation="unverified" categoryname="Internet Services"

2014:01:26-13:12:04 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="2a00:1450:4001:c02::64" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x17af7748" url="clients3.google.com/generate_204" exceptions="cache" error="" authtime="0" dnstime="0" cattime="229" avscantime="0" fullreqtime="27951" device="0" auth="0" category="178" reputation="trusted" categoryname="Internet Services"

2014:01:26-13:12:04 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="2a00:1450:4001:c02::64" user="" statuscode="204" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x17af7748" url="clients3.google.com/generate_204" exceptions="cache" error="" authtime="0" dnstime="0" cattime="241" avscantime="0" fullreqtime="28529" device="0" auth="0" category="178" reputation="trusted" categoryname="Internet Services"

2014:01:26-13:22:22 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="173.194.70.101" user="" statuscode="302" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="562" request="0x16630f20" url="android.clients.google.com/.../Download

2014:01:26-13:24:18 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.xx.yy" dstip="173.194.70.101" user="" statuscode="302" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="562" request="0x23186230" url="android.clients.google.com/.../Download

2014:01:26-13:26:22 vpn httpproxy[5340]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.xx.yy" dstip="173.194.70.138" user="" statuscode="200" cached="0" profile="REF_HttProInternaltr (Internal_Transparent)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="70141" request="0x16799da0" url="173.194.70.138" exceptions="" error="" authtime="0" dnstime="2" cattime="56141" avscantime="0" fullreqtime="241109283" device="0" auth="0" application="" category="178" reputation="neutral" categoryname="Internet Services"

The fallback.log is full of (about 400 lines per second):

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

2014:01:26-13:24:36 vpn [daemon:info] pfilter-reporter.pl:  INFO - found match: violation found

The IPS log doesn't show anything around this time.

192.168.xx.yy is a Android phone in my internal network (android 4.2).

Had to restart the UTM to stop this. A restart of httpproxy didn't help...

----------
Sophos user, admin and reseller.
Private Setup:

XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)

0 Astaro Beta Bot over 11 years ago

We are planning to release a fix for this issue in Version 9.200.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

The Mantis ID #30281 is now being worked on.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

The Mantis ID #30281 is now fixed. We are planning to release a fix for this issue in Version 9.195.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Astaro Beta Bot over 11 years ago

The Mantis ID #30281 is now closed.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel