Problem with Microsoft System Center Essentials 2010

Hi there

We are using a Sophos UTM 220 and have had problems with the WAN traffic always showing max for 2 weeks. I have isolated the problematic server and it's the server which only has Microsoft System Center Essentials 2010 installed for delivering updates to our clients. It seems to have to do with the problems the Adobe updates have without the enabled default exception. We have the default exception for Microsoft updates enabled though...

Somehow there is still an update looping endlessly between the WAN interface and the Akamai servers. There is no internal traffic logged!

The System Center Essentials server is working properly though. It is downloading new updates and delivering them successfully. I tried to disable the Windows services for "System Center Essentials" and "Windows Update" but to no avail. Only when I shut down the server does the WAN traffic reduce to normal after like 5 minutes...

Anyone got an idea? [:)]

  • I did some further testing and the only thing caught in the webfilter protocol when the WAN traffic starts to max out and never comes back is these 2 lines:

    2014:03:07-13:43:27 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.48" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xca59c70" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:46:19 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.48" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="179580" request="0xca59c70" url="wsus.ds.download.windowsupdate.com/.../octet-stream"

    but that seems to be a normal update.

    I looked in the flow monitor to find the Akamai server with the heaviest load and filtered the live protocol for this server:

    2014:03:07-13:48:34 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x922ad80" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:48:46 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="67160" request="0x922ad80" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:48:55 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcac9088" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:04 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="70404" request="0xd415838" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:22 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="40920" request="0xccfb968" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:22 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdbb9208" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:32 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="49640" request="0xdbb9208" url="wsus.ds.download.windowsupdate.com/.../octet-stream"

    But as said, we have updates getting in successfully. I really don't know where the problem lies here... with some updates it downloads them like 1000 times before it succeeds though...
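The post above reads the UTM httpproxy log by eye. As an added example (not from the thread or from Sophos), the script below parses that key="value" line format and flags a client that keeps re-fetching the same URL within a short window, regardless of which CDN node served it; the sample input is the eight lines quoted in the post (srcip is the poster's placeholder and the URL path is elided there), and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the post above (srcip is the poster's placeholder, the URL path is elided there).
SAMPLE_LOG = """\
2014:03:07-13:43:27 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.48" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xca59c70" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
2014:03:07-13:46:19 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.48" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="179580" request="0xca59c70" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
2014:03:07-13:48:34 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x922ad80" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
2014:03:07-13:48:46 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="67160" request="0x922ad80" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
2014:03:07-13:48:55 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcac9088" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
2014:03:07-13:49:04 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="70404" request="0xd415838" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
2014:03:07-13:49:22 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="40920" request="0xccfb968" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
2014:03:07-13:49:32 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="49640" request="0xdbb9208" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
"""

HEADER_RE = re.compile(r"^(\S+) (\S+) (\w+)\[(\d+)\]: (.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # values such as profile="... (Default Proxy)" contain spaces

def parse_line(line):
    """Parse one UTM httpproxy line into a dict; None for lines that do not match the format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, pid, rest = m.groups()
    rec = dict(KV_RE.findall(rest))
    rec.update(time=datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"), host=host, process=proc, pid=int(pid))
    return rec

def find_repeated_downloads(log_text, min_gets=5, window_s=600):
    """Report (srcip, url) pairs fetched with GET at least min_gets times within window_s seconds,
    i.e. a client that keeps re-downloading the same object no matter which CDN node served it."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec.get("method") == "GET" and rec.get("action") == "pass":
            groups[(rec["srcip"], rec["url"])].append(rec)
    findings = []
    for (srcip, url), recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        # any run of min_gets consecutive requests inside the window is enough to flag the pair
        if any((recs[i + min_gets - 1]["time"] - recs[i]["time"]).total_seconds() <= window_s
               for i in range(len(recs) - min_gets + 1)):
            findings.append({
                "srcip": srcip, "url": url, "gets": len(recs),
                "bytes": sum(int(r["size"]) for r in recs),
                "empty_gets": sum(1 for r in recs if r["size"] == "0"),  # GET with size 0: aborted transfer
                "span_s": (recs[-1]["time"] - recs[0]["time"]).total_seconds(),
            })
    return findings
```

On the quoted lines this groups both Akamai nodes under one (srcip, url) pair: six GETs in just over three minutes, one of them returning 0 bytes, which is the kind of repeat the poster describes but cannot see per node in the flow monitor.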