I'm a home user and my WAN link on my UTM goes down then back up exactly every 10 minutes. If I connect my computer directly to my modem I have no problems. I don't see any patterns jumping out at me in my Firewall log in those 10 minute intervals but in my system log I do see something.
System Messages Log:
2014:08:20-00:00:01 SophosUTM syslog-ng[4610]: Configuration reload request received, reloading configuration;
2014:08:20-00:01:26 SophosUTM dhclient: DHCPREQUEST on eth1 to 192.168.200.1 port 67
2014:08:20-00:01:34 SophosUTM dhclient: DHCPREQUEST on eth1 to 192.168.200.1 port 67
2014:08:20-00:01:48 SophosUTM dhclient: DHCPREQUEST on eth1 to 192.168.200.1 port 67
2014:08:20-00:02:01 SophosUTM /usr/sbin/cron[30521]: (root) CMD ( nice -n19 /usr/local/bin/gen_inline_reporting_data.plx)
2014:08:20-00:02:07 SophosUTM dhclient: DHCPREQUEST on eth1 to 192.168.200.1 port 67
This repeats 13 times
2014:08:20-00:05:01 SophosUTM /usr/sbin/cron[30797]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2014:08:20-00:05:01 SophosUTM /usr/sbin/cron[30798]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_feedback_uploader)
2014:08:20-00:05:16 SophosUTM dhclient: DHCPREQUEST on eth1 to 192.168.200.1 port 67
This repeats 9 times
2014:08:20-00:07:01 SophosUTM /usr/sbin/cron[31001]: (httpproxy) CMD (/var/chroot-http/usr/bin/virus_sample_uploader -p /var/chroot-http)
2014:08:20-00:07:09 SophosUTM ntpd[18724]: Deleting interface #303 eth1, 72.235.13.139#123, interface stats: received=0, sent=36, dropped=0, active_time=601 secs
2014:08:20-00:07:09 SophosUTM ntpd[18724]: 64.132.226.3 interface 72.235.13.139 -> (none)
2014:08:20-00:07:09 SophosUTM ntpd[18724]: 204.2.134.162 interface 72.235.13.139 -> (none)
2014:08:20-00:07:09 SophosUTM ntpd[18724]: 155.101.3.113 interface 72.235.13.139 -> (none)
2014:08:20-00:07:09 SophosUTM ntpd[18724]: peers refreshed
2014:08:20-00:07:18 SophosUTM dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 5
2014:08:20-00:07:18 SophosUTM dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
2014:08:20-00:07:18 SophosUTM dhclient: DHCPOFFER from 192.168.200.1
2014:08:20-00:07:18 SophosUTM dhclient: DHCPACK from 192.168.200.1
2014:08:20-00:07:18 SophosUTM dhclient: bound to 72.235.13.139 -- renewal in 256 seconds.
2014:08:20-00:07:19 SophosUTM ntpd[18724]: Listen normally on 304 eth1 72.235.13.139 UDP 123
2014:08:20-00:07:19 SophosUTM ntpd[18724]: peers refreshed
2014:08:20-00:07:19 SophosUTM ntpd[18724]: new interface(s) found: waking up resolver
2014:08:20-00:10:01 SophosUTM /usr/sbin/cron[31447]: (root) CMD ( /usr/local/bin/reporter/system-reporter.pl)
2014:08:20-00:10:01 SophosUTM /usr/sbin/cron[31448]: (root) CMD (/var/mdw/scripts/pmx-blocklist-update)
2014:08:20-00:07:09 SophosUTM ntpd[18724]: Deleting interface #303 eth1, 72.235.13.139#123, interface stats: received=0, sent=36, dropped=0, active_time=601 secs
601 seconds ~ 10 minutes. If I refresh the interface page when I see this come up in the log, I see that my WAN link goes down for a second or two and then back up.
I googled for people having similar issues and this is the closest thing I could come up with:
https://forums.att.com/t5/Device-Setup/AT-amp-T-Modem-Router-Apple-Airport-Extreme/td-p/3607835#.Uw1oVfldUoA
I don't have ATT but my ISP appears to have the same brand modem. The first suggested answer from BeeBeeSA is exactly what I'm doing on my modem so that my UTM is directly connected to the Internet. Step 8 says
8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address. At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.
I'm not sure what they mean by make sure the firewall allows DHCP renewal packets in.
There aren't any corresponding firewall events at that time.
Firewall Log:
2014:08:20-00:04:36 SophosUTM ulogd[29827]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="94:c1:50:7[:D]2:89" dstmac="0:10:18:8f:cd:b2" srcip="192.168.200.1" dstip="224.0.0.1" proto="2" length="36" tos="0x00" prec="0xc0" ttl="1"
2014:08:20-00:06:41 SophosUTM ulogd[29827]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="94:c1:50:7[:D]2:89" dstmac="0:10:18:8f:cd:b2" srcip="192.168.200.1" dstip="224.0.0.1" proto="2" length="36" tos="0x00" prec="0xc0" ttl="1"
2014:08:20-00:08:46 SophosUTM ulogd[29827]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="94:c1:50:7[:D]2:89" dstmac="0:10:18:8f:cd:b2" srcip="192.168.200.1" dstip="224.0.0.1" proto="2" length="36" tos="0x00" prec="0xc0" ttl="1"
2014:08:20-00:09:15 SophosUTM ulogd[29827]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x307c" app="124" srcmac="94:c1:50:7[:D]2:89" dstmac="0:10:18:8f:cd:b2" srcip="178.143.191.81" dstip="72.235.13.139" proto="17" length="70" tos="0x08" prec="0x20" ttl="50" srcport="53" dstport="40289"
2014:08:20-00:10:51 SophosUTM ulogd[29827]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="94:c1:50:7[:D]2:89" dstmac="0:10:18:8f:cd:b2" srcip="192.168.200.1" dstip="224.0.0.1" proto="2" length="36" tos="0x00" prec="0xc0" ttl="1"
For what it's worth, my WAN NIC is a Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet.
Thank you for any help!
This thread was automatically locked due to age.
