Uploads Kill Internet Connectivity

Currently on 9.315-2 using software appliance.  It's a Core2Quad 8400 with 8GB of RAM.  Device is configured in bridge mode between main network switch and Cisco router. 

So here is the weirdness.  It would appear that IPS is causing some sort of bandwidth issue with Internet.  Essentially, if upload bandwidth goes beyond a certain point, Internet connectivity grinds to nothing.  I have a continuous ping going to 4.2.2.1 and running a speed test to speedof.me.  When I do so, once the upload speed starts or before it's finished, Internet connectivity goes down and the continuous ping starts giving me "request timed out".  After a while, the pings come back but the speed test will either fail or give me a lowball measure.

Keep in mind that even browsing to a webpage, in which you have to upload your browser's request to the webpage in question, kills the Internet as well.

Now, with IPS disabled, everything works fine and the speed test runs successfully.  The pings continue, though, while the test is running, the response time is higher, in the ~180ms range instead of the ~30 second range.  I already disabled Web Protection in my testing to see if that was causing this and it only stopped once IPS is disabled.  

The live log doesn't show anything.  Mainly because I have a bypass for this website in the IPS (though, I assume, the bypass doesn't mean the traffic isn't still going through the IPS module, just that, it isn't looking at the traffic).  Issue started after upgrade to 9.315-2. 

Any ideas?


  • Search here for comments by William on IPS/Snort and CPU speed.

    There's not enough detail about the upload to be able to suggest a QoS rule.

    Cheers - Bob
  • Clarification.  I was also torrenting; however, it was running at about 400KB/sec down and 125KB/sec up (capped via uTorrent).

    To replicate, you can use the website speedof.me while running a ping to 4.2.2.1.  While the upload portion of the test is running, try going to a website like Google (low bandwidth and graphics) and the speed test just dies.  The torrents also die completely.  It takes about ~10-20 seconds for the torrents to begin throttling back up and the speed test to either resume or, before resuming, it times out.  Web browsing is also affected until it passes.  I have a Comcast connection and generally get 6Mbps upload speeds.  Again, although torrenting, I have the upload capped at 125KB/sec and, when this occurs, it brings that down as well.  Also, concurrent connections did not go beyond 2185 during this time.

    FYI, torrents and speedof.me are configured in IPS section, all checkboxes ticked.
  • Check the Intrusion Prevention log for Anti-DoS/Flooding activity.  If there's nothing there, do look for William's discussions on how having too many CPUs can cause a problem with Snort.

    Cheers - Bob
  • I'm experiencing the exact same problem. Quad-core Celeron appliance, 8GB. And an FTP at full upload bandwidth (which is only about 1.4mb in my case) kills my PPPoE (MLPPP) connection. Has anyone made any headway with this?
  • If you fill the upload bandwidth with a connection, a new outbound request will time out unless a QoS rule gives it a chance. Still, do consider my comments on 11 Aug 2015.

    Cheers - Bob
  • Perhaps I should have clarified "Kills Internet connectivity", and I have further information. I'm using PPPoE (MLPPP actually). And when UL is saturated, Sophos's OWN LCP send and ack times out. In other words, it doesn't even provide itself enough bandwidth to keep the DSL alive. So when it doesn't receive an LCP ack back (after 5 attempts) it DROPs the internet MLPPP connection. My only cure so far?  Create a QoS rule that Sophos (all traffic) can only use UL BW minus 10kps.

    This is obviously a bug, and/or poor design.