IPS randomly stopping working without an alert?

**Sam Graf** · 02-20-2020, 05:15 PM

Well, this has been a bit of a disappointment.

I'll guess I'll commit the Untangle mortal sin and try a reboot. If IPS is still borked, I'll make use of paid support.

**Sam Graf** · 02-23-2020, 08:38 PM

I've been working with IPS on my home machine so I can be as clear and accurate as possible when I start a ticket against the business machine.

One of the puzzling aspects of trying to decide when IPS is working and when it isn't is a discrepancy in the logged events reporting.

Over time the app metrics are no where near the same as the total reported events.

Attachment 9884

Attachment 9885

And if the metrics don't literally mean logged events but all events, the numbers still don't align.

Attachment 9886

**Sam Graf** · 02-24-2020, 07:00 AM

So from when I last posted until now, the metrics make it seem as if IPS has been active.

Attachment 9888

Very nearly double the reported sessions logged. Yet the Intrusion Prevention / All Events report for today is blank.

Attachment 9889

Now to confirm that the business server is still exhibiting similar behavior and if so, start a support ticket.

**ntguru** · 02-24-2020, 08:29 AM

Please post back what you hear. Unfortunately, testing/validating the status of IPS isn't the easiest thing.

On a potentially related note, yesterday my U25 stopped passing traffic and wouldn't respond even to pings. I checked it out and the appliance was off. My household was all watching 4K Netflix streaming when it happened (not that I have any evidence that this caused it). I'm going to post separately.

**Sam Graf** · 02-24-2020, 01:13 PM

Absolutely, will do.

**ntguru** · 03-10-2020, 04:59 AM

So an update: something is definitely weird with the IPS module. I have made zero configuration changes recently to UTGW but it has suddenly gone from scanning after network rules to scanning before.

It happened on 03/05/2020. At 10:32AM E, it detected and blocked a known bad IP and the log lists the INTERNAL/NAT-forwarded IP and the single destination port I have open inbound. This is normal, and there are usually a handful per day. At 11:32A E, it detected and blocked a known bad IP and the log lists one of several static EXTERNAL IPs and a port other than one open. And from there, piles and piles of that type, which is not surprising given the huge range of possibilities. I verified IPS is still set to after other network processing.

**Sam Graf** · 03-10-2020, 05:45 AM

A quick update from me, then. I have a ticket on a server and support has been super but the server has, so far, refused to act up (I did a clean install of the app so I had a memory usage baseline). Support is leaving the ticket in a hold status and I'm checking the server daily. Until it acts up in an unambiguous way, we wait.

**ntguru** · 03-10-2020, 05:53 AM

A bit more update: disabling and enabling the IPS app did not fix the behavior. Rebooting the appliance did.

**ntguru** · 03-10-2020, 06:41 AM

Originally Posted by Sam Graf

A quick update from me, then. I have a ticket on a server and support has been super but the server has, so far, refused to act up (I did a clean install of the app so I had a memory usage baseline). Support is leaving the ticket in a hold status and I'm checking the server daily. Until it acts up in an unambiguous way, we wait.

Thanks.

**sky-knight** · 03-10-2020, 09:15 AM

A little relevant entertainment... for the waiting.

Thread: IPS randomly stopping working without an alert?

LinkBack

Thread Tools

Posting Permissions