IPS randomly stopping working without an alert?

**Sam Graf** · 02-20-2020, 05:15 PM

Well, this has been a bit of a disappointment.

I'll guess I'll commit the Untangle mortal sin and try a reboot. If IPS is still borked, I'll make use of paid support.

**Sam Graf** · 02-23-2020, 08:38 PM

I've been working with IPS on my home machine so I can be as clear and accurate as possible when I start a ticket against the business machine.

One of the puzzling aspects of trying to decide when IPS is working and when it isn't is a discrepancy in the logged events reporting.

Over time the app metrics are no where near the same as the total reported events.

Screenshot_2020-02-23 Graf Home Network - gateway.png

Screenshot_2020-02-23 Graf Home Network - gateway(1).png

And if the metrics don't literally mean logged events but all events, the numbers still don't align.

Screenshot_2020-02-23 Graf Home Network - gateway(2).png

**Sam Graf** · 02-24-2020, 07:00 AM

So from when I last posted until now, the metrics make it seem as if IPS has been active.

Screenshot_2020-02-24 Graf Home Network - gateway.png

Very nearly double the reported sessions logged. Yet the Intrusion Prevention / All Events report for today is blank.

Screenshot_2020-02-24 Graf Home Network - gateway(1).png

Now to confirm that the business server is still exhibiting similar behavior and if so, start a support ticket.

**ntguru** · 02-24-2020, 08:29 AM

Please post back what you hear. Unfortunately, testing/validating the status of IPS isn't the easiest thing.

On a potentially related note, yesterday my U25 stopped passing traffic and wouldn't respond even to pings. I checked it out and the appliance was off. My household was all watching 4K Netflix streaming when it happened (not that I have any evidence that this caused it). I'm going to post separately.

**Sam Graf** · 02-24-2020, 01:13 PM

Absolutely, will do.

**ntguru** · 03-10-2020, 04:59 AM

So an update: something is definitely weird with the IPS module. I have made zero configuration changes recently to UTGW but it has suddenly gone from scanning after network rules to scanning before.

It happened on 03/05/2020. At 10:32AM E, it detected and blocked a known bad IP and the log lists the INTERNAL/NAT-forwarded IP and the single destination port I have open inbound. This is normal, and there are usually a handful per day. At 11:32A E, it detected and blocked a known bad IP and the log lists one of several static EXTERNAL IPs and a port other than one open. And from there, piles and piles of that type, which is not surprising given the huge range of possibilities. I verified IPS is still set to after other network processing.

**Sam Graf** · 03-10-2020, 05:45 AM

A quick update from me, then. I have a ticket on a server and support has been super but the server has, so far, refused to act up (I did a clean install of the app so I had a memory usage baseline). Support is leaving the ticket in a hold status and I'm checking the server daily. Until it acts up in an unambiguous way, we wait.

**ntguru** · 03-10-2020, 05:53 AM

A bit more update: disabling and enabling the IPS app did not fix the behavior. Rebooting the appliance did.

**ntguru** · 03-10-2020, 06:41 AM

Originally Posted by Sam Graf

A quick update from me, then. I have a ticket on a server and support has been super but the server has, so far, refused to act up (I did a clean install of the app so I had a memory usage baseline). Support is leaving the ticket in a hold status and I'm checking the server daily. Until it acts up in an unambiguous way, we wait.

Thanks.

**sky-knight** · 03-10-2020, 09:15 AM

A little relevant entertainment... for the waiting.

Thread: IPS randomly stopping working without an alert?

LinkBack

Thread Tools

Posting Permissions