Too many connections

sbergami
Posts: 28
Joined: 21 Dec 2016 17:08

Too many connections

Post by sbergami » 11 Aug 2017 09:37

Hello,
We bought a new firewall and I noticed from the logs that it seems that EFA (10.0.0.4) sends thousands of requests every second around the world (as can be seen from the attachment below).
[Attachment: efa_firewall.jpg]
Does anyone know the reason for all these requests? Are they correct, or is there something to change in the firewall or EFA configuration?
Thank you
kind regards

TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: Too many connections

Post by TheGr8Wonder » 11 Aug 2017 13:37

What ports are being blocked? There are components such as DCC that use a distributed server network to perform checks against spam. It could also be the DNS lookup for blacklist checks. All depends on the ports.

sbergami
Posts: 28
Joined: 21 Dec 2016 17:08

Re: Too many connections

Post by sbergami » 11 Aug 2017 16:55

Thank you for your reply.
From LAN to WAN no ports are blocked, so I think it is an answer that is blocked, but I don't know on which port...

I will try to set a monitor on these public IP addresses.

pdwalker
Posts: 1179
Joined: 18 Mar 2015 09:16

Re: Too many connections

Post by pdwalker » 15 Aug 2017 08:22

Yeah, until you know what is actually being blocked, it's kind of hard to determine what you should be looking for.

How many emails per day does your system get anyway? Do you have someone with a computer on the network that is sending junk?

Not enough information to diagnose your problem at the moment.

sbergami
Posts: 28
Joined: 21 Dec 2016 17:08

Re: Too many connections

Post by sbergami » 11 Sep 2017 12:42

Thank you for your reply and sorry for my (long) delay.
All our PCs have a commercial antivirus, so I don't think this is a spam problem. Furthermore, EFA antispam should relay every outgoing email to a remote SMTP server, so I do not even have an idea of what all those IPs contacted around the world are.

TheGr8Wonder
Posts: 97
Joined: 01 Jul 2017 02:32

Re: Too many connections

Post by TheGr8Wonder » 13 Sep 2017 20:14

Did you install EFA via an appliance or a custom build? What are the firewall rules from WAN -> EFA ?

pdwalker
Posts: 1179
Joined: 18 Mar 2015 09:16

Re: Too many connections

Post by pdwalker » 15 Sep 2017 08:38

Your problem is a hard one to debug without having access to your efa server.

If your efa server is making a lot of network requests, then you'll need to log into your efa server and find out what is making all the network requests.

Programs like ps, netstat, lsof, atop, htop, nethogs, ntop, iftop, top, etc. can help you find out what is running on your machine and what is making the network connections. Some of these programs are not in the base install, so you'll have to install them yourself.

Also, can you find out exactly what your firewall is blocking: e.g. "connection to X port Y is blocked". That will also give a big clue.

How much mail is your system sending/receiving per day?

Another thought, those blocked ip requests - they look like ips that belong to infrastructure type servers. Does your EFA box have the caching name server installed? Maybe it's making too many outward dns requests?

Look in your system log files for any interesting errors. In particular, pay attention to /var/log/messages and /var/log/maillog. You may find a clue in there.

ovizii
Posts: 459
Joined: 11 May 2016 08:08

Re: Too many connections

Post by ovizii » 18 Sep 2017 09:16

Looking at this thread, I don't think anything is being blocked. Seems just like a warning about too many outgoing connections. I'm sure the firewall also has some sort of reporting so you can check what kind of connections it is talking about.

As people have mentioned, it might simply be DNS queries.

pdwalker
Posts: 1179
Joined: 18 Mar 2015 09:16

Re: Too many connections

Post by pdwalker » 18 Sep 2017 09:47

no, the log files do say "ACCESS BLO..." which I assume means "access blocked"

if it is blocking the dns queries, then the spam scoring is going to be a little lower without the DNSRBL information.

sbergami
Posts: 28
Joined: 21 Dec 2016 17:08

Re: Too many connections

Post by sbergami » 20 Sep 2017 09:02

Hello,
thanks to everyone for the answers. I probably found the solution.
Our firewall by default constantly monitors the number of connections that each host enables, and if this number reaches a threshold limit these connections are blocked. I've seen in the status monitor (not in the log pages) that all blocked requests are DNS_UDP. I've customized the maximum number of EFA server connections as 0 (unlimited) on the firewall session limit configuration page and of course the alert does not appear anymore.
I checked the number of active sessions and traffic generated by the server and it is equal to the traffic generated even before replacing the firewall.
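
Added example, not part of any post in this thread and not EFA project code: one way to confirm from the mail gateway itself which service accounts for the sessions a per-host limiter counts, by tallying distinct outbound flows per protocol and destination port. It assumes text captured with `tcpdump -nn -q -t host 10.0.0.4` (tcpdump is not named in the thread); the function names, the sample peers and the limit value are hypothetical.

```shell
#!/bin/sh
# Tally distinct outbound flows per protocol/destination port from
# `tcpdump -nn -q -t` text (IPv4 only), roughly as a per-host session
# limiter on a firewall would count them.

HOST="10.0.0.4"   # EFA address given in the thread

# Constructed sample capture (documentation-range peers), not real traffic.
sample_capture() {
cat <<'EOF'
IP 10.0.0.4.41001 > 192.0.2.53.53: UDP, length 40
IP 10.0.0.4.41002 > 198.51.100.9.53: UDP, length 44
IP 10.0.0.4.41002 > 198.51.100.9.53: UDP, length 44
IP 192.0.2.53.53 > 10.0.0.4.41001: UDP, length 72
IP 10.0.0.4.41003 > 203.0.113.20.53: UDP, length 38
IP 10.0.0.4.52000 > 203.0.113.25.25: tcp 0
IP 10.0.0.4.52000 > 203.0.113.25.25: tcp 120
IP 10.0.0.4.41004 > 192.0.2.77.6277: UDP, length 60
EOF
}

# Reads tcpdump text on stdin; prints "<flows> <proto>/<dport>", busiest first.
# A flow is a unique (source addr.port, destination addr.port, protocol).
flows_by_service() {
    awk -v host="$1" '
    $1 == "IP" && $3 == ">" {
        src = $2; dst = $4; sub(/:$/, "", dst)
        # Count only packets sent by the host, so replies are not counted twice.
        if (index(src, host ".") != 1) next
        n = split(dst, d, "."); dport = d[n]
        proto = tolower($5); sub(/,$/, "", proto)
        # Retransmits and follow-up packets of a known flow are ignored.
        if (!seen[src, dst, proto]++) count[proto "/" dport]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# Prints the services whose flow count exceeds max (max is a hypothetical
# value; use the session limit configured on your own firewall).
over_limit() {
    flows_by_service "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

sample_capture | flows_by_service "$HOST"
```

On a live system, pipe a time-boxed capture into `flows_by_service` instead of `sample_capture`; a short window matters because the count only approximates the firewall's session table, which also ages entries out.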
