It certainly is majority UDP traffic, and having read through the thread you linked it would make a lot of sense. It would also go some way to explaining why I wouldn't necessarily see the issue on an unused pair of 3100s.

Unfortunately the messages files don't go back to the last time we saw the issue so can't see any of those messages at present. I will have to think about the best way to test this on Monday. I will provide an update as soon as I have one!

Since the syslog has rolled off on your gateway I assume you aren't using some kind of third-party log aggregation like Splunk for long-term syslog storage.  You may want to redirect firewall syslog messages into the main traffic logs stored on the SMS to avoid this situation in the future:

sk102995: How to export syslog messages from Gaia Security Gateway to a Log Server and view them in ...

Also might be interesting to revisit the last time period you had the problem (if it was less than 30 days ago) by firing up cpview in history mode with -t (timestamp).  There is a SecureXL menu on the Advanced screen; not sure if it would have anything that is related to your problem showing there but it might be worth a look during the problematic period.  

Would also be interesting to go through all the other cpview screens just before the problem started, then advance into the time period where the problem was known to be occurring and see if any dramatic differences jump out at you.

Yes we do actually ship the syslog off elsewhere, however it seems it hasn't been working since we upgraded. I still need to look into that. Having looked through older syslog though I cannot see any message containing simi_reorder from any of our gateways where we've had this issue...

Although we don't have an exact timestamp, we have a 1.5 hr window on Monday 8th July during which the issue occured. Having scrolled through cpview for this time  the figures are as follows from before and after the window, I don't know if those numbers are significant?

A couple of hours after this time the "Reorder" value jumped up to 1,025, then to 2,050 a few hours after that, then 3,075 and so on. Is this related to the reordering you mentioned?

The values today are as follows:

I replied to this already but can't see it anywhere... So here it is again.

I've now fixed the syslog issue we've had since the upgrade so the messages are once again being shipped off and stored. cpview shows the following from just before the issue window, just after, and currently:

The "Reorder" value there was zero throughout the window but in the hours following it began incrementing by 1,025 every few hours... Is this related to the reordering in the article you linked?

Your post was in the moderation queue--it got approved.
We do moderate posts for newer members as a default.
This shouldn't happen for you going forward.

The "Reorder" counter getting incremented might be significant, tough to say.  I think you'll have to wait until the next problem period then check syslog...

Yes, you'd have thought so. But I wonder if there's a difference between using zoom on the desktops and zoom on the video conferencing units we use? I.e. desktop stuff is predominantly via HTTPS/443 but VCs use UDP? In fact our firewall logs would certainly suggest that to the be the case having just checked

I have the same issue after upgrade from R80.20 to R80.30. But in my case All VPN based on UDP. Trying to solve:

• IPS Exception - Not solve;
• Update to Take 111 not solve;
• Disable SecureXL - SOLVED

Any "fix" for it?

Kind regards,

Same here. Did you find any solution without disabling SecureXL?? BR!

Please open a TAC case @iso667 @Jung_Patrick.

As noted previously, you should open a TAC case here so we can troubleshoot.
If you have SRs around this issue, please PM them to me.