Unifi IPS/IDS Issue affecting connectivity -USG Disconnects

Posted on
Fri Oct 26, 2018 11:13 am
makedrinklas offline
Posts: 124
Joined: Oct 12, 2004

Unifi IPS/IDS Issue affecting connectivity -USG Disconnects

As you may know, Ubiquiti has included a new IPS/IDS intrusion detection system (in beta) in recent updates of the controller software for Unifi equipment. I can connect remotely to Indigo just once with that system turned on but then Indigo ultimately loses the connection. So I guess it’s working! IPS (intrusion prevention) won’t allow me to connect remotely through the reflector at all. “IDS” (just detection) allows me to get through some of the time.

However, the security gateway itself flips out and disconnects from the Unifi controller. At least it’s starting to appear Indigo’s reflector may be involved. Just a strong hunch at this point based on casual testing. I’ve attempted to inform Ubiquiti.

Here is some info on their Intrusion Prevention System. It may be possible at some point to identify “safe” intrusions like Indigo. (And also Security Spy for that matter - connections to that show up as a trojan attack alert in the logs.) Indigo does not show up as an alert, which could ultimately be a bad thing if the same techniques are used maliciously.

UniFi - USG: Configuring Intrusion Prevention/Detection System (IPS/IDS) – Ubiquiti Networks Support and Help Center
https://help.ubnt.com/hc/en-us/articles ... m-IPS-IDS-

Posted on
Fri Oct 26, 2018 1:09 pm
kw123 offline
Posts: 8366
Joined: May 12, 2013
Location: Dallas, TX

Re: Unifi IPS/IDS Issue affecting connectivity -USG Disconne

One thing to keep in mind: you lose a lot of throughput as the hardware accelerator is switched off in this mode.
USG4 still delivers 250Mbit, but the USG3 is down to 80 in that mode.

Posted on
Fri Oct 26, 2018 1:09 pm
siclark offline
Posts: 1961
Joined: Jun 13, 2017
Location: UK

Re: Unifi IPS/IDS Issue affecting connectivity -USG Disconne

Interestingly, I turned on IDS yesterday; I wanted to test before going to IPS.

I've just turned WiFi off on my phone and connected and disconnected multiple times, admittedly from same external IP address on my phone using Indigo reflector and all ok. Do you get blocked doing this?

I use VPN to get into security spy so don't envisage any issues there.





Posted on
Fri Oct 26, 2018 1:43 pm
makedrinklas offline
Posts: 124
Joined: Oct 12, 2004

Re: Unifi IPS/IDS Issue affecting connectivity -USG Disconne

Well, I am able to get in initially with IDS, no VPN. At some point it stops working for me though and I get a “reflector is down” message in the phone app. Not near the controller but I’m certain I’m running the latest version and all device firmware is up to date. Possibly you’re on older Unifi software? Maybe the VPN masks the IDS detection? Although I mentioned that no alerts appear in the controller when connecting to Indigo. Unlike Security Spy which throws up a trojan alert. Tested IPS a few weeks ago with a previous version of the controller software (on a cloudkey) and I wasn’t able to connect remotely. Turning it on/off immediately impacted connectivity to Indigo.

The most concerning thing for me is I’ve had two USGs disconnect around the same time as I’m testing or simply using Indigo from my phone. Eventually I lose internet. One has been bricked! It’s been baffling and expensive to troubleshoot this! So no IDS/IPS for me until I hear otherwise. As soon as I turned it off and rebooted, the USG reconnected to the controller and everything has been normal since. This is mostly Ubiquiti’s issue as the feature is in beta. Will be posting there as well so hopefully someday the two can coexist.

Yep, I’m aware of the performance hit with the USG 3P but I have nowhere near 85MB through my internet provider. Although, I wonder if that affects basic LAN traffic as well. Given the current state of internet security, IPS and similar intrusion detection analysis services are likely to play an important role on even home network devices.

Posting this in the event others may be having app connection issues with Unifi.

Posted on
Fri Oct 26, 2018 3:02 pm
siclark offline
Posts: 1961
Joined: Jun 13, 2017
Location: UK

Unifi IPS/IDS Issue affecting connectivity -USG Disconnects

To confirm, I don't use VPN to connect remotely to Indigo but still not getting IDS issues.
I am running 4.4.29.5124210 on the USG and 5.9.29 on the controller.
Maybe it's the specific settings? I believe I have the default settings turned on, not all switches are on.




Posted on
Fri Oct 26, 2018 3:50 pm
makedrinklas offline
Posts: 124
Joined: Oct 12, 2004

Re: Unifi IPS/IDS Issue affecting connectivity -USG Disconne

Whoops, yeah, I now see you VPN for SecSpy. Default settings for me as well, just turning on IDS seems to be the starting point.

I have no idea, it’s just been a long difficult ride including a complete site rebuild, 2 controllers and 2 USGs to get things back to normal. IDS seems to be the culprit, and although it coincides with connecting to Indigo – and seemed to manifest on the USGs when I first started using IDS, I honestly can’t say for 100% sure. Turning it off makes it better, that’s something I 100% do know. :roll:

Posted on
Fri Oct 26, 2018 4:38 pm
siclark offline
Posts: 1961
Joined: Jun 13, 2017
Location: UK

Re: Unifi IPS/IDS Issue affecting connectivity -USG Disconne

Not sure if it's better or worse that it's not definitely Indigo related and replicable.
I had lots of issues recently with nonstop errors on my WiFi APs and getting 200+ error emails a day from my controller. All stopped now though.
What I can say from that is that UniFi staff were on the forum and offering help, beta firmware builds and even remote connection to systems to check and identify errors. Worth raising to them directly.


