topic Re: Uploading a big file gets interrupted only when connected via Remote Access in Firewall and Security Management

Uploading a big file gets interrupted only when connected via Remote Access

kamilazat — Thu, 26 Sep 2024 06:42:29 GMT

Hi everyone.

I wasn't sure whether to post this on Remote Access or Threat Prevention, so I'm posting on Security Gateways.

When a remote computer tries to upload a big file (400MB+) to an internal resource without RA VPN, the upload goes perfectly fine. But only when connected via VPN the upload goes until 7-10% and then it gets interrupted.

The traffic goes through a single gateway (no cluster) with version R81.20 JHF T41, and with enabled blades fw vpn cvpn urlf av appi ips identityServer SSL_INSPECT anti_bot.

We already tried looking at logs on SmartConsole and zdebug drop, but neither of them gave us anything. Also checked if Aggressive Aging was at play, but the CPU usage never gets higher than 30%, and everything is set to default 80%.

Currently we're waiting for a maintenance window for testing while turning TP off by fw amw unload command.

Where else can I look if that doesn't help? And why wouldn't I see any logs?

Any ideas would be appreciated.

Cheers!

Re: Uploading a big file gets interrupted only when connected via Remote Access

G_W_Albrecht — Thu, 26 Sep 2024 07:58:15 GMT

I would debug the vpn tunnel during the upload if excluding this traffic from TP (AV IPS) does not help.

Re: Uploading a big file gets interrupted only when connected via Remote Access

Chris_Atkinson — Thu, 26 Sep 2024 12:23:48 GMT

While diagnosis is ongoing worth checking that 3DES / DES isn't enabled and used for Remote Access VPN for both security & performance reasons!

Re: Uploading a big file gets interrupted only when connected via Remote Access

the_rock — Thu, 26 Sep 2024 12:33:04 GMT

Hey @kamilazat

I agree with what @G_W_Albrecht indicated. Most likely best to do vpn debugs when issue is happening if turning off TP blades does not help. Though, to me, logically, not sure that will help, if all works fine with those blades enabled otherwise.

Andy

Re: Uploading a big file gets interrupted only when connected via Remote Access

kamilazat — Thu, 26 Sep 2024 13:12:39 GMT

@the_rock @Chris_Atkinson @G_W_Albrecht Thank you for the suggestions!

Update: We have narrowed the problem down to ICAP. The GW is set as ICAP client. When ICAP is turned off, then everything works fine.

Now the question is how does the it handle the differences between normal IPs and Office Mode IPs. There are no such settings in $FWDIR/conf/icap_client_blade_configuration.C file. Or do we also need to all IP ranges including the Office Mode address ranges?

And even if the answer is yes, it's still mysterious how it allows the upload until some percentage, and then drops the traffic.

Additional edit: I think this post would look better in Threat Prevention 🙂

Re: Uploading a big file gets interrupted only when connected via Remote Access

G_W_Albrecht — Thu, 26 Sep 2024 13:14:24 GMT

How is :icap_servers () - :failmode () set in $FWDIR/conf/icap_client_blade_configuration.C file?

Re: Uploading a big file gets interrupted only when connected via Remote Access

kamilazat — Thu, 26 Sep 2024 13:33:44 GMT

It is open. I'm attaching the file with redacted IPs.