kamilazat
Collaborator

Uploading a big file gets interrupted only when connected via Remote Access

Hi everyone.

I wasn't sure whether to post this on Remote Access or Threat Prevention, so I'm posting on Security Gateways.

When a remote computer tries to upload a big file (400MB+) to an internal resource without RA VPN, the upload goes perfectly fine. But only when connected via VPN the upload goes until 7-10% and then it gets interrupted.

The traffic goes through a single gateway (no cluster) with version R81.20 JHF T41, and with enabled blades fw vpn cvpn urlf av appi ips identityServer SSL_INSPECT anti_bot.

We already tried looking at logs on SmartConsole and zdebug drop, but neither of them gave us anything. Also checked if Aggressive Aging was at play, but the CPU usage never gets higher than 30%, and everything is set to default 80%.

Currently we're waiting for a maintenance window for testing while turning TP off by fw amw unload command.

Where else can I look if that doesn't help? And why wouldn't I see any logs?

Any ideas would be appreciated.

Cheers!

0 Kudos
6 Replies
G_W_Albrecht
Legend

I would debug the vpn tunnel during the upload if excluding this traffic from TP (AV IPS) does not help.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee

While diagnosis is ongoing, it's worth checking that 3DES / DES isn't enabled and used for Remote Access VPN, for both security & performance reasons!

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Hey @kamilazat 

I agree with what @G_W_Albrecht indicated. Most likely best to do vpn debugs when issue is happening if turning off TP blades does not help. Though, to me, logically, not sure that will help, if all works fine with those blades enabled otherwise.

Andy

0 Kudos
kamilazat
Collaborator

@the_rock @Chris_Atkinson @G_W_Albrecht Thank you for the suggestions!

Update: We have narrowed the problem down to ICAP. The GW is set as ICAP client. When ICAP is turned off, then everything works fine.

Now the question is how does it handle the differences between normal IPs and Office Mode IPs. There are no such settings in $FWDIR/conf/icap_client_blade_configuration.C file. Or do we also need to all IP ranges including the Office Mode address ranges?

And even if the answer is yes, it's still mysterious how it allows the upload until some percentage, and then drops the traffic.

Additional edit: I think this post would look better in Threat Prevention 🙂

0 Kudos
G_W_Albrecht
Legend

How is :icap_servers () - :failmode () set in $FWDIR/conf/icap_client_blade_configuration.C file?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
kamilazat
Collaborator

It is open. I'm attaching the file with redacted IPs.

0 Kudos
