Cannot access www.eicar.org through SWG

Question

Hi Folks,&nbsp;
currently I'm evaluating SWG with TMOS 11.6.0 HF4. I got it up and running, but I've encountered several issues. In this post I will only focus on one of the issues.&nbsp;
When I'm trying to access http://www.eicar.org I get a "Connect failed" back from the proxy. It's just a white page, without a logo or any other kind of a SWG error page. There is no entry in the event logs, although I'm logging every request (allowed and blocked). 
I've created a tcpdump. There are several thousand packets captured, during one connection try. When I take a look into the dump file there is no SYN packet seen. The dump starts with an ACK packet from the webserver to the BIG-IP. Very weird.
In the /var/log/apm there is an error logged:
May 25 21:25:41 big-ip crit tmm3[11889]: 01790601:2: [S] 188.40.238.250:80 -&gt; x.x.x.x:x: Response buffer timeout, apply action from urldb response&nbsp;
Unfortunately I wasn't able to figger out what this means, but the issue does only come up, when a Response Analytics Element is added to the VPE for the Per-Request Policy. Google didn't help me. This message seems to be fully unknown. Any hints on what is going wrong here?&nbsp;
Thanks in advance.&nbsp;
Greets,
svs&nbsp;

michael_koyfma1 · Answer

Did you deploy using the iApp?  It's really hard to say what is happening without knowing how you configured it.&nbsp;

michael_koyfma1 · Answer

Did you deploy using the iApp?  It's really hard to say what is happening without knowing how you configured it.&nbsp;

svs · Answer

Hi Michael,&nbsp;
thanks for your response.&nbsp;
I've configured it manually and deployed an iApp for testing purposes - of course not in combination. Both instances are running dedicated.&nbsp;
I think I was able to find out the reason for the message. I didn't change the default "Max Buffer Size" of the Response Analytics element. Per default it is set to 1 MB (1048576 Bytes). After setting this Size to 25 MB (26214400 Bytes) it was working, although it took about 15 seconds approximately before the site is shown. I wasn't able to find a reason for this strange behavior, especially with this site, due to time issues.&nbsp;
Greets,
svs&nbsp;

Forum Discussion

Cannot access www.eicar.org through SWG

3 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

F5 BIG-IP SSL Orchestrator and ReversingLabs Integration Guide

Implementing SSL Orchestrator - Validation & Troubleshooting

F5 SSL Orchestrator and FireEye NX Integrated Solution

F5 SSL Orchestrator and Cisco Firepower Threat Defense (FTD) Integrated Solution

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS