
Forum Discussion

svs
May 25, 2015

Cannot access www.eicar.org through SWG

Hi Folks,

 

Currently I'm evaluating SWG with TMOS 11.6.0 HF4. I got it up and running, but I've encountered several issues. In this post I will only focus on one of the issues.

 

When I'm trying to access http://www.eicar.org I get a "Connect failed" back from the proxy. It's just a white page, without a logo or any other kind of SWG error page. There is no entry in the event logs, although I'm logging every request (allowed and blocked). I've created a tcpdump. There are several thousand packets captured during one connection try. When I take a look into the dump file there is no SYN packet seen. The dump starts with an ACK packet from the webserver to the BIG-IP. Very weird. In the /var/log/apm there is an error logged:

May 25 21:25:41 big-ip crit tmm3[11889]: 01790601:2: [S] 188.40.238.250:80 -> x.x.x.x:x: Response buffer timeout, apply action from urldb response

 

Unfortunately I wasn't able to figure out what this means, but the issue only comes up when a Response Analytics element is added to the VPE for the Per-Request Policy. Google didn't help me. This message seems to be fully unknown. Any hints on what is going wrong here?

 

Thanks in advance.

 

Greets, svs

 

3 Replies

  • Did you deploy using the iApp? It's really hard to say what is happening without knowing how you configured it.

     

     

  • svs

    Hi Michael,

     

    Thanks for your response.

     

    I've configured it manually and deployed an iApp for testing purposes - of course not in combination. Both instances are running dedicated.

     

    I think I was able to find out the reason for the message. I didn't change the default "Max Buffer Size" of the Response Analytics element. By default it is set to 1 MB (1048576 bytes). After setting this size to 25 MB (26214400 bytes) it was working, although it took approximately 15 seconds before the site was shown. I wasn't able to find a reason for this strange behavior, especially with this site, due to time issues.

     

    Greets, svs
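
Added example, not part of the thread and not F5 code: a Python sketch that scans /var/log/apm-style lines for the "Response buffer timeout" message quoted in the original post and counts occurrences per address before the arrow, so it is visible which servers trigger it before and after a "Max Buffer Size" change. The field layout is an assumption taken from that single quoted line; every sample line other than it is constructed.

```python
import re
from collections import Counter

# Field layout assumed from the one /var/log/apm line quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>tmm\d*)\[(?P<pid>\d+)\]: (?P<msgid>[0-9a-f]{8}):(?P<level>\d+): "
    r"\[(?P<side>\w)\] (?P<src>\S+) -> (?P<dst>\S+): (?P<text>.*)$"
)

MSGID = "01790601"                   # message ID as it appears in the post
NEEDLE = "Response buffer timeout"   # message text as it appears in the post


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def buffer_timeouts(lines):
    """Count 'Response buffer timeout' events per address before the arrow."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msgid"] == MSGID and NEEDLE in rec["text"]:
            hits[rec["src"]] += 1
    return hits


# First line is the one from the post; the rest are constructed samples
# (documentation addresses, placeholder message ID 00000000).
SAMPLE = """\
May 25 21:25:41 big-ip crit tmm3[11889]: 01790601:2: [S] 188.40.238.250:80 -> x.x.x.x:x: Response buffer timeout, apply action from urldb response
May 25 21:27:02 big-ip crit tmm1[11889]: 01790601:2: [S] 192.0.2.10:80 -> x.x.x.x:x: Response buffer timeout, apply action from urldb response
May 25 21:29:15 big-ip crit tmm1[11889]: 01790601:2: [S] 192.0.2.10:80 -> x.x.x.x:x: Response buffer timeout, apply action from urldb response
May 25 21:30:00 big-ip notice tmm2[11889]: 00000000:5: [C] 198.51.100.7:51234 -> x.x.x.x:x: constructed unrelated message
""".splitlines()

if __name__ == "__main__":
    for server, count in buffer_timeouts(SAMPLE).most_common():
        print(f"{count:4d}  {server}")
```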