Aug 30, 2017

ICAP server reachable, however ASM claims communication issues



I have encountered a situation where I have implemented basic AV protection to a server. Tests with EICAR file work fine from internal and external networks (should not really matter).


The thing is that on some occasions I noticed that the file upload had been blocked but the Virus violation states: "Virus detection was not performed due to communication problem. See details here: /ts/log/bd.log" There is no relevant info in that log file.


Guaranteed enforcement was turned on, so I guess that's why the block took place. But the real question is - why is it complaining about not being able to communicate with the ICAP server? When I run a test from any network, it blocks it just right and the violation is described accurately.


Whenever this has happened there have been multiple generic violations detected with the traffic as well, but ONLY AV protection is in Blocking mode - generic signatures are just alerting for analysis.


Does anyone have more experience with such cases? Any ideas why this is happening?


Thank you!


  • I think you need to raise a support case. They will check your config; also, ICAP is known to have some issues on some versions of BIG-IP and with some AV vendors.


    Was this resolved? I am getting the same error message, and this generates false positives.

    When I do a packet capture I see bidirectional communication with the ICAP server, and the ICAP server responds with code 204 Unmodified.

    I've recently encountered the same issue with our BigIP v16.1.3.3. Can anyone shed some light on how this issue can be solved?