Not something you'd want to see

Larry Cybersecurity Overlord ✭✭✭

TZ600 syslog entry:

Gateway Anti-Virus Status: Server error. This firewall is sending packets too fast for it to reassemble.

Any idea of what this really means and what the implications are?


Comments

  • Hi @Larry,

    Does this Event message appear for Capture ATP events?

    If true, usually, this message appears when the buffer used to store the entire number of packets of the file gets full before Capture ATP can reassemble the file at the "Data Center Location" for inspection.

    These are the 3 actions you can take to fix this issue:

    1 - Ensure that you are using the closest Data Center for the location the FW is installed.

    2 - Ensure that you are using the latest firmware on the FW.

    3 - Follow this KB article to increase the buffer size on the FW side:

    https://www.sonicwall.com/support/knowledge-base/troubleshooting-capture-atp/171004093436667/


    If the issue persists, the next step would be to select an alternate Data Center Location.

    If you continue experiencing the message after all the mentioned steps, please open a support ticket mentioning all the steps taken and attaching the logs and we will be glad to troubleshoot further.


    Regards

    Raul Cuevas

    Technical Support Advisor, Premier Services

  • Larry Cybersecurity Overlord ✭✭✭

    @raul_cuevas

    I would like to go through these one by one.

    Starting with "Ensure that you are using the closest Data Center for the location the FW is installed." How - exactly - would I do that long after the license has been established? And if it is not the closest, how would I change it?

    The device is using the latest firmware, SonicOS Enhanced 6.5.4.7-83n

    The settings mentioned in the KB article are set.

    I cannot refresh the cache items until the weekend - and I'll have to schedule this with the business owner - because all the work-from-home users log in to their desktops at all hours of the day and night.


    But the "server error" came after several PDF files were received as email attachments. It was the next to last one that had the reported message. I no longer have the active log (this TZ 600 only manages to retain about 30 minutes of activity), so I can't say what the others were... However, looking at Capture ATP in the device it only reports on 2 files at that time. Now I'm wondering about any others.
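
An added example (not part of the thread and not SonicWall code): because the on-box log covers only a short window, this Python script scans syslog lines kept on an external collector for the message quoted above and lists the other events logged near each occurrence, so they can be compared with what Capture ATP reports. The key=value line layout, the timestamp format, the 120-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message text quoted in the thread.
NEEDLE = "This firewall is sending packets too fast for it to reassemble"
# Assumed layout: space-separated key=value pairs, values optionally quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD_RE.findall(line)}

def find_reassembly_errors(lines, window_seconds=120):
    """Return [(error_time, [msg of each other event within the window])]."""
    events = []
    for line in lines:
        fields = parse_line(line)
        try:
            # Assumed "YYYY-MM-DD HH:MM:SS" prefix; any zone suffix is ignored.
            ts = datetime.strptime(fields["time"][:19], "%Y-%m-%d %H:%M:%S")
            events.append((ts, fields["msg"]))
        except (KeyError, ValueError):
            continue  # not an event line, or an unparseable timestamp
    window = timedelta(seconds=window_seconds)
    report = []
    for i, (ts, msg) in enumerate(events):
        if NEEDLE in msg:
            nearby = [m for j, (t, m) in enumerate(events)
                      if j != i and abs(t - ts) <= window]
            report.append((ts, nearby))
    return report

# Constructed sample lines (placeholder serial, documentation addresses).
SAMPLE = [
    'id=firewall sn=PLACEHOLDER time="2020-09-14 10:01:40" fw=192.0.2.1 pri=6 msg="Constructed event A" src=198.51.100.7',
    'id=firewall sn=PLACEHOLDER time="2020-09-14 10:02:11" fw=192.0.2.1 pri=4 msg="Gateway Anti-Virus Status: Server error. This firewall is sending packets too fast for it to reassemble."',
    'id=firewall sn=PLACEHOLDER time="2020-09-14 10:02:30" fw=192.0.2.1 pri=6 msg="Constructed event B"',
    'id=firewall sn=PLACEHOLDER time="2020-09-14 10:20:00" fw=192.0.2.1 pri=6 msg="Constructed event C"',
]

if __name__ == "__main__":
    for ts, nearby in find_reassembly_errors(SAMPLE):
        print(f"{ts} reassembly error; {len(nearby)} other event(s) within window")
        for m in nearby:
            print("   ", m)
```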
