6.5.4.6 - Capture ATP vs. MySonicWall Downloads

BWC Cybersecurity Overlord ✭✭✭

Hi,

A customer is struggling to get the latest Directory Connector; Capture ATP is activated with Block until verdict.

But the download never finishes; we've got a few log entries:

Capture ATP Monitor just shows a good file, but with a different URL/query parameter. What do these timer-wait timer messages mean?

I know Block until verdict can be a beast, but shouldn't it at least work to get files from one's own vendor without causing problems?

--Michael@BWC

Category: Mid Range Firewalls

Answers

  • Saravanan Moderator

    Hi @BWC,

    Looks like the firewall is not receiving a confirmation or ACK from the sandbox for the file that was sent by it. Hence the connection times out, leading to the download failure.

    I have seen a similar issue in the past on lower firmware versions, but nothing as of now on newer firmware versions. Could you please confirm the below?

    • Firmware version on the SonicWall appliance.
    • Is this issue noticed with any other file downloads and when was this issue noticed first?
    • Do any of your other customers also report this issue?
    • Hope you tried tweaking the MTU for testing purposes. If not, you can try this and check.

    Keep us posted please.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BWC Cybersecurity Overlord ✭✭✭
    edited July 2020

    Hi @Saravanan

    Why should I change the MTU if disabling Block until verdict makes the download work just fine? The MTUs are perfectly fine and no fragmentation is needed. I'm running 6.5.4.6 on that machine; the customer did not complain about other downloads, but these are mostly HTTPS and we disabled DPI-SSL.

    The message in the event log arrived about a minute later, when my download was already finished, so no ACK from the Capture ATP service. I will try to do a Packet Monitor capture to see what happens there when the file gets uploaded via UFTP.

    Other customers decided to disable Block until verdict all the way, because it caused too much trouble. I would like to have it otherwise, but the customer is king.

    UPDATE: The UFTP upload itself uses an MTU of just 1024 bytes (as per the definition on /diag.html). I only saw outgoing packets to the Capture ATP upload server, but no response packets from 79.141.36.140; this seems to be causing the missing acknowledgement.

    --Michael@BWC
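The check described in the update above, that the capture shows packets leaving for the Capture ATP upload server but nothing coming back, can be automated over a capture summary. The following is an added example and is not code from the original thread or from SonicWall: it groups a text capture summary into flows as seen from the firewall and reports flows with no reply. The sample lines are constructed; the 79.141.36.140 address is the one quoted in the post, while the firewall address 203.0.113.10 (RFC 5737 documentation range), the TCP ports, and the tshark-like line layout are assumptions for the example and would need adjusting for a real Packet Monitor export.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample capture (not from the original post). Only the sandbox
# address 79.141.36.140 comes from the thread; firewall address, ports and
# line format are assumptions. The sandbox flow shows 1024-byte chunks going
# out and nothing coming back, while an unrelated HTTPS flow is answered.
SAMPLE_CAPTURE = """\
0.000 203.0.113.10:51000 > 79.141.36.140:443 TCP 1024
0.010 203.0.113.10:51000 > 79.141.36.140:443 TCP 1024
0.020 203.0.113.10:51000 > 79.141.36.140:443 TCP 1024
0.030 203.0.113.10:51001 > 198.51.100.5:443 TCP 517
0.045 198.51.100.5:443 > 203.0.113.10:51001 TCP 1460
0.050 203.0.113.10:51000 > 79.141.36.140:443 TCP 1024
"""

# Assumed summary format: "<time> <src>:<sport> > <dst>:<dport> <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)$"
)


@dataclass
class FlowStats:
    out_packets: int = 0   # firewall -> remote
    in_packets: int = 0    # remote -> firewall
    out_bytes: int = 0
    in_bytes: int = 0
    max_out_len: int = 0   # largest outgoing packet, to spot a small upload MTU
    last_out_ts: float = 0.0


def flow_stats(capture_text, firewall_ip):
    """Group packets into flows keyed from the firewall's point of view:
    (remote_ip, remote_port, local_port, proto). Unparseable lines and
    packets not involving the firewall are skipped."""
    flows = defaultdict(FlowStats)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        length = int(m["length"])
        if m["src"] == firewall_ip:
            s = flows[(m["dst"], int(m["dport"]), int(m["sport"]), m["proto"])]
            s.out_packets += 1
            s.out_bytes += length
            s.max_out_len = max(s.max_out_len, length)
            s.last_out_ts = float(m["ts"])
        elif m["dst"] == firewall_ip:
            s = flows[(m["src"], int(m["sport"]), int(m["dport"]), m["proto"])]
            s.in_packets += 1
            s.in_bytes += length
    return dict(flows)


def one_way_flows(flows):
    """Flows where the firewall sent data but never received a packet back."""
    return sorted(k for k, s in flows.items()
                  if s.out_packets and s.in_packets == 0)


def sandbox_report(capture_text, firewall_ip, sandbox_ip):
    """Summarise all traffic to the sandbox host: did anything come back?"""
    flows = flow_stats(capture_text, firewall_ip)
    to_sandbox = [s for k, s in flows.items() if k[0] == sandbox_ip]
    out_p = sum(s.out_packets for s in to_sandbox)
    in_p = sum(s.in_packets for s in to_sandbox)
    max_len = max((s.max_out_len for s in to_sandbox), default=0)
    return {"out_packets": out_p, "in_packets": in_p,
            "max_out_len": max_len, "answered": in_p > 0}


if __name__ == "__main__":
    print(sandbox_report(SAMPLE_CAPTURE, "203.0.113.10", "79.141.36.140"))
    for key in one_way_flows(flow_stats(SAMPLE_CAPTURE, "203.0.113.10")):
        print("no reply from", key)
```

On the constructed sample the sandbox flow is reported as unanswered with a largest outgoing packet of 1024 bytes, matching the symptom in the update; a flow that does get replies (the 198.51.100.5 one) is not listed. If a real capture shows the same pattern, the next thing to check is the path between the firewall and that address (upstream filtering, NAT, or routing), since the firewall cannot receive a verdict for data that never gets acknowledged.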

  • Saravanan Moderator

    Hi @BWC,

    Thanks for your comment.

    The MTU change was suggested especially with BUV enabled, for a fragmentation-caused issue between firewall and sandbox. In some of my old cases this has helped. It was suggested as a part of the troubleshooting steps. Hope this clarifies.

    I guess there is a slight risk involved when disabling BUV in the SonicWall appliance. I feel it would be better to contact our support team to get this issue reported and checked.

    Have a good one!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
