I am new to this forum and this is my first post here.
Currently I have a support incident with McAfee open and as they are taking their time looking through logs I figured I'd post here to see if anyone out there has heard of this issue.
We currently have an IDS/IPS M-3050 sensor inline between our internet connection, data center, and the rest of our networked PCs.
When the sensor is up and running, we cannot do large file transfers (over 300MB) either internally to a file server in our data center, or externally (tested a Microsoft ISO download). This is obviously causing us some big headaches (computer imaging for one).
Looking at the real time threat analyzer, it doesn't seem to be blocking or picking up on anything abnormal - but if I shut down the M3050 and let our fail open kits take over, our file transfers and images go across our WAN links as expected.
Any thoughts out there?
I re-read your post and the subject line which indicates Network Security Platform (NSP), so I moved this to the correct area. Hopefully a community expert can help you soon.
Hi cwebbrsd, under IPS Settings => Policies => HTTP Response Scanning, check if you have enabled this functionality. If so, disable it and try to download the ISO file from Microsoft again. Let us know how it goes.
Here is an update for those that are reading and are interested:
Working with Tier 3 support, so far they have had me issue this command via the console:
layer2 mode assert
Which to my understanding disables the IPS from really doing any scanning. Now our file transfers work as expected, but of course our IPS is no longer doing its job.
I'll post back when I hear more, and any suggestions from the community are still very welcome.
As you said, layer 2 bypass disables IPS from scanning. I don't think of that solution as a workaround; it is just a temporary "patch" until they find the problem.
Correct, this is a band-aid - but at least until they find a good solution my file transfers are not dead in the water. I'll continue to update as tech support gives me information.
Does the transfer completely fail when in inline IPS, or just have latency?
I'd check the following and bubble this up to the support case rep:
1.) Any interface errors on the sensor port handling the transfer (CRCs)?
2.) On the sensor CLI, issue "clrstat" to clear counters, do the transfer (inline IPS) and then check "show inlinepktdropstats" on sensor. This should show you where the dropped packets are coming from.
3.) You can also enter debug mode on sensor CLI and test the transfer with Layer 3 and Layer 7 inspection disabled to see the difference.
At the sensor CLI enter "debug", then enter "set l3 <off|on>" and "set l7 <off|on>" and track the results.
4.) If you are not on the latest version of the sensor sw code, you may check that.
If you have an SR number, you can send me a direct message, and I can take a peek at the case.... Cheers