1 2 Previous Next 10 Replies Latest reply on May 13, 2011 2:38 PM by foobar

    NSP M-3050

      Hi All,

       

      I am new to this forum and my first post here.

       

      Currently I have a support incident with McAfee open and as they are taking their time looking through logs I figured I'd post here to see if anyone out there has heard of this issue.

       

       

      We currently have a IDS/IPS M-3050 sensor inline between our internet connection, data center, and the rest of our networked PCs.

       

      When the sensor is up and running, we cannot do large file transfers (over 300MB) either internally to a file server in our data center, or externally (tested a Microsoft ISO download). This is obvioulsy causing us some big headaches (computer imaging for one).

       

      Looking at the real time threat analyzer, it doesn't seem to be blocking or picking up on anything abnormal - but if I shut down the M3050 and let our fail open kits take over, our file transfers and images go across our WAN links as expected.

       

       

      Any thoughts out there?

       

      Thanks!

      Curtis

        • 1. Re: NSP M-3050

          I'm not a product expert, but you might have better luck if you moved this to one of our product areas. I'm unfamiliar with specific model numbers but it sounds like you may be posting about IntruShield?

           

          Network Security Platform (IntruShield and NAC)

          • 2. Re: NSP M-3050

            I re-read your post and the subject line which indicates Network Security Platform (NSP), so I moved this to the correct area. Hopefully a community expert can help you soon.

            • 3. Re: NSP M-3050

              Thanks April, I appreciate the direction.

               

              on 5/10/11 2:36:13 PM CDT
              • 4. Re: NSP M-3050
                gooru4speed

                Hi cwebbrsd, under IPS Settings=> Policies => HTTP Response Scanning, check if you have enabled this functionality. In affirmative situation disable it and try to download the ISO file from Microsoft again. Let us know how it is going on.

                 

                Regards,

                • 5. Re: NSP M-3050

                  Thanks for your response, gooru4speed - however, we do not have HTTP response scanning enabled on any of our port pairs.

                  • 6. Re: NSP M-3050

                    Here is an update for those that are reading and are interested:

                     

                    Working with Tier 3 support, so far they have had me issue this command via the console:

                     

                    layer2 mode assert

                     

                    Which to my understanding disables the IPS from really doing any scanning. Now our file transfers work as expected, but of course our IPS is no longer doing its' job.

                     

                    Ill post back when I hear more, and any suggestions from the community are still very welcome.

                     

                    Thanks,

                    Curtis

                    • 7. Re: NSP M-3050
                      gooru4speed

                      As you said layer 2 bypass disables IPS from scanning. I don't think that solution as a workaround it is just a temporary "patch" until they find the problem.

                       

                      Good luck.

                      • 8. Re: NSP M-3050

                        Correct, this is a band-aid - but at least unil they find a good solution my file transfers are not dead in the water. I'll continue to update as tech support gives me information.

                        • 9. Re: NSP M-3050
                          SGROSSEN

                          Does the transfer complete fail when Inline IPS, or just have latency?

                          I'd check the following and bubble this up to the support case rep

                           

                          1.) Anyinterface errors on the on the sensor port handling the transfer (CRC's)?

                          2.) On the sensor CLI, issue "clrstast" to clear counters, do the transfer (inline IPS) and then check "show inlinepktdropstats" on sensor.  This should show you where the dropped packets are coming from

                          3.) You can also enter debug mode on sensor CLI and test the transfer with Layer 3 and Layer 7 inspection disabled to see the difference.

                          at the sensor CLI ener "debug" then enter "set l3 <off|on>" and "set l7 <off|on>" and track the results

                          4.)  If you are not on the latest version of the sensor sw code, you may check that.

                           

                          If you have a SR number, you can send me an direct message, and I can take a peek at the case.... Cheers

                           

                          --Steve

                          1 2 Previous Next