10-02-2013 05:32 AM
We are seeing issues with Google ssl traffic being identified as Ultrasurf. Problem went away when we backed out the update (which included updates to the ultrasurf application definition). Ticket is into Support. May want to avoid updating to 396 for now.
Phil
10-02-2013 08:06 AM
We are experiencing the same issue on our network as well. Rolling back to 395 resolved the issue for us. Please update this thread when you hear back from support.
Jared
10-02-2013 08:14 AM
Same here.
One odd detail I noticed is that we update threats automatically at 02:00, and Google was being classified normally until 07:36 (ET), after which it started showing up as 'ultrasurf' in the log.
10-02-2013 08:32 AM
Were there pcaps attached to the ticket? What's the case number?
10-02-2013 08:37 AM
Case # is 163564. No pcaps attached to the case, but it should be reproducible in a lab.
10-02-2013 08:49 AM
Unable to reproduce thus far, but a bug has been filed to have Engineering take a look. If at all possible, please reproduce on your end and attach client-end pcaps to the case. We can utilize them on the tcpreplay server.
admin@Phoenix-VM-Lab148> show session all filter source 192.168.148.11
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
30984 ssl ACTIVE FLOW NS 192.168.148.11[55085]/L3-Trust/6 (10.30.6.148[36135])
vsys1 74.125.239.136[443]/L3-Untrust (74.125.239.136[443])
31004 ping ACTIVE FLOW NS 192.168.148.11[16]/L3-Trust/1 (10.30.6.148[16])
vsys1 4.2.2.2[42398]/L3-Untrust (4.2.2.2[42398])
30999 ssl ACTIVE FLOW NS 192.168.148.11[55087]/L3-Trust/6 (10.30.6.148[21642])
vsys1 74.125.239.111[443]/L3-Untrust (74.125.239.111[443])
31003 ping ACTIVE FLOW NS 192.168.148.11[16]/L3-Trust/1 (10.30.6.148[16])
vsys1 4.2.2.2[42397]/L3-Untrust (4.2.2.2[42397])
30995 ping ACTIVE FLOW NS 192.168.148.11[16]/L3-Trust/1 (10.30.6.148[16])
vsys1 4.2.2.2[42394]/L3-Untrust (4.2.2.2[42394])
31000 ping ACTIVE FLOW NS 192.168.148.11[16]/L3-Trust/1 (10.30.6.148[16])
vsys1 4.2.2.2[42395]/L3-Untrust (4.2.2.2[42395])
31001 ssl ACTIVE FLOW NS 192.168.148.11[55088]/L3-Trust/6 (10.30.6.148[28109])
vsys1 74.125.239.111[443]/L3-Untrust (74.125.239.111[443])
31002 ping ACTIVE FLOW NS 192.168.148.11[16]/L3-Trust/1 (10.30.6.148[16])
vsys1 4.2.2.2[42396]/L3-Untrust (4.2.2.2[42396])
30998 ssl ACTIVE FLOW NS 192.168.148.11[55089]/L3-Trust/6 (10.30.6.148[26079])
vsys1 74.125.129.104[443]/L3-Untrust (74.125.129.104[443])
30996 ping ACTIVE FLOW NS 192.168.148.11[16]/L3-Trust/1 (10.30.6.148[16])
vsys1 4.2.2.2[42393]/L3-Untrust (4.2.2.2[42393])
30986 ssl ACTIVE FLOW NS 192.168.148.11[55086]/L3-Trust/6 (10.30.6.148[54225])
vsys1 74.125.239.106[443]/L3-Untrust (74.125.239.106[443])
10-02-2013 09:34 AM
Below is a link to a pcap I created of traffic going to 140.197.248.94 that was being blocked for ultrasurf. 140.197.248.94 is a google cache server located on our network. I hope this helps.
<Links Removed>
10-02-2013 09:45 AM
We had severe issues with ALL Google apps as a result of this change. Google traffic was being blocked as ultrasurf app traffic. PAN, please post something when this has been resolved.
10-02-2013 10:17 AM
Please revert to version 395. This issue has been verified and is being addressed.
-chadd.
10-02-2013 12:14 PM
Version 396 appears to be withdrawn from the download site.
Phil
10-03-2013 04:42 AM
Apps and Threat update 397 released - No issues seen relating to Ultrasurf.
Phil
10-03-2013 08:22 AM
I installed update 397, re-added ultrasurf, and it's still blocking google traffic for us. I will back-rev to 395 until resolved...
10-04-2013 05:25 PM
Cloughr,
We have generated about 40M log entries since we installed 397 with no ultrasurf traffic seen. What type of Google traffic are you seeing as ultrasurf? For us it was just doing web searches via https.
Phil
10-07-2013 10:35 AM
We are on 397 and still experiencing the issue with Google being inappropriately identified as Ultrasurf.
10-08-2013 06:55 AM
Is there a plan to resolve this?
I'm currently forced to put huge blocks of "ignore" ultrasurf in our policy set.