Possible issues with Application update version 396


L4 Transporter

We are seeing issues with Google ssl traffic being identified as Ultrasurf.  Problem went away when we backed out the update (which included updates to the ultrasurf application definition).  Ticket is into Support.  May want to avoid updating to 396 for now.

Phil

Accepted Solutions

L4 Transporter

Apps and Threat update 397 released - No issues seen relating to Ultrasurf.

Phil


L1 Bithead

We are experiencing the same issue on our network as well.  Rolling back to 395 resolved the issue for us.  Please update this thread when you hear back from support.

Jared

Same here.

One odd detail I noticed is that we update threats automatically at 02:00, and Google was being classified normally until 07:36 (ET), after which it started showing up as 'ultrasurf' in the log.
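The observation above (a scheduled 02:00 content install, but Google traffic only relabelled from 'ssl' to 'ultrasurf' hours later) is the kind of thing worth checking from the traffic log rather than by eye. The following Python script is an added example, not code from this thread or from Palo Alto Networks: it reads simplified traffic-log records, reports the first time a given App-ID label appears, and lists destinations whose dominant App-ID differs before and after an assumed content-update time. The names `SAMPLE_LOG`, `UPDATE_TIME`, `first_seen` and `find_relabelled`, and the log lines themselves, are constructed for illustration; the six-column CSV layout is a simplification, not the real PAN-OS traffic-log schema.

```python
"""Spot App-ID relabelling in firewall traffic logs after a content update.

Added example, not code from the thread or from Palo Alto Networks. It parses
simplified traffic-log records (time, src, dst, dport, app, action), finds the
first time a given application label appears, and reports destinations whose
dominant App-ID differs before and after an assumed content-update time.
The log lines are constructed to resemble the symptom described in the
thread (port-443 sessions to Google addresses flipping from 'ssl' to
'ultrasurf'); the CSV layout is a simplification of the real traffic log.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: time,src,dst,dport,app,action
SAMPLE_LOG = """\
2013-03-05 01:55:02,192.168.148.11,74.125.239.136,443,ssl,allow
2013-03-05 01:56:10,192.168.148.12,74.125.239.111,443,ssl,allow
2013-03-05 01:58:44,192.168.148.13,74.125.239.111,443,ssl,allow
2013-03-05 01:59:01,192.168.148.11,4.2.2.2,0,ping,allow
2013-03-05 07:36:15,192.168.148.11,74.125.239.136,443,ultrasurf,deny
2013-03-05 07:37:20,192.168.148.12,74.125.239.111,443,ultrasurf,deny
2013-03-05 07:38:03,192.168.148.13,74.125.239.111,443,ultrasurf,deny
2013-03-05 07:39:40,192.168.148.14,74.125.239.136,443,ultrasurf,deny
2013-03-05 07:40:01,192.168.148.11,4.2.2.2,0,ping,allow
2013-03-05 07:41:12,192.168.148.15,74.125.239.111,443,ssl,allow
"""

# Assumed time of the scheduled content install (the thread mentions 02:00).
UPDATE_TIME = datetime(2013, 3, 5, 2, 0, 0)


def parse_log(text):
    """Parse the constructed CSV into a list of dicts; malformed rows are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue
        ts, src, dst, dport, app, action = row
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "dport": int(dport),
            "app": app, "action": action,
        })
    return records


def first_seen(records, app):
    """Earliest timestamp at which `app` was logged, or None if never seen."""
    times = [r["time"] for r in records if r["app"] == app]
    return min(times) if times else None


def app_mix(records, cutoff):
    """Per destination: (Counter of apps before cutoff, Counter of apps at/after cutoff)."""
    mix = defaultdict(lambda: (Counter(), Counter()))
    for r in records:
        side = 1 if r["time"] >= cutoff else 0
        mix[r["dst"]][side][r["app"]] += 1
    return mix


def dominant(counter):
    """Most frequent label in a Counter, or None when it is empty."""
    return counter.most_common(1)[0][0] if counter else None


def find_relabelled(records, cutoff, min_after=2):
    """Destinations whose dominant App-ID changed across `cutoff`.

    Returns sorted (dst, app_before, app_after, count_after). A destination is
    only reported when it has at least `min_after` records after the cutoff,
    so one stray session does not raise an alert on its own.
    """
    hits = []
    for dst, (before, after) in app_mix(records, cutoff).items():
        b, a = dominant(before), dominant(after)
        if b is not None and a is not None and b != a and sum(after.values()) >= min_after:
            hits.append((dst, b, a, after[a]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("first 'ultrasurf' hit:", first_seen(recs, "ultrasurf"))
    for dst, b, a, n in find_relabelled(recs, UPDATE_TIME):
        print(f"{dst}: {b} -> {a} ({n} sessions after update)")
```

Comparing the first appearance of the new label with the install time, as the script does, separates "the new content was installed" from "the new signature started matching", which is what makes a rollback decision defensible; on a real export the same comparison would be run over the exported traffic log with its actual column names.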

L6 Presenter

Were there pcaps attached to the ticket? What's the case number?

Case # is 163564. No pcaps attached to the case, but it should be reproducible in a lab.

Unable to reproduce thus far, but a bug has been filed to have Engineering take a look. If at all possible, please reproduce on your end and attach client-end pcaps to the case. We can utilize them on a tcpreplay server.

admin@Phoenix-VM-Lab148> show session all filter source 192.168.148.11
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
30984   ssl            ACTIVE  FLOW  NS   192.168.148.11[55085]/L3-Trust/6  (10.30.6.148[36135])
vsys1                                     74.125.239.136[443]/L3-Untrust  (74.125.239.136[443])
31004   ping           ACTIVE  FLOW  NS   192.168.148.11[16]/L3-Trust/1  (10.30.6.148[16])
vsys1                                     4.2.2.2[42398]/L3-Untrust  (4.2.2.2[42398])
30999   ssl            ACTIVE  FLOW  NS   192.168.148.11[55087]/L3-Trust/6  (10.30.6.148[21642])
vsys1                                     74.125.239.111[443]/L3-Untrust  (74.125.239.111[443])
31003   ping           ACTIVE  FLOW  NS   192.168.148.11[16]/L3-Trust/1  (10.30.6.148[16])
vsys1                                     4.2.2.2[42397]/L3-Untrust  (4.2.2.2[42397])
30995   ping           ACTIVE  FLOW  NS   192.168.148.11[16]/L3-Trust/1  (10.30.6.148[16])
vsys1                                     4.2.2.2[42394]/L3-Untrust  (4.2.2.2[42394])
31000   ping           ACTIVE  FLOW  NS   192.168.148.11[16]/L3-Trust/1  (10.30.6.148[16])
vsys1                                     4.2.2.2[42395]/L3-Untrust  (4.2.2.2[42395])
31001   ssl            ACTIVE  FLOW  NS   192.168.148.11[55088]/L3-Trust/6  (10.30.6.148[28109])
vsys1                                     74.125.239.111[443]/L3-Untrust  (74.125.239.111[443])
31002   ping           ACTIVE  FLOW  NS   192.168.148.11[16]/L3-Trust/1  (10.30.6.148[16])
vsys1                                     4.2.2.2[42396]/L3-Untrust  (4.2.2.2[42396])
30998   ssl            ACTIVE  FLOW  NS   192.168.148.11[55089]/L3-Trust/6  (10.30.6.148[26079])
vsys1                                     74.125.129.104[443]/L3-Untrust  (74.125.129.104[443])
30996   ping           ACTIVE  FLOW  NS   192.168.148.11[16]/L3-Trust/1  (10.30.6.148[16])
vsys1                                     4.2.2.2[42393]/L3-Untrust  (4.2.2.2[42393])
30986   ssl            ACTIVE  FLOW  NS   192.168.148.11[55086]/L3-Trust/6  (10.30.6.148[54225])
vsys1                                     74.125.239.106[443]/L3-Untrust  (74.125.239.106[443])

Below is a link to a pcap I created of traffic going to 140.197.248.94 that was being blocked for ultrasurf.  140.197.248.94 is a google cache server located on our network.  I hope this helps.

<Links Removed>

We had severe issues with ALL google apps as a result of this change. Google traffic was being blocked as ultrasurf app traffic. PAN please post something when this has been resolved.

L3 Networker

Please revert to version 395.  This issue has been verified and is being addressed.

-chadd.

L4 Transporter

Version 396 appears to be withdrawn from the download site.

Phil

I installed update 397, re-added ultrasurf, and it's still blocking google traffic for us. I will back-rev to 395 until resolved...

Cloughr,

We have generated about 40M log entries since we installed 397 with no ultrasurf traffic seen. What type of Google traffic are you seeing as ultrasurf? For us it was just doing web searches via https.

Phil

L0 Member

We are on 397 and still experiencing the issue with Google being inappropriately identified as Ultrasurf.

Is there a plan to resolve this?

I'm currently forced to put huge blocks of "ignore ultrasurf" into our policy set.
