This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASG425 going crazy?

Hi folks,

since a couple days my astaro makes heavy load to my provider, usually more than 1000 connections so that the providers firewall blocks certain times.
I got them to send me over a logfile to check where the connections come from, and this is how it looks like:

1246287241.799     40 my.local.ip. TCP_MISS/200 458 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287241.867     44 my.local.ip. TCP_MISS/200 538 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287241.925     41 my.local.ip. TCP_MISS/200 330 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287242.017     49 my.local.ip. TCP_MISS/200 314 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287242.118     45 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287242.183     43 my.local.ip. TCP_MISS/200 266 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287242.686     42 my.local.ip. TCP_MISS/200 330 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287242.705     45 my.local.ip. TCP_MISS/200 314 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287243.427     38 my.local.ip. TCP_MISS/200 330 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287243.534     39 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287243.672     41 my.local.ip. TCP_MISS/200 362 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287243.678     41 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287243.716     39 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287243.778     40 my.local.ip. TCP_MISS/200 314 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287243.812     43 my.local.ip. TCP_MISS/200 330 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.014     43 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.040     42 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.042     39 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.046     41 my.local.ip. TCP_MISS/200 330 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.182     46 my.local.ip. TCP_MISS/200 330 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.214     40 my.local.ip. TCP_MISS/200 362 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.238     46 my.local.ip. TCP_MISS/200 346 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.247     42 my.local.ip. TCP_MISS/200 378 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)
1246287244.273     43 my.local.ip. TCP_MISS/200 330 POST http://cffs05.astaro.com/acf2 - DEFAULT_PARENT/firewall.of.provider - (ICAP: FILTERED)

...so can anybody tell me where these connections come from? [:S]

This thread was automatically locked due to age.

0 BrucekConvergent over 16 years ago

Those look like the category requests that your Astaro's content filtering sends to Astaro's Content filter DBs... your ISP should not be blocking those requests.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 Weissnix_01 over 16 years ago in reply to BrucekConvergent

T... your ISP should not be blocking those requests...

Thanks for the answer, but i can´t tell them what they have to do or not... [:@]

But...for some reason i do have a second connection to the Internet, so is there a chance to tell those DB Requests to use the other line instead? Do i have to set up a DNAT-Rule or something equal?
Cancel
Vote Up 0 Vote Down

Cancel
0 Weissnix_01 over 16 years ago

Ok, i got some information:
For every request to a URL a second request to cffs**.astaro.com will be made to check the filter. So this doubles the connections. Bad thing if if you do NAT in combination with a parent proxy because it looks like thousends of packets come from one host...looks like a DOS-Attack.

Now i got the following information from my provider:
It will work to split the traffic. I have to redirect the *normal* HTTP-Requests to one Parent Proxy and the other (cffs**.astaro.com) to another Parent.

Now my question - where can i setup a rule to tell my ASG to use a different proxy for these requests?

I tried a Full NAT-Rule, but that doesnt work...
Cancel
Vote Up 0 Vote Down

Cancel