ATP 3.1 scanner does not appear to relay all RADIUS requests from LAN to WAN

Article ID: 172982

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

Packet captures appear to show that the Advanced Threat Protection (ATP) Platform fails to relay all RADIUS requests received on the LAN interface to the WAN interface. Adding the IP address of the RADIUS server as an IP-based whitelist entry in the ATP UI does not appear to permit RADIUS authentication to occur in the guest Wi-Fi network.

Cause

When one or more packets received by the LAN interface of ATP exceed the MTU of 1500 and carry a VLAN tag, ATP defragments them to build and inspect a complete packet. To retransmit the packet to the WAN interface, ATP re-fragments it but fails to re-add the VLAN header.
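
A check for the symptom described above, as an added example (not Symantec code): it parses raw Ethernet frames from LAN-side and WAN-side captures and reports IPv4 fragments that carry no 802.1Q tag. The frames, VLAN ID 100 and addresses are constructed samples, and single 802.1Q tagging (TPID 0x8100) is assumed.

```python
import struct

TPID_8021Q = 0x8100      # single 802.1Q tag (assumption: no QinQ / 0x88a8)
ETHERTYPE_IPV4 = 0x0800

def classify_frame(frame: bytes):
    """Return (vlan_id or None, is_ipv4_fragment) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN ID
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return vlan_id, False
    flags_frag = struct.unpack("!H", frame[offset + 6:offset + 8])[0]
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    frag_offset = flags_frag & 0x1FFF            # in 8-byte units
    return vlan_id, more_fragments or frag_offset > 0

def untagged_fragments(frames):
    """Indexes of frames that are IPv4 fragments without an 802.1Q tag."""
    return [i for i, f in enumerate(frames) if classify_frame(f) == (None, True)]

def build_frame(vlan_id, more_fragments, frag_offset):
    """Constructed sample: Ethernet + optional 802.1Q tag + bare IPv4 header (UDP)."""
    macs = bytes.fromhex("020000000001020000000002")
    tag = struct.pack("!HH", TPID_8021Q, vlan_id) if vlan_id is not None else b""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_frag, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip

# Constructed captures: tagged fragments arrive on the LAN side,
# the same fragments leave the WAN side with the tag missing.
LAN_SIDE = [build_frame(100, True, 0), build_frame(100, False, 185)]
WAN_SIDE = [build_frame(None, True, 0), build_frame(None, False, 185)]

if __name__ == "__main__":
    print("LAN untagged fragments:", untagged_fragments(LAN_SIDE))
    print("WAN untagged fragments:", untagged_fragments(WAN_SIDE))
```

Untagged fragments on the WAN side that were tagged on the LAN side match the behaviour described in this article; untagged fragments on both sides point to a different cause.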

Environment

  • ATP network scanner is INLINE and scanning is enabled.
  • A RADIUS authentication server is on the network connected to the LAN port of the ATP network scanner
  • A RADIUS authentication client is on the network connected to the WAN port of the ATP network scanner
  • VLAN tagging is used
  • The packets from the RADIUS server are marked with a VLAN ID

Resolution

Symantec is committed to repairing this in a future build.

To work around this issue, please do one of the following:

  • Disable scanning at the ATP scanner via Settings > Appliances > (scanner property sheet).
  • Create a technical support case for assistance with applying a hotfix to each ATP scanner where this issue occurs.
     

Attachments

Readme.txt