
ATP 3.1 scanner does not appear to relay all RADIUS requests from LAN to WAN


Article ID: 172982


Updated On:


Endpoint Detection and Response, Advanced Threat Protection Platform


Packet captures appear to show that Advanced Threat Protection (ATP) Platform fails to relay all RADIUS requests received on the LAN interface to the WAN interface. Adding the IP address of the RADIUS server as an IP-based whitelist entry in the ATP UI does not appear to permit the RADIUS authentication to occur in the guest Wi-Fi network.


When one or more packets received by the LAN interface of ATP exceed the MTU of 1500 and carry a VLAN tag, ATP defragments them to build and inspect a complete packet. To retransmit the packet on the WAN interface, ATP re-fragments it but fails to re-add the VLAN header.
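To confirm this cause from captures taken on both sides of the scanner, the following added example (not Symantec code) reports fragmented IPv4 datagrams that carry an 802.1Q tag in the LAN-side capture but arrive untagged in the WAN-side capture. The frames, addresses, VLAN ID and function names are constructed for illustration; it assumes raw Ethernet frames have already been extracted from each capture.

```python
import struct

def parse_frame(frame: bytes):
    """Return (vlan_id or None, datagram key, is_fragment) for an IPv4 frame, else None."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == 0x8100:                       # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ip = frame[off:off + 20]
    ip_id, flags_frag = struct.unpack("!HH", ip[4:8])
    # A fragment has the More Fragments bit set or a non-zero fragment offset.
    is_fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) > 0
    return vlan, (ip[12:16], ip[16:20], ip[9], ip_id), is_fragment

def vlan_tag_lost(lan_frames, wan_frames):
    """Keys of fragmented datagrams tagged in the LAN capture but untagged in the WAN capture."""
    tagged = set()
    for parsed in map(parse_frame, lan_frames):
        if parsed and parsed[2] and parsed[0] is not None:
            tagged.add(parsed[1])
    lost = set()
    for parsed in map(parse_frame, wan_frames):
        if parsed and parsed[2] and parsed[0] is None and parsed[1] in tagged:
            lost.add(parsed[1])
    return lost

def build_frame(vlan, ip_id, more, frag_off):
    """Constructed sample: Ethernet [+ 802.1Q] + IPv4/UDP header, payload omitted."""
    src, dst = bytes([10, 0, 0, 5]), bytes([10, 0, 1, 9])   # made-up addresses
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    flags = (0x2000 if more else 0) | frag_off
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, flags, 64, 17, 0, src, dst)
    return b"\x02" * 6 + b"\x04" * 6 + tag + struct.pack("!H", 0x0800) + ip

# Constructed captures: one datagram in two fragments on VLAN 20, plus one unfragmented packet.
LAN = [build_frame(20, 0x1A2B, True, 0), build_frame(20, 0x1A2B, False, 185),
       build_frame(20, 0x1A2C, False, 0)]
WAN_BUGGY = [build_frame(None, 0x1A2B, True, 0), build_frame(None, 0x1A2B, False, 185),
             build_frame(20, 0x1A2C, False, 0)]

if __name__ == "__main__":
    for src, dst, proto, ip_id in vlan_tag_lost(LAN, WAN_BUGGY):
        print(f"IP ID {ip_id:#06x}: fragments lost their VLAN tag between LAN and WAN")
```

Datagrams are matched on source, destination, protocol and IP ID, which stay the same when a packet is reassembled and fragmented again.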


  • ATP network scanner is INLINE and scanning is enabled.
  • A RADIUS authentication server is on the network connected to the LAN port of the ATP network scanner.
  • A RADIUS authentication client is on the network connected to the WAN port of the ATP network scanner.
  • VLAN tagging is used.
  • The packets from the RADIUS server are marked with a VLAN ID.


Symantec is committed to repairing this in a future build.


To work around this issue, please do one of the following:

  • Disable scanning at the ATP scanner via Settings > Appliances > (scanner property sheet).
  • Create a technical support case for assistance with applying a hotfix to each ATP scanner where this issue occurs.


Readme.txt