
WSS agent 8.1.2 fails to connect with UDP after upgrading from WSS Agent 6.1.1


Article ID: 253370


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

A WSS Agent user upgrades to WSS Agent 8.1.2 (from WSS Agent 6.1.1) and cannot connect to WSS using UDP transport.

WSS Agent diagnostic logs report that the UDP connection failed due to timeout errors.

The local firewall allows UDP 443, so the traffic is not being blocked there.

Environment

WSS Agent 8.1.2.

Windows 10.

McAfee endpoint protection enabled.

Cause

McAfee endpoint protection is blocking UDP 443.

Not sure how the upgrade to 8.1.2 could have caused this (independent of setup).

Resolution

Whitelist WSS Agent UDP 443 traffic on McAfee.

Additional Information

From the logs, we could see that the UDP request was likely blocked:

[10-17-2022 14:47:32 (UTC+1:00)]: WSS Agent has closed the connection. A new connection attempt will be made.
[10-17-2022 14:47:32 (UTC+1:00)]: CTC Response: ACTIVE(POSTCHK)  egress:77.103.165.51  GGBDO-170.176.242.164  GGBDO-109.68.61.164 
[10-17-2022 14:47:33 (UTC+1:00)]: Attempting to connect to GGBDO via UDP
[10-17-2022 14:47:38 (UTC+1:00)]: UDP Connection failed (ec:26 - A timeout has occurred), will attempt TCP on the same DP
[10-17-2022 14:47:39 (UTC+1:00)]: Attempting to connect to GGBDO via TCP

The corresponding PCAP confirmed this: we see the UDP 443 probe and, 6 secs later, the TCP attempt due to the lack of feedback ...
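To check many endpoints for the same pattern, the added example below (not part of the original article and not vendor tooling) scans WSS Agent diagnostic log text for a UDP attempt that times out and is followed by a TCP fallback to the same DP. The line format is assumed from the five-line excerpt above; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Log excerpt copied from the article above.
SAMPLE_LOG = """\
[10-17-2022 14:47:32 (UTC+1:00)]: WSS Agent has closed the connection. A new connection attempt will be made.
[10-17-2022 14:47:32 (UTC+1:00)]: CTC Response: ACTIVE(POSTCHK)  egress:77.103.165.51  GGBDO-170.176.242.164  GGBDO-109.68.61.164
[10-17-2022 14:47:33 (UTC+1:00)]: Attempting to connect to GGBDO via UDP
[10-17-2022 14:47:38 (UTC+1:00)]: UDP Connection failed (ec:26 - A timeout has occurred), will attempt TCP on the same DP
[10-17-2022 14:47:39 (UTC+1:00)]: Attempting to connect to GGBDO via TCP
"""

# Assumed line shape: [MM-DD-YYYY HH:MM:SS (UTC+h:mm)]: message
LINE = re.compile(r"^\[(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \(UTC[^)]*\)\]: (.*)$")
ATTEMPT = re.compile(r"Attempting to connect to (\S+) via (UDP|TCP)")
UDP_FAIL = re.compile(r"UDP Connection failed \(ec:(\d+) - ([^)]*)\)")

def find_udp_fallbacks(text):
    """Return one dict per failed UDP attempt, noting any TCP fallback to the same DP."""
    events, pending = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the timestamped format
        # The UTC offset is ignored: only differences within one log are used.
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S")
        msg = m.group(2)
        if (a := ATTEMPT.search(msg)):
            dp, transport = a.groups()
            if transport == "UDP":
                pending = {"dp": dp, "udp_start": ts}
            elif events and events[-1]["dp"] == dp and not events[-1]["tcp_fallback"]:
                events[-1]["tcp_fallback"] = True
                events[-1]["secs_to_tcp"] = (ts - events[-1]["udp_start"]).total_seconds()
        elif (f := UDP_FAIL.search(msg)) and pending:
            events.append({**pending, "error_code": int(f.group(1)),
                           "reason": f.group(2),
                           "secs_to_fail": (ts - pending["udp_start"]).total_seconds(),
                           "tcp_fallback": False, "secs_to_tcp": None})
            pending = None
    return events

if __name__ == "__main__":
    for event in find_udp_fallbacks(SAMPLE_LOG):
        print(event)
```

On the excerpt it reports one event for GGBDO: error code 26 after 5 seconds, with the TCP attempt 6 seconds after the UDP attempt, which matches the PCAP timing.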

Looking at other security products on the host, we identified McAfee as a potential candidate and walked through the logs there to find the culprit at the exact time:
