Endpoint protection causing timeouts on ping and traceroute commands

Article ID: 270460

Updated On:

Products

Endpoint Protection

Issue/Introduction

After upgrading the Symantec Endpoint Protection (SEP) agent from 14.3.5413.3000 to 14.3.9210.6000, the ping and traceroute commands time out.

When the timeout value is increased to 15 seconds, ping and traceroute succeed, but they take far too long.

After running a clean wipe and removing SEP, ping and traceroute return to normal. After installing 14.3 RU6 again, the issue reappears.

If the Reverse DNS option is disabled (under "Protection and Stealth" in the firewall policy), the issue is not observed.

With SEP 14.3 RU6 installed:

C:\Users\XYZ>ping x.x.x.x -w 15000
Pinging x.x.x.x with 32 bytes of data:
Reply from x.x.x.x: bytes=32 time=9376ms TTL=122
Reply from x.x.x.x: bytes=32 time=12178ms TTL=122
Reply from x.x.x.x: bytes=32 time=12283ms TTL=122
Reply from x.x.x.x: bytes=32 time=12058ms TTL=122

After uninstalling SEP:

Pinging x.x.x.x with 32 bytes of data:
Reply from x.x.x.x: bytes=32 time=74ms TTL=122
Reply from x.x.x.x: bytes=32 time=28ms TTL=122
Reply from x.x.x.x: bytes=32 time=29ms TTL=122
Reply from x.x.x.x: bytes=32 time=28ms TTL=122

Cause

The DNS response packets received from the remote DNS server end at the query (question) section and carry no additional bytes after it. Consequently, the SEP firewall incorrectly treats these DNS response packets as invalid.
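
The following Python sketch is an added example, not Broadcom's code and not the SEP firewall's logic. It parses the header and question section of a DNS response and reports whether the message ends exactly there with all record counts at zero, which distinguishes the packets described above from a truncated message. The function names and the sample PTR response for the documentation address 192.0.2.1 are constructed for illustration.

```python
import struct

def build_question_only_response(qname, qtype=12, rcode=3, txid=0x1234):
    """Constructed sample: a DNS response that stops after the question section."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1 plus RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QD=1, AN=NS=AR=0
    name = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                         # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:               # compression pointer (2 bytes) ends it
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length

def classify_response(msg):
    """Parse header and question section; report whether the message ends there."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE and QCLASS follow the name
        if off > len(msg):
            raise ValueError("question section is truncated")
    records = an + ns + ar
    return {
        "rcode": flags & 0x000F,
        "records": records,
        "ends_at_question": off == len(msg),
        # Complete and self-consistent: no records announced, none present.
        "valid_question_only": records == 0 and off == len(msg),
    }

if __name__ == "__main__":
    # Constructed PTR lookup for the documentation address 192.0.2.1.
    sample = build_question_only_response("1.2.0.192.in-addr.arpa")
    print(len(sample), classify_response(sample))
```

Feeding the UDP payload of a captured DNS response to classify_response shows whether a slow reverse lookup matches the pattern described in this article.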

Resolution

Please contact support for Workaround/Fix information.
This issue is fixed in 14.3 RU9.