[Oisf-users] Trouble with Suricata and SSL VPN

Leonard Jacobs ljacobs at netsecuris.com
Fri May 3 04:09:08 UTC 2013


Would it be the flow timeout for established that could be causing the problem? We think the keep alive is set to 900 seconds and the flow timeout is 3600 seconds. Why would we not want to lower the flow timeout to match the keep alive set at 900?

-----Original Message-----
From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Wednesday, May 01, 2013 3:01 AM
To: oisf-users at openinfosecfoundation.org
Subject: Re: [Oisf-users] Trouble with Suricata and SSL VPN

On 04/30/2013 02:05 PM, Leonard Jacobs wrote:
> Yes. It appears that the problem only occurs with SonicWALL Aventail SSL VPN. It is reported that connecting to it is slow and it disconnects as if a timeout occurs. We have increased the number of af-packet threads to 6 from 4 that was set yesterday and we changed the cpu cores setting in suricata.yaml from the default of 1.5 to 2. We are running an i7 processor which has 4 cores and 8 threads.

Does the disconnect interval relate to any of the flow-timeout values in your yaml? If so you can try increasing those, or forcing a keep-alive mechanism in the vpn to stay within the timeout values.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml#Flow-Time-Outs

Cheers,
Victor

> -----Original Message-----
> From: Peter Manev [mailto:petermanev at gmail.com]
> Sent: Tuesday, April 30, 2013 2:08 AM
> To: Leonard Jacobs
> Cc: oisf-users
> Subject: Re: [Oisf-users] Trouble with Suricata and SSL VPN
> 
> On Mon, Apr 29, 2013 at 6:02 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
>> We are having a network latency problem using af-packet IPS mode when 
>> accessing SSL VPN to the point that SSL VPN disconnects.  What could 
>> be causing this problem?
>>
>> We are using 4 threads with af-packet.  We are seeing the connection 
>> in http.log file.
>>
>> Leonard
>>
>>
> Hi Leonard,
> 
> Do you experience that (in this setup) only with SSL VPN?
> 
> thanks
> 
> --
> Regards,
> Peter Manev
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
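
The comparison between the flow-timeout values and the VPN keep-alive discussed in this thread, as an added example that is not part of the original messages: it reads the `flow-timeouts` block of a suricata.yaml and lists the established-state timeouts that would expire before a 900-second keep-alive arrives. The sample config is constructed; apart from the 3600-second tcp `established` value quoted in the thread, its values and the helper names are assumptions.

```python
# Constructed sample of the flow-timeouts section of a suricata.yaml.
# Only tcp "established: 3600" comes from the thread; the rest is assumed.
SAMPLE_YAML = """\
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
  tcp:
    new: 60
    established: 3600
    closed: 120
    emergency-new: 10
    emergency-established: 300
    emergency-closed: 20
"""

def parse_flow_timeouts(text):
    """Parse the two-level flow-timeouts block into {proto: {state: seconds}}."""
    timeouts, proto, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:                           # a new top-level section
            in_block = key == "flow-timeouts"
        elif in_block and not value.strip():      # protocol header, e.g. "tcp:"
            proto = key
            timeouts[proto] = {}
        elif in_block and proto is not None:      # "state: seconds"
            timeouts[proto][key] = int(value)
    return timeouts

def states_shorter_than(timeouts, proto, idle_seconds):
    """Established-state timeouts that expire within idle_seconds of silence."""
    return sorted(s for s, t in timeouts[proto].items()
                  if "established" in s and t <= idle_seconds)

if __name__ == "__main__":
    cfg = parse_flow_timeouts(SAMPLE_YAML)
    keepalive = 900  # seconds, the keep-alive interval quoted in the thread
    print("tcp timeouts at or below keep-alive:", states_shorter_than(cfg, "tcp", keepalive))
```

With these sample values the tcp `established` timeout outlasts the keep-alive, and only `emergency-established`, which applies when the flow engine is in emergency mode, is shorter.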
