Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] HTTP connection delayed due to EWF TSC connection timeout

0

0

Article ID: KB32947 KB Last Updated: 09 Aug 2018Version: 1.0
Summary:

If the UTM server is not reachable as shown below, the HTTP connection may be delayed and result in slow HTTP traffic.

root@SRX-240-3# run show security utm web-filtering status
UTM web-filtering status:
    Server status: Juniper Enhanced using Websense server DOWN
Cause:

In the following traffic log, the traffic is finally permitted due to 'BY_FALLBACK_TIMEOUT':

Jul  3 07:03:38  SRX-240-3 RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 1.1.1.2(38099)->151.101.72.222(443) CATEGORY="Enhanced_Web_Analytics" REASON=""BY_FALLBACK_TIMEOUT" PROFILE="ewf-http" URL=xxx.xxxx.xxx.com OBJ=/ username N/A roles N/A

If the TSC does not respond in time to the categorization request from the device, the original client request is blocked or permitted according to the timeout fallback setting (default action is log and permit).  If the traffic is permitted due to 'FALLBACK_TIMEOUT', the traffic will not be passed until the timeout is reached, which will be slow.

Solution:

Workaround:

  1. Disable EWF
    Deactivate security utmfeature-profile web-filtering type

  2. Decrease EWF Timeout value
    set security utm feature-profile web-filtering juniper-enhanced profile ewf-http timeout 1
 

Solution:

Collect RSI/VAR Log and do packet capture, utm traceoption, web-filtering traceoption, etc. to find out why the EWF TSC server is down and make it up.

Traceoption:

Pakect capture:

Useful commands:

  • Show host rp.cloud.threatseeker.com
  • Traceroute rp.cloud.threatseeker.com
  • Show security flow session destination-prefix <TSC-IP-address>
  • Configflow traceoptionwith both IP address as filters
  • PCAP packet destined to rp.cloud.threatseeker.com

Please contact JTAC for further troubleshooting.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search