SSL VPN
Reply
Contributor
rswinter
Posts: 102
Registered: ‎02-09-2010
0

Host Checker Lag?

Hi All, 

 

I've had a few users complain that they are being denied access due to host checker right after their Virus is updated and was wondering if this is a common problem.

 

Now, I could be wrong, but It appears that they are getting a pattern file update before the Juniper does, so it denies them since it doesn't think they are running the proper file.  In all instances the remote user was able to log in from 10-20 minutes later with no problem.

 

I have the SA set to check for updates every 30 minutes and to allow a pattern file 10 revisions behind.   Do I need to cut that time down to 5 or 10 minutes?

 

Thanks.

 

-Stephen

Moderator Moderator
Moderator
AJA
Posts: 130
Registered: ‎05-07-2010
0

Re: Host Checker Lag?

Stephen,

 

We need to ensure that this is indeed the host checker issue.

 

1) What is the error message the user see on the browser, when the host check fails?

2) Check the host check client side logs (debuglog.log) file and check if host check is failing?

3) You could also start a policy trace on the SA GUI and ask the user to login. Policy trace should tell you if the host check failed.

4) If it is indeed the host check, then we need to check for the configuration on the SA and the AV application installed on the
   computer.

5) If the requirements on the SA is not met by the AV, then it is bound to fail.

 

 

In anycase - it would be better if you could attach a snippet of the policy trace and the host check client side logs.

 

Meanwhile, I strongly suggest you to open a ticket with the JTAC to get a faster help in this area as they would be able to better able to help you on a secure meeting.

 

Hope the above helps.

Moderator Moderator
Moderator
ruc
Posts: 226
Registered: ‎11-06-2007
0

Re: Host Checker Lag?

I doubt that is the case as HC should allow any client with newer definitions than its own (it only blocks clients with older def versions).

 

Do you have a cluster? And does the issue start immediately after a virus definition download by one of the SA nodes and goes away after the subsequent virus definition  download?

 

Contributor
rswinter
Posts: 102
Registered: ‎02-09-2010
0

Re: Host Checker Lag?

AJA/ruc, 

 

Thanks for the replies.  I'll try and get some more information the next time we get a call.   Our HelpDesk usually goes through the process of removing andf re-installing all the Juniper exe's, so we don't usually hear about it until after the fact.

 

As long as the SA allows all "newer" dat files that what it knows about, that makes that a non-issue.

 

Thanks.

 

-S

Contributor
Lord_Edam
Posts: 26
Registered: ‎11-09-2009
0

Re: Host Checker Lag?


ruc wrote:

I doubt that is the case as HC should allow any client with newer definitions than its own (it only blocks clients with older def versions).

 


 

I've had experience of this myself when I was only doing 4 hour updates of the juniper AV signature list.

If yor numbers are AHEAD of the ones your appliance last downloaded you get the "unsupported product" error message. If your numbers are BEHIND the list, you get the "out of date" error message.

 

Also, some AV products can take a while to apply updates so during the update phase HostChecker may give random errors (eg "real time protection is not enabled). You won't always be able to tell when an AV is updating itself.

Moderator
zanyterp
Posts: 2,300
Registered: ‎11-19-2007
0

Re: Host Checker Lag?


ruc wrote:

I doubt that is the case as HC should allow any client with newer definitions than its own (it only blocks clients with older def versions).

 

Do you have a cluster? And does the issue start immediately after a virus definition download by one of the SA nodes and goes away after the subsequent virus definition  download?

 


The initial report was for when the client has newer versions of the definition files; it is resolved at the next definition update on the IVE. We have received reports of this in JTAC but have not been able to replicate ourselves for investigation to confirm which behavior is correct.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.