Any known problems with AVG firewall?

Tim
Posts: 93
Joined: Mon Jul 18, 2005 7:27 pm

Thu Jun 01, 2006 11:45 am

I can share and access SW devices with AVG firewall OK

But I cannot use SP to access any remote devices.
I always get 'Semaphore timeout expired'.

Everything works fine with ZoneAlarm.
anton (staff)
Site Admin
Posts: 4008
Joined: Fri Jun 18, 2004 12:03 am
Location: British Virgin Islands

Thu Jun 01, 2006 2:38 pm

Check whether you have the iSCSI ports in the non-blocked list.
Tim wrote:I can share and access SW devices with AVG firewall OK

But I cannot use SP to access any remote devices.
I always get 'Semaphore timeout expired'.

Everything works fine with ZoneAlarm.
Regards,
Anton Kolomyeytsev

Chief Technology Officer & Chief Architect, StarWind Software

Tim
Posts: 93
Joined: Mon Jul 18, 2005 7:27 pm

Thu Jun 01, 2006 4:50 pm

I have tried all sorts of configurations to try and get this working.
Service ports, program access rights and all that stuff.

The only thing that works is de-activating the firewall completely!
Looks like some kinda incompatibility problem (or stupid user).

I am using a 30-day trial of the AVG 7.1 Network edition (with firewall).

AVG first level help are not sure what iSCSI is so I have been passed on to the next level of support. I await their reply.

[edit] the log shows lots of packets blocked for port 1900. Is that SW/SP stuff or something unrelated?[/edit]
Val (staff)
Posts: 496
Joined: Tue Jun 29, 2004 8:38 pm

Thu Jun 01, 2006 10:05 pm

Tim wrote: the log shows lots of packets blocked for port 1900. Is that SW/SP stuff or something unrelated?
Tim,
iSCSI uses TCP/IP port 3260 for listening to data connections.
So your server machine must allow the port for incoming connections (for StarWindService.exe), while the initiator must allow outgoing connections to port 3260 from the System process.
Best regards,
Valeriy
Tim
Posts: 93
Joined: Mon Jul 18, 2005 7:27 pm

Thu Jun 15, 2006 11:42 am

I got it fixed.

I had to create an "outbound" service rule to remote port 3260.

Appears the AVG firewall has some 'usability' problems or it could be user ID-10-T error.
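
An added example (not part of the thread, and not StarWind or AVG code): a small Python probe that separates a silently dropped connection to TCP port 3260 from a closed or reachable one, which is the difference between a missing firewall rule and a target service that is not running. The names `probe_tcp`, `HINTS` and `loopback_demo` are made up for this example, and the loopback listener is a constructed stand-in for a target.

```python
import socket
import sys

ISCSI_PORT = 3260  # iSCSI target port named in the thread

# What each outcome usually means for an initiator that cannot reach a target.
HINTS = {
    "open": "handshake completed: outbound and inbound rules both pass the port",
    "refused": "reset received: packets get through, usually nothing is listening",
    "timeout": "no answer: usually a firewall silently dropping the SYN or the reply",
    "error": "local network error (no route, name lookup failure, ...)",
}


def probe_tcp(host, port=ISCSI_PORT, timeout=3.0):
    """Classify one TCP connect attempt as open / refused / timeout / error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def loopback_demo():
    """Constructed sample: probe a local listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    closed = probe_tcp("127.0.0.1", port, timeout=2.0)
    return listening, closed


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: probe.py <target-host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else ISCSI_PORT
        state = probe_tcp(sys.argv[1], port)
        print(f"{sys.argv[1]}:{port} -> {state}: {HINTS[state]}")
    else:
        print(loopback_demo())
```

Run from the initiator machine against the target host, a `timeout` result with the firewall on and `open` with it off points at the outbound rule for remote port 3260.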
anton (staff)
Site Admin
Posts: 4008
Joined: Fri Jun 18, 2004 12:03 am
Location: British Virgin Islands

Thu Jun 15, 2006 11:58 am

Excellent! Thanks a lot for sharing with us and our customers.

Software (and hardware) compatibility issues are the most painful ones...

Thanks again!
Tim wrote:I got it fixed.

I had to create an "outbound" service rule to remote port 3260.

Appears the AVG firewall has some 'usability' problems or it could be user ID-10-T error.
Regards,
Anton Kolomyeytsev

Chief Technology Officer & Chief Architect, StarWind Software

Tim
Posts: 93
Joined: Mon Jul 18, 2005 7:27 pm

Thu Jun 15, 2006 12:17 pm

Excellent! Thanks a lot for sharing with us and our customers.
No problem. Got to do something to earn my complimentary licenses :shock:

Just some background about this that may be helpful.

I have been looking to get rid of Zonealarm for a while now.
The reason being the high CPU usage under high network throughput.

Inbound iSCSI traffic was making ZA spike to 40% CPU. That's approx. 1% for every 1MB/s throughput (40% at 40MB/s incoming).
I did not like that much, dunno why it was doing that.
Tried different ways of setting the firewall rules without any success.

The AVG firewall service (avgfwsrv.exe) does not appear to clock any CPU under the same conditions.
So now ZA is gone and AVG FW is in.
anton (staff)
Site Admin
Posts: 4008
Joined: Fri Jun 18, 2004 12:03 am
Location: British Virgin Islands

Thu Jun 15, 2006 9:21 pm

Actually I'm still not sure all these technologies mix well. I would prefer to keep iSCSI traffic away from the DMZ and use it only in a private LAN segment with an EXTERNAL firewall.
Tim wrote:
Excellent! Thanks a lot for sharing with us and our customers.
No problem. Got to do something to earn my complimentary licenses :shock:

Just some background about this that may be helpful.

I have been looking to get rid of Zonealarm for a while now.
The reason being the high CPU usage under high network throughput.

Inbound iSCSI traffic was making ZA spike to 40% CPU. That's approx. 1% for every 1MB/s throughput (40% at 40MB/s incoming).
I did not like that much, dunno why it was doing that.
Tried different ways of setting the firewall rules without any success.

The AVG firewall service (avgfwsrv.exe) does not appear to clock any CPU under the same conditions.
So now ZA is gone and AVG FW is in.
Regards,
Anton Kolomyeytsev

Chief Technology Officer & Chief Architect, StarWind Software

Tim
Posts: 93
Joined: Mon Jul 18, 2005 7:27 pm

Thu Jun 15, 2006 9:40 pm

Actually I'm still not sure all these technologies mix well. I would prefer to keep iSCSI traffic away from the DMZ and use it only in a private LAN segment with an EXTERNAL firewall.
My network is behind a router. iSCSI only goes over local LAN through gigabit switch.

I use software firewall as an extra security precaution (with anti-virus of course) because my family use some of the machines.

I like to control what tries to go outbound.
anton (staff)
Site Admin
Posts: 4008
Joined: Fri Jun 18, 2004 12:03 am
Location: British Virgin Islands

Thu Jun 15, 2006 9:45 pm

I'd suggest a virtual environment in such a case. Something you cannot ruin (or can ruin and quickly restore). Like VMware with roll-backs.
Tim wrote:
Actually I'm still not sure all these technologies mix well. I would prefer to keep iSCSI traffic away from the DMZ and use it only in a private LAN segment with an EXTERNAL firewall.
My network is behind a router. iSCSI only goes over local LAN through gigabit switch.

I use software firewall as an extra security precaution (with anti-virus of course) because my family use some of the machines.

I like to control what tries to go outbound.
Regards,
Anton Kolomyeytsev

Chief Technology Officer & Chief Architect, StarWind Software
