Any known problems with AVG firewall?

Posted: Thu Jun 01, 2006 11:45 am
by Tim
I can share and access SW devices with AVG firewall OK

But I cannot use SP to access any remote devices.
I always get 'Semaphore timeout expired'.

Everything works fine with ZoneAlarm.

Re: Any known problems with AVG firewall?

Posted: Thu Jun 01, 2006 2:38 pm
by anton (staff)
Check whether you have the iSCSI ports in the non-blocked list.
Tim wrote:I can share and access SW devices with AVG firewall OK

But I cannot use SP to access any remote devices.
I always get 'Semaphore timeout expired'.

Everything works fine with ZoneAlarm.

Posted: Thu Jun 01, 2006 4:50 pm
by Tim
I have tried all sorts of configurations to try and get this working.
Service ports, program access rights and all that stuff.

The only thing that works is de-activating the firewall completely!
Looks like some kinda incompatibility problem (or stupid user).

I am using a 30-day trial of the AVG 7.1 Network edition (with firewall).

AVG first level help are not sure what iSCSI is so I have been passed on to the next level of support. I await their reply.

[edit] the log shows lots of packets blocked for port 1900. Is that SW/SP stuff or something unrelated?[/edit]

Posted: Thu Jun 01, 2006 10:05 pm
by Val (staff)
Tim wrote: the log shows lots of packets blocked for port 1900. Is that SW/SP stuff or something unrelated?
Tim,
iSCSI uses TCP/IP port 3260 for listening to data connections.
So your server machine must allow the port for incoming connections (for StarWindService.exe), while the initiator must allow outgoing connections to port 3260 from the System process.
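
A quick way to tell which side is dropping the traffic, as an added example that is not part of the thread or of any StarWind tooling: a TCP connect probe for port 3260, run from the initiator machine. The function names and the loopback self-check are assumptions made for illustration.

```python
import errno
import socket
import sys

ISCSI_PORT = 3260  # iSCSI target port named in the thread


def probe_tcp(host, port=ISCSI_PORT, timeout=3.0):
    """Try one TCP connect; return 'open', 'refused', 'filtered' or 'error:<name>'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"   # no SYN-ACK and no RST before the timeout
    except ConnectionRefusedError:
        return "refused"    # host answered with RST: nothing listening
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


HINTS = {
    "open": "port reachable; this connection was allowed end to end",
    "refused": "host reachable but nothing listens there; check the target service",
    "filtered": "no reply; a firewall is probably dropping packets, check the "
                "initiator's outbound rule and the target's inbound rule",
}


def explain(result):
    return HINTS.get(result, "local stack rejected the connect: " + result)


def self_check():
    """Constructed loopback demo: probe a live listener, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    live = probe_tcp("127.0.0.1", port, 1.0)
    listener.close()
    return live, probe_tcp("127.0.0.1", port, 1.0)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe_tcp(host)
    print(f"{host}:{ISCSI_PORT} -> {result}: {explain(result)}")
```

The probe connects from its own process, so a firewall with per-program rules may treat it differently from the System process that carries the initiator's traffic; it tests the port rule, not the program rule.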

Posted: Thu Jun 15, 2006 11:42 am
by Tim
I got it fixed.

I had to create an "outbound" service rule to remote port 3260.

Appears the AVG firewall has some 'usability' problems or it could be user ID-10-T error.

Posted: Thu Jun 15, 2006 11:58 am
by anton (staff)
Excellent! Thanks a lot for sharing with us and our customers.

Software (and hardware) compatibility issues are the most painful ones...

Thanks again!
Tim wrote:I got it fixed.

I had to create an "outbound" service rule to remote port 3260.

Appears the AVG firewall has some 'usability' problems or it could be user ID-10-T error.

Posted: Thu Jun 15, 2006 12:17 pm
by Tim
anton wrote: Excellent! Thanks a lot for sharing with us and our customers.
No problem. Got to do something to earn my complimentary licenses :shock:

Just some background about this that may be helpful.

I have been looking to get rid of Zonealarm for a while now.
The reason being the high CPU usage under high network throughput.

Inbound iSCSI traffic was making ZA spike to 40% CPU. That's approx. 1% for every 1MB/s throughput (40% at 40MB/s incoming).
I did not like that much, dunno why it was doing that.
Tried different ways of setting the firewall rules without any success.

The AVG firewall service (avgfwsrv.exe) does not appear to clock any CPU under the same conditions.
So now ZA is gone and AVG FW is in.

Posted: Thu Jun 15, 2006 9:21 pm
by anton (staff)
Actually I'm still not sure all these technologies mix well. I would prefer to keep iSCSI traffic away from the DMZ and use it only in a private LAN segment with an EXTERNAL firewall.
Tim wrote:
anton wrote: Excellent! Thanks a lot for sharing with us and our customers.
No problem. Got to do something to earn my complimentary licenses :shock:

Just some background about this that may be helpful.

I have been looking to get rid of Zonealarm for a while now.
The reason being the high CPU usage under high network throughput.

Inbound iSCSI traffic was making ZA spike to 40% CPU. That's approx. 1% for every 1MB/s throughput (40% at 40MB/s incoming).
I did not like that much, dunno why it was doing that.
Tried different ways of setting the firewall rules without any success.

The AVG firewall service (avgfwsrv.exe) does not appear to clock any CPU under the same conditions.
So now ZA is gone and AVG FW is in.

Posted: Thu Jun 15, 2006 9:40 pm
by Tim
anton wrote: Actually I'm still not sure all these technologies mix well. I would prefer to keep iSCSI traffic away from the DMZ and use it only in a private LAN segment with an EXTERNAL firewall.
My network is behind a router. iSCSI only goes over local LAN through gigabit switch.

I use software firewall as an extra security precaution (with anti-virus of course) because my family use some of the machines.

I like to control what tries to go outbound.

Posted: Thu Jun 15, 2006 9:45 pm
by anton (staff)
I'd suggest a virtual environment in such a case. Something you cannot ruin (or can ruin and quickly restore). Like VMware with roll-backs.
Tim wrote:
anton wrote: Actually I'm still not sure all these technologies mix well. I would prefer to keep iSCSI traffic away from the DMZ and use it only in a private LAN segment with an EXTERNAL firewall.
My network is behind a router. iSCSI only goes over local LAN through gigabit switch.

I use software firewall as an extra security precaution (with anti-virus of course) because my family use some of the machines.

I like to control what tries to go outbound.