shadowdh

he he! obviiously its the way I explain it. What I mean is that when the liveupdate has updated and you are in the 25 second et seq, then run liveupdate again , there should be no updates, and how long before LU says completed? In my case with no firewall its under 2 secs

Now that all my PCs are updated 10 16.5.135, I agree with cgoldman that the problem is in the router firewall.  The only way I can get updates is to disable SPI on my router firewall.  When I do that, all updates are quickly and successfully updated.

What follows is the alert I get when the firewall SPI is suspended.  SYN flood to host. coming from 96.17.110.160, 80 and the port in each PC with a DHCP varies, in this particular case it is 3873. 

I am sure there is a way to allow this traffic port address without suspending SPI, but I do not know how to to this.  This solution is consistent across 6 PC/laptops on the same network.

I'd appreciate any feedback on this info, as it seems to be the most precise identified so far.

Thanks to all who pointed me to the router.  BTW, this IP address is an akamai server.

Thanks a lot, disabling "SPI and Anti-DoS firewall protection" in my router fixes the problem. There are also some configuration options for the Stateful Packet Inspection, which you can turn on or off:   "Packet Fragmentation"  "TCP Connection"   "UDP Session"   "FTP Service"  "H.323 Service"  "TFTP  Service".

What is really wierd is that the definition updates seem to happen OK with SPI enabled.  I reach this conclusion by seeing the last definition update time change while the SPI is enabled.  The problem seems to come up pretty much consistently when I try to run live update manually.  This happens when the PC is off overnight and when it is first turned on, the little red problem indicater shows it needs to be fixed.  Then I run live update and it produces the error which is the title of this thread I started.

BTW, in 16.2 when I ran LU manually, I would get the message that there were no updates and my data was current, but the time of  definition updates did not change.  That pointed me to the fact that although the error in question did not occur in 16.2, NIS did not recognize the result of manual LU.  Therefore I upgraded to 16.5.135--that could not occur without the SPI being disabled.

Are there any firewall experts out there who can shed some light on this problem with the intrusion error I reported above?

Thanks.

yes pulse update are working with SPI/anti-dos, only liveupdate seems to be blocked.

OK>  Here is something to try that seems to solve the problem.  I've done research on it and it seems to have produced good results.

Go to your firewall parameters and find something called : Maximum incomplete TCP/UDP sessions number to same host:  By default this is set to 10 on most routers.  Raise it to 30 and see if you can successfully initiate manual LU with no errors.  If you can, then throttle it back to 20 and check again.  You can find the right value in this range by trial and error. Works for me.

Please, let's get some feedback on this possible solution in this thread.  Hopefully, we're closing in on this.

thorsten42

Welcome, and thanks for your confirmation. Could you please post the make and model of your router, and any version number.

It means that in your case "SPI and Anti-DoS firewall protection is causing the problem". However, each router may be different. DoS (denial of service) is a whole bunch of things and whilst your router may not specify the elements within anti-DoS others may. Alas in my hardware, I have only the option to enable or disable firewall, for example. I.e. no configuration whatsoever.

stephenb

I think I understand your point. Lets see. In Norton 360 v3, the problem is identical accept that no error is reported. So can you imagine the users out there being told by Norton that there is nothing wrong because all the defs etc are uptodate whereas the log.lue tells a different story. When the disabled the firewall they will magically start seeing downloads that were not presented seconds earlier.

I am driven to believe that the prolem may have occured in 16.2 and in fact in Norton 360 v2. Alas I dont have the time or inclination to go backwards and test. However, I did report issues like this last year but could not rally assistance in this forum or my direct contact, so I gave up.

Alas each day is a struggle to get this noticed where it should be. As you know I am suspecting a link with the proxy server problem i.e. http 1.1 vx 1.0. We may get to know in due course. Yes a firewall expert would help. Meanwhile I have contated by Manufacturer of the hardware for assistance but it may be difficult for me to get to the guys who know.