Endpoint Protection

I was having a problem a few months back with my wireless clients constantly getting kicked off of their wireless connection.  Eventually I tracked the issue down to a *wired* client running SEP 11.0.4202.75, specifically the firewall (using the default firewall rules).  If I unplugged that wired client, everything was fine, so I tried disabling the SEP firewall service and that solved the problem.  No more "wireless restarts".

After posting my solution to the D-Link forum, others who were having the same problem confirmed that in most of their cases, they also had a wired SEP client with firewall enabled, and disabling the firewall fixed the issue.

One poster mentioned that he disabled the default "block IPV6" rule which seems to have helped... he noticed there was always a flood of logs regarding blocked IPV6 traffic about the same time as the wifi router restarted it's wireless.

Here are some additional details:
- Only wired SEP firewall clients cause the wifi router to do a "wireless restart", every 2-5 minutes
- wifi clients with SEP firewall don't cause it
- disabling SEP's firewall fixes it... no more wireless restarts
- The specific D-Link model most people have is a DIR-655 802.11n, but other models seem to have the same problem, varying firmware versions
- People reporting the issue have varying versions of SEP 11, but it sounded like they're mostly MR2-MR4
- Disabling the default "block IPV6" rule on SEP firewall is reported to help (I haven't tried it myself)

It's very repeatable, so I'm hoping someone might have a solution, or at least a reason/explanation, why a "block IPv6" rule (or whatever else) might cause the D-Link router to restart it's wireless.  Note that it's not restarting the entire router, it just restarts it's wifi services which boots off any connected wifi clients.  It's almost like it detects some perceived attack, DoS, or fault of some kind on the wired side, and it's weird response is to reset wifi clients.

The fault is probably some shared combo of SEP's firewall sending out some strange traffic, and D-Link responding to that in an unusual way... one or the other should be able to fix it, but at this point my curiousity wants to know what exactly is going on.

Any thoughts?

I searched the web and I am finding many reports of spontaneous wireless reboots with D- Link Wireless routers. Seems like a common issue with many different models, and I'm not sure AV/firewalls are always the culprit. Definitely upgrade to the latest firmware. If you have time try disabling the "Block IPV6" rule and let us know the results.

Thanks for the good info,

Thomas

Possibly unrelated, but the block IPv6 rule also blocks GHOST CAST SERVER. We run the server from a notebook and can't ghost or reimage a computer until that rule is killed on the ghost server.
I see a ton of false alerts on this rule daily - it seems that SEP believes a lot of traffic is IPv6 related when we don't use it here, and it's usually an XP workstation to or from Server2003 relationship that triggers the alert and log entries.
My guess is there's a problem with this rule - it's being seen where it doesn't exist.
For us - it's blocking ghost cast server,
It's causing hourly or more frequent alerts in the logs and firewall alert messages (attack messages) about terado/IPv6 when we don't run nor do we have it enabled. All addresses related to the alert are internal - not external facing.

I suggest that there is a problem with this rule or the firewall.
Ghostcast server is not using IPv6
We don't use nor do we have it enabled yet it triggers dozens if not hundreds of alerts every day on INTERNAL networks.
I'm not so sure it's not responsible for some other "wierd" connectivity issues here..............
I think I, too, will simply disable it since I've yet to see, in a full year, a single LEGIT alert to do with IPv6 here. so it's a rule that's served no purpose, but does block legit activity and fill the logs.

Aaron - I agree - it percieves some attack that simply isn't there.................

Hi Aaron, are you still seeing issues with the FW and D-Link AP? Give us an update when you have a moment.

Thanks,
Thomas

Did you find a fix with this Prob i have tried everything with no luck, realy considering not using symantec anymore...

@ VMAS, Have you tried creating an "Allow All" rule in your Firewall policy and test? Place the rule at the top of the policy and see if the issue goes away. Then start moving the rule down the list until the issue reappears.

Thomas

i have disabled the firewall completely but still gets the error.

What is the exact error that you are seeing (please provide a screenshot if possible)? What version of SEP are you running? What is the model number and version of the wireless router?

Thanks,
Thomas

@ VMAS,

Lets move the conversation to the new thread you started.

https://www-secure.symantec.com/connect/forums/sep-and-dlink-dir-855-wireless-restart

ok thx.