I cannot use Norton LiveUpdate when is activated squid proxy

laotse · Jun 30, 2009, 12:06 AM

Hello,
I'm using pfsense 1.2.2 with squid 2.6.21_10 in transparent mode. When I deactivate the proxy, Norton LiveUpdate connects to liveupdate.symantecliveupdate.com and downloads the updated files successfully.

This is the wireshark capture:

11 192.168.1.218 209.8.114.138 TCP 55785 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
12 209.8.114.138 192.168.1.218 TCP http > 55785 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
13 192.168.1.218 209.8.114.138 TCP 55785 > http [ACK] Seq=1 Ack=1 Win=64240 [TCP CHECKSUM INCORRECT] Len=0
14 192.168.1.218 209.8.114.138 HTTP GET /minitri.flg HTTP/1.1
15 209.8.114.138 192.168.1.218 TCP http > 55785 [ACK] Seq=1 Ack=273 Win=6432 Len=0
16 209.8.114.138 192.168.1.218 HTTP HTTP/1.1 200 OK (text/plain)
18 192.168.1.218 209.8.114.138 HTTP GET /norton$202009$20ips$20definitions_microdefsb.curdefs_symalllanguages_livetri.zip HTTP/1.1
19 192.168.1.218 209.8.114.138 TCP 55786 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
20 192.168.1.218 209.8.114.138 TCP 55787 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
21 192.168.1.218 209.8.114.138 TCP 55788 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
22 192.168.1.218 209.8.114.138 TCP 55789 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
23 192.168.1.218 209.8.114.138 TCP 55790 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
24 192.168.1.218 209.8.114.138 TCP 55791 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
25 192.168.1.218 209.8.114.138 TCP 55792 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
26 192.168.1.218 209.8.114.138 TCP 55793 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
27 192.168.1.218 209.8.114.138 TCP 55794 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
28 192.168.1.218 209.8.114.138 TCP 55795 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
29 192.168.1.218 209.8.114.138 TCP 55796 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
30 192.168.1.218 209.8.114.138 TCP 55797 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
31 209.8.114.138 192.168.1.218 TCP http > 55786 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
32 209.8.114.138 192.168.1.218 TCP http > 55787 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
33 209.8.114.138 192.168.1.218 TCP http > 55788 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

But when if the proxy is activated, then Norton LiveUpdate is unable to download the updated files. This is the capture:

15 192.168.17.218 209.8.114.155 TCP 56060 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
16 209.8.114.155 192.168.17.218 TCP http > 56060 [SYN, ACK] Seq=0 Ack=1 Win=65228 Len=0 MSS=1460
17 192.168.17.218 209.8.114.155 TCP 56060 > http [ACK] Seq=1 Ack=1 Win=64240 [TCP CHECKSUM INCORRECT] Len=0
18 192.168.17.218 209.8.114.155 HTTP GET /minitri.flg HTTP/1.1
19 209.8.114.155 192.168.17.218 TCP http > 56060 [ACK] Seq=1 Ack=273 Win=65428 Len=0
20 209.8.114.155 192.168.17.218 HTTP HTTP/1.0 200 OK (text/plain)
21 192.168.17.218 209.8.114.155 TCP 56060 > http [ACK] Seq=273 Ack=375 Win=63866 [TCP CHECKSUM INCORRECT] Len=0

Then the Norton sends this error : "Unable to locate a valid Norton LiveUpdate server. Please run a full system scan and try again."

It's clear that Norton has problem with the proxy… Is it possible to bypass the proxy only for connections to liveupdate.symantecliveupdate.com? or Does anyone have any idea for solve this?

Thank you in advance.

mhab12 · Jun 30, 2009, 3:33 PM

We have several machines that use Live Update and all of them are behind our squid proxy. Can you try adding the IP of the trouble machine to the 'unrestricted IPs' list and see what happens?

jahonix · Jun 30, 2009, 3:45 PM

At the Proxy server | Cache management tab you can enter IPs that shouldn't be cached. "Enter each domain or IP address on a new line that should never be cached."
Try the Symantec URL in that field as well.

laotse · Jun 30, 2009, 5:41 PM

Hello mhab12, jahonix thanks for your reply

Well… I tried your ideas and I continue having the same problem.

I found in the Norton's Forum (http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=42323&view=by_date_ascending&page=2) that the problem seems to be caused by a squid's HTTP 1.1 incompatibility. Someone's reply says :

–-----------------------------------------------------------------------
I run squid on my home firewall/gateway and was bitten by this "feature" as well.
At first I thought I was going to have to make a proxy exception for the liveupdate servers, but I tried enabling http 1.1 support on squid. It works great! LiveUpdate now runs without error.
I'm running Squid 2.7STABLE3 on Debian Lenny. I simply added "http11" to the "http_port" line in squid.conf.
Mine now looks like this:
http_port 3128 transparent http11

I can't try this because the "http11" option its only present in Squid 2.7, and pfsense 1.2.2 runs with squid 2.6.21_10

Do you think this is the solution?, If yes, Do you know how to update the squid version manually?

Again, thank you to all.

mhab12 · Jun 30, 2009, 7:55 PM

Maybe it's time somebody updates the squid package to 2.7?

laotse · Jul 1, 2009, 5:48 PM

Yes mhab12 I think so too.

OK, Norton has published a FIX for those who have problems with proxy and Norton LiveUpdate.

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20090320152130EN

See you around.

chudy · Jul 3, 2009, 4:02 AM

hmn. you can try cache-boy

$conf .= "http_port 127.0.0.1:80 transparent http11\n";