Hi, I've a little problem with any kind of file upload.
We have 2 MAG 4600 in HA cluster with SA software 7.1R4.0.
We have some internal custom sites that have an Apache Commons FileUpload function to get files from users.
If the file is just a bit big (more than 1 MB, but it varies) the upload interrupts and we get an Internet Explorer error. Testing with the PC directly connected to the internet connection switch, all works correctly, as it does if I do the file upload connecting from the internal network.
I've done a test publishing the sites directly on the internet and the upload goes without a problem (tested with a 14 MB file).
I've also done a test uploading the same 14 MB PDF file to a Windows share with Juniper and it's working from the local LAN but not working from the Internet.
We also seem to have some strange behaviour with RDP connections passing through the MAG appliances: the connection is broken and the RDP client reconnects sometimes 4-5 times in 1 minute.
Our internet connection is done with 2 routers, each with a 40 Mbit link in Load Balancing. The MAGs are connected in a DMZ network on our Checkpoint Firewall (tested with IPS disabled/excluded with no luck).
We changed the configuration so now it's only an HA configuration. We tried changing the MTU to less than 1500 on the router, on the MAG and on the client.
The problem seems to happen only with the MAG appliances (we have many other kinds of connections that are not affected at all).
Does anyone have any idea of what can cause this strange behaviour?
This would clearly need a TCP Dump from your IVE which needs to be analyzed.
My suggestion is to open a JTAC ticket and provide the following:
1) TCP Dump of the failure session of a file.
2) TCP Dump / Wireshark capture of a successful session of the same file used in the failure session.
(Internally, without the IVE)
3) Time stamps of both the failure session and the successful uploads.
If you can attach a failure session TCP Dump from the IVE to this thread (if allowed), I may be able to help you.
Hi Jacob, I'll try to get some information in the afternoon and to do some tcpdump collection. I've just done one tcpdump on the internal interface of the MAG and there's no communication with the IP where the share resides (I've done a trace from when I click UPLOAD to the error; it's probably correct because I think the IVE will cache the file locally and then save it to the share).
Do you think that the problem is between the IVE and the file share/web server?
It seems something related to some kind of strange timeout. It happens only when connecting from the Internet and passing through the routers (it's not happening if connected directly to the Internet switch where routers and firewall are connected).
I have a demo SA6500 from our provider and just set it up with the same version 7.1R4.0 and the same share, and it works correctly (it's configured exactly as the MAG 4600, with IP addresses on the same VLANs; the only difference is that the MAG 4600s are 2 in an HA cluster while the 6500 is a single appliance).
I've opened a case yesterday (do you need the case number?)
One more piece of information. I was able to replicate the problem on the cluster also on the internal network by uploading a bigger file (470 MB). After some seconds the upload stopped with the same error, so it seems that some kind of timeout is involved.
I think there's something strange; today I've done some more tests and it seems that the clustered internal/external IP address is only working on one node (node1); when failing over the IP they don't even answer pings. I also have some virtual IP addresses on the internet side and they work correctly also when failing over the cluster.
Doing a test and trying to upload a file directly to the "active" and "passive" node brings these results:
active node: Transfer failing
passive node: Transfer successful
So it seems there's something strange on the HA side.
The 2 nodes are connected to interfaces on 2 different switches. The 2 different switches are connected between them with a trunk of 2 cables if I remember well (VLANs are allowed on the trunk).
Internal interfaces are on one VLAN and external on another VLAN.
The VLANs end on a Checkpoint firewall doing the routing and NAT to the internet.
Physical interfaces are always pingable/reachable and work.
External Virtual Ports are always pingable (and work).
Virtual IPs (internal and external) are only pingable when they are on node 1.
Does anyone have a suggestion? I think there's something wrong but I cannot really understand what...
Any chance the Checkpoint is not updating the ARP/MAC address for the VIP when switching? So even when Node 2 is the active node, the Checkpoint is still sending the traffic to Node 1, who ignores it since he's not the active device?
It seems that the firewall is not getting the MAC address at all... I get an (incomplete) in the ARP table for the virtual IP after I switch the active node to node 2, but I don't know what this means.
I suppose if the table was not updating correctly I should see the old MAC address in the ARP table of the firewall.
Just after I switch the node back I see the correct MAC address.
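As an added example (not from this thread), the check described in the last two posts can be scripted: take a Linux-style `arp -an` snapshot from the firewall before and after a failover and classify each cluster VIP as resolved to a new MAC, stale (still the old node's MAC) or incomplete. The IPs, MACs and line format below are constructed for illustration.

```python
import re

# One Linux-style "arp -an" line, e.g. "? (10.10.20.10) at 00:50:56:aa:bb:01 [ether] on eth1"
# or "? (10.10.20.10) at <incomplete> on eth1". The "(incomplete)" spelling is accepted too.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]{17}|<incomplete>|\(incomplete\))"
)


def parse_arp(text):
    """Return {ip: mac}; a value of None marks an unresolved (incomplete) entry."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        table[m.group("ip")] = None if "incomplete" in mac else mac
    return table


def vip_failover_status(before, after, vips):
    """Classify each VIP as 'incomplete', 'stale' or 'moved' after a failover."""
    b, a = parse_arp(before), parse_arp(after)
    status = {}
    for ip in vips:
        old, new = b.get(ip), a.get(ip)
        if new is None:
            status[ip] = "incomplete"  # firewall cannot resolve the VIP at all
        elif old is not None and new == old:
            status[ip] = "stale"       # still pointing at the previous node's MAC
        else:
            status[ip] = "moved"       # a different MAC was learned: failover visible
    return status


# Constructed snapshots: .10 is the cluster VIP, .11/.12 the physical nodes,
# .20 a virtual port that fails over correctly (all values made up).
BEFORE = """\
? (10.10.20.10) at 00:50:56:aa:bb:01 [ether] on eth1
? (10.10.20.11) at 00:50:56:aa:bb:02 [ether] on eth1
? (10.10.20.12) at 00:50:56:aa:bb:03 [ether] on eth1
? (10.10.20.20) at 00:50:56:aa:bb:10 [ether] on eth1
"""
AFTER = """\
? (10.10.20.10) at <incomplete> on eth1
? (10.10.20.11) at 00:50:56:aa:bb:02 [ether] on eth1
? (10.10.20.12) at 00:50:56:aa:bb:03 [ether] on eth1
? (10.10.20.20) at 00:50:56:aa:bb:11 [ether] on eth1
"""
VIPS = ["10.10.20.10", "10.10.20.20"]

if __name__ == "__main__":
    for ip, st in vip_failover_status(BEFORE, AFTER, VIPS).items():
        print(f"{ip}: {st}")
```

An "incomplete" result means the firewall never received an ARP reply for the VIP from the new active node, which matches the symptom above; "stale" would point to a missing gratuitous ARP instead.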
At the end we discovered what seems to be the cause of the problem. It's not the cluster or the active node.
Our MAG cluster is configured with its cluster IP address and some virtual ports (associated with different certificates).
Users connect to those virtual ports for different services. One is used by normal users that log into the SA to upload files (and they have the described problem with upload). Another virtual port is configured to "require" certificate authentication and we use it for a virtual host acting as an ActiveSync proxy to our Exchange.
It seems that this "requirement" for a certificate is influencing the way the other virtual port works. When we have the virtual port for ActiveSync among those requiring a certificate, the file upload fails. If we remove the virtual port so that it will not require a certificate, everything works correctly, files can be uploaded and RDP works as
Has anyone had problems with a virtual port requiring a certificate to log into the SA interfering with other services?