key2cs

WPAD Broadcasts [In progress]

Hi

Some machines seem to be doing lots of WPAD requests / broadcasts. I have removed KES 10.2.1.23 and the problem stops.

Running "10.2.1.23 with update a"

I have turned "Use Proxy" off in policy and checked on the client machine, but using Wireshark I can see it's still happening, e.g.

152950 64.863288000 10.0.6.12 224.0.0.252 LLMNR 64 Standard query 0xe5f4 A wpad

152951 64.863379000 10.0.6.12 224.0.0.252 LLMNR 64 Standard query 0x3931 AAAA wpad

Machines I have checked all seem to have Windows 8 so far.

Any ideas?

Thanks

Dan

Hi,

Could you please clarify whether the Wireshark logs you mentioned show the activity after removing KES?

Thank You!

Hi,

Broadcasts stopped after removing KES

Thanks

Dan

So, with KES installed I get a storm of WPAD broadcasts seen in Wireshark, and with it removed the broadcasts stop.

Any idea how to stop it? I have Proxy set to off, so it shouldn't be generating them?

Thanks

Hello.

Are you using a standalone KES or along with a KSC server?

Do you only install KES, or the Network agent as well (a component of KSC that connects to the server)?

Also, did you choose to participate in KSN? What happens if you turn it off?

Sorry to jump onto this thread but we are also seeing this. I am currently gathering information/trying to replicate in a virtual environment. Once I have some decent info I will update this thread if that is OK?

Hi,

Yes, please update us with new info.

Thank You!

We are having the same issue. This took our VoIP system completely down due to the amount of broadcast traffic on our Data VLAN. We had to uninstall this off all systems and the problem went away. Please update us asap. The Windows 8 machines are much worse than others

Hello.

Please let us know if you are able to reproduce this issue. What software versions are you using? Is KSN enabled?

Thank you.

We are on the exact same version as the original poster, 10.2.1.23 update A. We were seeing insane amounts of traffic on our switch (20 million packets a minute per port). After mirroring one of the offending ports and doing a Wireshark capture, I was able to see broadcast queries for A wpad AAAA wpad. I have the Wireshark capture available. The worst offenders are Windows 8.1; turning off the proxy in the KES client does not stop the traffic entirely, but does reduce the amount by about 25%. If you need the Wireshark capture, let me know and I can get that to you. We still have a few clients running on the network with this same behavior.

P.S. This started about 4 weeks ago, right around the time we updated to 10.2.1.23 update a. It's possible it was happening before then, but the phones did not start blipping out until 4 weeks ago, which prompted us to start figuring out what was going on.

Edited by willthiswork89
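
Added example, not part of the posts above and not vendor tooling: one way to turn a Wireshark packet-list text export, in the column layout quoted in the first post, into a per-host ranking of LLMNR `wpad` queries, so the noisiest clients on a mirrored port can be identified. The function name, the 5 queries/second threshold and every sample row after the first two are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Columns as in the capture lines quoted in the thread:
# No.  Time  Source  Destination  Protocol  Length  Info
ROW = re.compile(r"^\s*\d+\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
# Matches queries only; "Standard query response 0x..." does not match.
QUERY = re.compile(r"^Standard query\s+0x[0-9a-fA-F]+\s+(A|AAAA)\s+(\S+)")
LLMNR_GROUPS = {"224.0.0.252", "ff02::1:3"}  # IPv4 / IPv6 LLMNR multicast

# First two rows are from the thread; the rest are constructed sample data.
SAMPLE = """\
152950 64.863288000 10.0.6.12 224.0.0.252 LLMNR 64 Standard query 0xe5f4 A wpad
152951 64.863379000 10.0.6.12 224.0.0.252 LLMNR 64 Standard query 0x3931 AAAA wpad
152960 64.900000000 10.0.6.12 224.0.0.252 LLMNR 64 Standard query 0x1a2b A wpad
152975 65.100000000 10.0.6.40 224.0.0.252 LLMNR 64 Standard query 0x77c1 A wpad
152980 65.200000000 10.0.6.40 224.0.0.252 LLMNR 68 Standard query 0x0b11 A fileserver
152990 65.363288000 10.0.6.12 224.0.0.252 LLMNR 64 Standard query 0x2c3d AAAA wpad
""".splitlines()


def wpad_query_report(lines, threshold_per_sec=5.0):
    """Rank source hosts by LLMNR 'wpad' queries over the capture window.

    threshold_per_sec is an assumed alerting value, not a vendor figure.
    """
    counts, times = Counter(), []
    for line in lines:
        row = ROW.match(line)
        if not row:
            continue  # header, blank or truncated line
        t, src, dst, proto, info = row.groups()
        times.append(float(t))
        q = QUERY.match(info)
        if proto == "LLMNR" and dst in LLMNR_GROUPS and q and q.group(2).lower() == "wpad":
            counts[src] += 1
    # Rate is measured over the whole capture, not per-host first/last packet.
    duration = max(times) - min(times) if len(times) > 1 else 0.0
    report = []
    for src, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rate = n / duration if duration > 0 else float(n)
        report.append({"src": src, "queries": n,
                       "per_sec": round(rate, 2), "noisy": rate >= threshold_per_sec})
    return report


if __name__ == "__main__":
    for entry in wpad_query_report(SAMPLE):
        print(entry)
```

Running the same report before and after a change (for example the SP1 upgrade or a Windows policy change discussed in the thread) gives a like-for-like measure of whether the query rate actually dropped.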

Hello,

Could you install SP 1?

Thank you.

Our EPS server is running version 10.1.249. It looks like updates run every day; is there something special that needs to happen to pull down SP1?

Could you install KSC10 SP1 on a clean system and connect 1 KES10 SP1 client?

Thank you.

We have updated to SP 1 and are installing it on computers now. I will verify the WPAD broadcast issue is eliminated shortly.

Hello,

We are also seeing the same issue on all our clients and servers globally. We have the following installed:

KSC 10.2.434

KEW 10.2.1.23 and mostly 10.2.2.10535

KAV EE 8.0.1.923

KAV 3.2.0.381

The effect is worse in one of our offices that runs Cisco switches with storm control enabled - the switch shuts down the port and stops connectivity for the client.

Any update on this issue is appreciated.

Thanks

Hello.

Please clarify what products exactly are known to cause the issue in your environment, and how they are linked to the issue (problem happens on every single PC that has any KL product from the list installed, and is resolved when they are removed? Please specify the reproduction scenario).

Thank you.

All the products listed above display this behaviour. Once the product is uninstalled, the broadcasts stop. It is possible to apply a policy update to Windows to stop this, but why does the installation of Kaspersky make this happen?

Hello,

Do you have a mixed environment or only SP1?

Thank you.

We have a mixed environment. Most client machines are on SP1 of Endpoint Protection 10, but we also see this behaviour with server versions as well. Note, we see this on Windows 8.1/2012R2 machines but not Windows 7/2008R2 machines. We are most likely going to implement a block via group policy, but would like to understand if there's an issue with the Kaspersky software.

Thanks

Are you sure that the listed products are exactly what is causing this issue? E.g., KAV WSEE does not have network components at all.

Please check whether the anti-virus itself, or the Network Agent is causing this. What do you uninstall exactly to make this stop?

Thank you.

Hi Kirill, AV is uninstalled and the Network Agent remains, so that isn't the cause.

Hi,

Maybe I missed this info, but I could not see anything related to disabling KES protection components. Does it affect the issue at all?

Thank You!

Hi Kirill,

We have a support case open on this now and are providing the engineer with the relevant trace files for analysis. I'll post the results of this once I have them.

Hello.

Please also give us the number of your incident.

Thank You.
