Endpoint Protection

I recently switched from a linksys WRT54G to a WRT106N router and now I occationally have traffic blocked from my ip address, 192.168.1.1, due to the IPv6 rule even after this rule has been disabled. This effectively shuts down my internet access. The only solution I have found is to disable NTP. This did not happen with my old router. The log says it is from remote port 0, local host 0.0.0.0, IPv6 [type=0x86DD], etc. Please let me know if there is a solution other than disabling NTP every time.

Do you have IPv6 enabled in the router? If so I would disable it, its possible the router is causing the communication that is making it thing the router is a attack. I would also look into if there is an update to the firmware.

There are 2 IPV6 rules..Block IPV6 and block IPV6 over IPV4 have removed both of them ?

I had just the one rule dealing with IPv6.

Firmware was updated and I wasn't able to figure out how to disable IPv6 through the router. I was able to disable IPv6 through the Network and Sharing Center in Windows 7 using this website as a guide. So far so good (although it has only been a few minutes). Thank you for your help. I will update if I have any more trouble.

IPv6 is disabled via control panel settings and I am still occationally getting my internet traffic blocked. Sometimes the log says its because of the IPv6 rule and sometimes it doesn't. Either way when I disable the NTP the internet works fine.

What version of SEP are you running? Is this a managed or unmanged client? Is this happening with wired, wireless or both?

Have you tried performing a factory reset?

Version 11.0.600.550. It is a managed client, happens with both wired and wireless and no I haven't performed a factory reset. It began happening shortly after I installed the router. It also happened with an ASUS router that I ended up returning.

Email me the client traffic logs and we can take a look at what might be going on here.

If you can, provide the timeframe of when you experienced the connectivity issue.

Can you confirm that it's 10.0.6000. and NOT 11.0.600?

There is a difference, and you want to be on the 6000 build.

I am having the same issue. And I cant even get the system to log the event either. It only suspends my IP Address for 10 minutes when I try and use Google Chrome though.

After looking at your logs, I suspect your OS is sending IPv6 traffic. Do you have an XP system in your network that you can test with?

The Symantec firewall supports IPv4 only. The default Symantec firewall rule base, however, contains a rule that blocks all IPv6 traffic.

Warning:
Do not delete the rule that blocks IPv6. Do not change its filter action from Block to Allow.

http://seer.entsupport.symantec.com/docs/330761.htm

FYI,  Linksys makes no mention of IPv6 in the user guide.

http://homesupport.cisco.com/en-us/wireless/lbc/WRT160N

I do not have an XP system to test with and I have already deleted the IPv6 rule.

Can you check the traffic log on the client and check which rule exactly is blocking this and what all is it blocking

SEP GUI- view logs - Network Threat Protection -Traffic Log.

Vikram, the traffic is being blocked by the Block IPv6 rule name.

This is the last traffic log entry:

5/17/2010 2:09:34 PM    Blocked    10    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    (source MAC)  0    0.0.0.0    (destination MAC)    0       (user)   (user domain)   (location)    1    5/17/2010 2:09:12 PM    5/17/2010 2:09:12 PM    Block IPv6   

The rule is the last value, 'Block IPv6,' which I deleted a while ago.

Well..if the rule was deleted then something is wrong..

You said it is a managed client..So did you remove the rule from the SEPM manager ? Did the client update that rule change ?

Are you able to make rule change by going to SEP GUi- Network threat Protection - OPtions- Configure Firewall Rule ?

If it is just on 1 Clients can un-install Re-install the client or atleast the Network Threat Protection Component ?

I deleted the rule through the options in the NTP component. I am not sure if the client updated the rule change. If it is something I have to do manually, then no.  I have not tried to un-install and re-install yet.  I did try taking a screen cap of my NTP rules but it may be too blurry to see. Is it recommended that I un-install and re-install?

If even after deleting the rule ..that rule is blocking the traffic then NTP install might have got messed up..
I would advice un-install and re-install..

I am unable to un-install SAV or any components because it is password protected by my school system managers. My current work-around solution is to disable NTP when I am at home and enable it at school. If anyone has another solution please let me know.

In That case you can contact your SEP Admin at your school and tell him to re-install it for you...