Jump to content
Welcome to our new Citrix community!

Qualys scan affects NSIP making it unresponsive


Recommended Posts

When we scan NSIPs of VPXs (on top os SDX) and MPXs, the device becomes unresponsive for a while. It looses ping from NMS and we get alerts.
We have tried to lower the amplitude of qualys scans and doesn't help.

Do we know, if scanning SNIP, can help in this case ?

 

As per TAC, the managemnt place has by design limited resources and we are exhausting it during scans.

Link to comment
Share on other sites

I had this exact problem when Qualys scanned my appliances.  It was killing existing SSL sessions through the appliance and disrupting traffic.  I made our Qualys administrator do the scans at a scheduled time when traffic was much lower on the VPX.  The Qualys admin also was able to change the scan settings so it didn't scan everything all at once and took a longer time to complete the scan.  It seemed to solve my issues.   They have settings within Qualys to dial back the intensity when the scans happen.

Link to comment
Share on other sites

  • 3 months later...
On 6/21/2022 at 8:41 PM, Josh Slaney said:

I had this exact problem when Qualys scanned my appliances.  It was killing existing SSL sessions through the appliance and disrupting traffic.  I made our Qualys administrator do the scans at a scheduled time when traffic was much lower on the VPX.  The Qualys admin also was able to change the scan settings so it didn't scan everything all at once and took a longer time to complete the scan.  It seemed to solve my issues.   They have settings within Qualys to dial back the intensity when the scans happen.


Josh, was it killing data plane traffic, or management plane traffic?

In my case, I have seen this on all forms of devices - SDX, MPX, VPX. We tried lowering the amplitude of Qualys scans but it was not much of use.

Does Qualys do an authenticated scan on your devices ?

Link to comment
Share on other sites

They do not do authenticated scans on my devices.   I had them schedule the scans in the wee early morning hours and scale back the intensity of the scans moving forward.  The messages I was seeing on the appliance when they ran the scans were this:
is_vpns_attack_request Dropping invalid HTTP request

My logs were spammed with them when we were seeing the disruptions.  Since I told them to schedule the scans at periods of low traffic I haven't had any complaints.  That doesn't mean the disruption still isn't happening, but its happening during times of low usage.

 

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...