EPA scan Fails. Error: Failed sending epaq

Article ID: CTX341766

Description




Error: Failed sending Epaq

The following error appears in the plugin logs:

2022-01-14 07:03:05.860 | Tid: 10876 | ERROR   | ns_start_epa | 1030 | Failed sending GET epaq. Return code: -4
2022-01-14 07:03:05.860 | Tid: 10876 | DEBUG   | ns_start_epa returning Failed sending epaq

The following message will be seen in the packet capture:

Resolution

The maximum header size is taken from the attached HTTP profile. Verify this behaviour by increasing the length from the default of 24820 (= 17*1460) to a larger value.
The maximum header length can be increased using "set httpProfile <profile name> -maxHeaderLen <length val>".
Example: set httpProfile nshttp_default_strict_validation -maxHeaderLen 36500


How to identify the ideal maxHeaderLen for your issue:

The log message "ns_send_epaqs_expr: csec: len:19016" gives the security expression length in bytes (sample below).

Sep 23 17:27:56 <local0.debug> 10.10.0.1 09/23/2021:11:57:56 GMT 10_10_0_1 0-PPE-0 : default SSLVPN Message 786 0 :  "ns_send_epaqs_expr: csec: len:19016,

This is base64 encoded, so the header length required will be at minimum 19016*4/3 = 25354 bytes. The default profile has a length of 17*1460 = 24820 bytes. This is the reason the scan is failing.

You can increase the value to 20*1460 = 29200.

This should work; otherwise you can increase further to 21*1460 and so on.
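
The sizing steps above can be scripted against an exported log. The following is an added example, not Citrix code: it extracts every csec length, computes the padded base64 size (a couple of bytes more than the 4/3 estimate above) and prints the smallest multiple of 1460 that holds it. That value is a lower bound for the expression alone, so the 20*1460 suggested above sits above it. The function names and the second sample log line are constructed for illustration.

```python
import re

SEGMENT = 1460              # step used in the article's arithmetic
DEFAULT_MAX = 17 * SEGMENT  # 24820, the default maxHeaderLen per the article

# Length field of the "ns_send_epaqs_expr: csec: len:N" debug message.
CSEC_LEN = re.compile(r"ns_send_epaqs_expr:\s*csec:\s*len:(\d+)")

# First line is the sample from the article; the second is constructed.
SAMPLE = (
    'Sep 23 17:27:56 <local0.debug> 10.10.0.1 09/23/2021:11:57:56 GMT 10_10_0_1 '
    '0-PPE-0 : default SSLVPN Message 786 0 :  "ns_send_epaqs_expr: csec: len:19016,\n'
    'Sep 23 17:31:02 <local0.debug> 10.10.0.1 09/23/2021:12:01:02 GMT 10_10_0_1 '
    '0-PPE-0 : default SSLVPN Message 802 0 :  "ns_send_epaqs_expr: csec: len:9000,\n'
)

def csec_lengths(log_text):
    """Return every csec expression length (bytes) found in the log text."""
    return [int(m.group(1)) for m in CSEC_LEN.finditer(log_text)]

def base64_len(raw_len):
    """Padded base64 size: 4 output characters per 3 input bytes, rounded up."""
    return 4 * ((raw_len + 2) // 3)

def min_header_len(raw_len):
    """Smallest multiple of SEGMENT that holds the encoded expression."""
    return -(-base64_len(raw_len) // SEGMENT) * SEGMENT

def report(log_text, profile):
    """Summarise the largest expression seen and, if needed, the CLI command."""
    lengths = csec_lengths(log_text)
    if not lengths:
        return None
    worst = max(lengths)
    encoded = base64_len(worst)
    if encoded <= DEFAULT_MAX:
        return f"csec len {worst}: {encoded} bytes encoded, fits default {DEFAULT_MAX}"
    return (f"csec len {worst}: {encoded} bytes encoded, exceeds default {DEFAULT_MAX}\n"
            f"set httpProfile {profile} -maxHeaderLen {min_header_len(worst)}")

if __name__ == "__main__":
    print(report(SAMPLE, "nshttp_default_strict_validation"))
```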
 

Problem Cause

The issue occurs because, while constructing the response for the /epaq request, the maximum header length limit of the default HTTP profile is exceeded.

This is because the customer has a large set of MAC addresses in EPA rules.