topic Re: About "CPNotEnoughDataForRuleMatch" and connection reset in Firewall and Security Management

About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Tue, 04 Feb 2025 15:47:45 GMT

Hi there,

I've (partly) asked about this before (https://community.checkpoint.com/t5/Security-Gateways/quot-CPNotEnoughDataForRuleMatch-quot-and-quot-Connection/m-p/230551/thread-id/44356), but now I have another related question regarding this behvavior.

I have a service that connects to an external ip address, but every time the connection gets terminated by a reset from the destination. The log in my firewall says "Accept", however, it is getting "terminated before the Security Gateway was able to make a decision: No SSL applicative data." ("CPNotEnoughDataForRuleMatch").

As I got told in my other post (see link above) the behavior is by design and expected, however, I do have a question to why it happens.

The connection in question gets HTTPS Inspected and the log is as follows:

And the "Accept" ("CPNotEnoughDataForRuleMatch") log looks as below:

I tried to establish the connection with a Wireshark running on the client (not the firewall) and as far as I can see the handshake completes, but then it gets disconnected by a reset from the destination:

I have the same service on another endpoint WITHOUT HTTPS Inspection and there it connects fine.

So my question is: Is it possible that the packet somehow gets "malformed" in the HTTPS Inspection process and therefore the destination sends a reset back to us and kills the connection? Or is something different going on? I really can't figure it out!

Looking forward to your comments 🙂

Thanks!

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

Lesley — Wed, 05 Feb 2025 11:51:09 GMT

The error states there is no data in the connection, that is true according to the capture so the error is valid.
You state without https inspection connections it works so we should focus on that. Could start is to see if the chosen encryption ciphers are accepted on both sides. In the capture the source is the fw right? That is starting with syn?

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Wed, 05 Feb 2025 16:48:10 GMT

No, that's the client. I haven't done a capture on the firewall.

It seems like the Handshake and thus cipher suites goes through and it is after that, that the destination endpoint sends a reset packet. I just can't figure out why.

And again if I bypass HTTPSi it works, so my theory was that it had something to do with that...

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Wed, 05 Feb 2025 17:29:01 GMT

Check out below links, hope it helps. In short, this is literally never CP issue, as 3 way handshake is not completing, but its not because of the fw, but rather the fact that server did not send back syn-ack.

Andy

https://community.checkpoint.com/t5/Security-Gateways/quot-CPNotEnoughDataForRuleMatch-quot-and-quot-Connection/m-p/230551#M44356

https://community.checkpoint.com/t5/General-Topics/When-does-CPEarlyDrop-occur-with-ACCPET-action/m-p/216402#M35976

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Thu, 06 Feb 2025 11:47:26 GMT

I just don't understand why it then works if I bypass HTTPSi... 😞

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

PhoneBoy — Thu, 06 Feb 2025 12:02:05 GMT

Like @Lesley said, you should check from the gateway (specifically from the gateway to the remote site) with tcpdump.

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Thu, 06 Feb 2025 12:16:21 GMT

But then it sounds like its httpsi issue...

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Thu, 06 Feb 2025 20:42:55 GMT

Now that I think about it, say if you have httpsi enabled, you can always add bypass rule for affected IPs/destinations.

Andy

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

Lesley — Thu, 06 Feb 2025 18:40:13 GMT

Focus on checking HTTPS inspection part, not the CPNotEnoughDataForRuleMatch error.

HTTPS inspection can go wrong between client <-> FW or FW <-> remote server

Mismatch in ciphers but also CA that is not up to date on FW.

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Fri, 07 Feb 2025 09:02:38 GMT

Yeah, you're right.

Are there any way of troubleshooting that myself or should I involve TAC? And is it okay to bypass destinations that causes problems? Obviously, it wont perform HTTPS Inspection on traffic between whatever source and destination hosts I have defined, but is it a known issue that HTTPSi in some situations will break the connection? It is not a general problem, but I do experience it occasionally.

Thanks.

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Fri, 07 Feb 2025 12:13:11 GMT

Yea, you said it exactly how I would put it. Not a generic problem, but it happens from time to time. Well...if destination causes problems, then I would NOT bypass it, better to involve TAC. However, if it does not cause issues, I would do it.

Andy

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Fri, 07 Feb 2025 14:55:00 GMT

Well, it happens all the time for this specific destination and for now I have just created a bypass rule for it. I will consider getting TAC involved.

Thanks 🙂

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Fri, 07 Feb 2025 14:57:05 GMT

sounds good!

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Wed, 12 Feb 2025 01:11:31 GMT

Hey @JPR

Any updates from TAC?

Andy

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Wed, 12 Feb 2025 09:06:10 GMT

Hey,

Thanks for asking, but haven't gotten so far yet. Already have a couple TAC cases regarding some other stuff, so just waiting on those to get done before I open new ones 😉

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Wed, 12 Feb 2025 12:04:01 GMT

No worries, just keep us posted when you do.

Andy

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Mon, 17 Feb 2025 14:57:11 GMT

I haven't been in contact with TAC, however, I tried enabling the extra logging as explained here: https://support.checkpoint.com/results/sk/sk113479

When doing that and then telnetting to an ip on 443 that gives me the "CpNotEnoughDataForRuleMatch" I get this expanded explanation:

I'm not sure I fully understand what it means, even after reading the explanation in the aforementioned SK.

Then I tried disabling rule 153 it mentions as a first possible rule match, but then it just says the next rule (154) is the first possible rule match. What those rules have in common, though, is that the source is a Network Group that consist of various hosts, networks and other network groups.

So to try to figure out if that particular group was the culprit, I created a new rule above the first instance where that group was used as source now with a single host as source and that particular ip (the one that otherwise fails with "CpNotEnoughDataForRuleMatch") as destination and action as Accept - and now it works, no error or anything!

It seems as that Network Group is what is causing this issue, but I can't figure out why. Do any of you have an idea as to why that could be the case? It is a group that are being used in many rules and generally it doesn't seem to cause any issues.

Looking forward to your ideas! 🙂

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Mon, 17 Feb 2025 15:02:36 GMT

Its essentially the same thing 🙂

Its long way of saying 3 way handshake is NOT completing, but its not the fw issue.

Andy

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

JPR — Mon, 17 Feb 2025 15:08:01 GMT

Ok, but how do you conclude it isn't a fw issue?

If that host is a member of that network group the conncetion fails with "CpNotEnoughDataForRuleMatch". If I make a specific rule with that host (not part of a group), it works, and I don't get the "CpNotEnoughDataForRuleMatch". To me it really does seem like a fw issue, but there might be something I don't get 🙂

Re: About "CPNotEnoughDataForRuleMatch" and connection reset

the_rock — Mon, 17 Feb 2025 15:10:19 GMT

How do I know its not a fw issue? Valid question...my answer? Very easy 🙂

Here is how...when you see that log, do tcpdump and/or fw monitor and follow the packet. 100% it will show you that connection is going through the fw, but its not coming back, meaning the other side is NOT responding with syn-ack.

Andy