topic Re: unknown drops in Firewall and Security Management

unknown drops...fwmultik_process_f2p_cookie_inner

Wolfgang — Tue, 22 Apr 2025 09:03:02 GMT

We see drops via "g_fw ctl zdedug drop" for connections between two proxies. We had some performance problems with several vidoconferencingsystems but we are not sure if this will be related.

Maybe someone saw this errors in the past and can be explain.

[1_01]@;2687694620.9248412;[vs_3];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_01:50878 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_01]@;2687694622.9248413;[vs_3];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_01:50878 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_01]@;2687694624.9248414;[vs_3];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_01:50878 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_01]@;2687694626.9248415;[vs_3];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_01:50878 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_01]@;2687815396.9322859;[vs_3];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_01:34220 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE
[1_01]@;2687815397.9322860;[vs_3];[tid_2];[fw4_2];fw_log_drop_ex: Packet proto=6 Proxy_01:34220 -> Proxy_02:8080 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE
[1_03]@;2702488823.33144368;[vs_3];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_03:48020 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_03]@;2702488825.33144369;[vs_3];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_03:48020 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_03]@;2702488827.33144370;[vs_3];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_03:48020 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_03]@;2702488829.33144371;[vs_3];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_03:48020 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER
[1_01]@;2687815456.9322913;[vs_3];[tid_5];[fw4_5];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_01:34422 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE
[1_01]@;2687815457.9322914;[vs_3];[tid_5];[fw4_5];fw_log_drop_ex: Packet proto=6 Proxy_01:34422 -> Proxy_02:8080 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE
[1_03]@;2702488918.33144405;[vs_3];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 Proxy_02:8080 -> Proxy_03:48024 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE
[1_03]@;2702488919.33144406;[vs_3];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=6 Proxy_03:48024 -> Proxy_02:8080 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: MUX_PASSIVE

TAC case is already open to investigate, but no more information right now.

Re: unknown drops

Chris_Atkinson — Tue, 22 Apr 2025 09:02:12 GMT

Which gateway version & Jumbo, is UserCheck enabled here out of interest?

Re: unknown drops

Wolfgang — Tue, 22 Apr 2025 09:05:58 GMT

R81.20 take 89, UserCheck is active with block page for malicious content.

Re: unknown drops...fwmultik_process_f2p_cookie_inner

G_W_Albrecht — Tue, 22 Apr 2025 09:44:42 GMT

sk177610: Security Gateway generates logs with the action "Redirect", although the Access Control rule is configured with the action "Drop" and with the "Blocked Message - Access Control"

sk164972: Websites time out instead of redirecting to UserCheck

Re: unknown drops...fwmultik_process_f2p_cookie_inner

the_rock — Tue, 22 Apr 2025 12:26:38 GMT

For what its worth, because I feel like I always have to say this now, AI answers should be taken with grain of salt, below is what AI copilot gave me and when I search for this in KB, same sk @G_W_Albrecht provided came up (2nd one).

Andy

************************

The error messagefwmultik_process_f2p_cookie_inner Reason: Passive Streaming Layer Drop: MUX_PASSIVEindicates that the packet was dropped by the Passive Streaming Layer (PSL) due to a MUX_PASSIVE reason.

Explanation:

Passive Streaming Layer (PSL): This is an infrastructure layer in Check Point's security architecture that reassembles TCP packets into a protocol message. It ensures that only valid packets are allowed to proceed to their destinations by reordering packets and allowing inspection on the packets.
MUX (Multiplexer): This layer works between the Streaming layer and the Applications layer. It can choose to work over PSL (passive streaming) or CPAS (active streaming).

Possible Causes:

Invalid or Malformed Packets: The packet might be malformed or invalid, causing the PSL to drop it.
Performance Issues: There might be performance issues on the Security Gateway, causing delays or drops in packet processing.
Connectivity Issues: Network connectivity issues between the end-user computers and the Security Gateway might lead to packet drops.

Recommended Actions:

Examine Network Connectivity: Check for any network connectivity issues between the end-user computers and the Security Gateway.
Check Security Gateway Performance: Look for any performance issues on the Security Gateway that might be causing delays or drops in packet processing.
Review Logs: Analyze the logs to identify any patterns or specific conditions under which the packets are being dropped.

For more detailed information, you can refer to the related solutions:

sk109814 - What does "Redirect" action mean in Anti-Bot/Anti-Virus?

If the issue persists, consider opening a ticket with Check Point Support Center for further assistance.