topic Re: sysctl net.ipv4.tcp_timestamps in Firewall and Security Management

sysctl net.ipv4.tcp_timestamps

Mikel_Aanstoot — Wed, 02 Oct 2019 09:36:18 GMT

Hi, we see on a checkpoint 5900 R80.10 cluster when Mac and Linux clients are going to certain websites that those websites load very slow or not at all. In tcpdump traces we see a lot of retransmission and dup ack's stalling the TCP session. In Windows we do not see this behaviour at all. We finally found this to happen when on the client this is set: net.ipv4.tcp_timestamps=1. In Linux you can disable this and then we do not see this issue but on Mac since El Capitan you can not disable this anymore. When you change this setting on a Windows client by netsh int tcp set global timestamps=enabled than you have the same behaviour. When using a proxy server for Mac clients with the tcp timestamps setting disabled also this problem disappears.

When the Mac and Linux clients are connected to a 1490 SMB this behaviour does not appear, so it is the combination client, Mac & Linux with net.ipv4.tcp_timestamps=1 set and our Checkpoint 5900 with R80.10 (although we also saw this on a 12210 with R77.x in 2016 when Mac went to Yosemite. We could only replicate it then when the Checkpoint had a high load and this behaviour disappeared after some tweaking with the multiple processors and added more memory.)

On the gateway policy we disabled all IPS, TCP Inspection settings but problem persists. Anybody else aware of some setting so the checkpoint works good with clients with tcp timestamps enabled ?

kind regards,

Mikel Aanstoot

Re: sysctl net.ipv4.tcp_timestamps

G_W_Albrecht — Wed, 02 Oct 2019 12:20:20 GMT

What about disabling it following sk62700: How to disable TCP timestamps (RFC 1323) ?

Re: sysctl net.ipv4.tcp_timestamps

Mikel_Aanstoot — Thu, 03 Oct 2019 08:42:13 GMT

Hi, thanks for the reaction. According to the note below the SK: Note: This change will only be applied to local connections (connections where the source or destination is the gateway).

So not sure if this will work ?

kind regards,Mikel

Re: sysctl net.ipv4.tcp_timestamps

Mikel_Aanstoot — Tue, 19 Nov 2019 06:41:48 GMT

FYI: We have opened a TAC case for this and Checkpoint confirmed our issue. We have received a HotFix for this issue and this seems to work perfectly. We only find it surprising that not more companies/people are affected by this behaviour. We don't have that specific config and would have expected that any Mac / Linux client could have experienced this issue.

Mikel