topic Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet in General Topics

https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet dat

Don_Paterson — Fri, 28 Apr 2023 15:49:45 GMT

Trying to understand what the exact cause/s for this PSL drop might be.

Anyone else seen it and found out more?

Log image attached. SK reference image attached.

"https Traffic Dropped from ... to ... due to Out of sequence TCP packet retransmission. Stripping all packet data. Please refer to sk172266."

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

the_rock — Fri, 28 Apr 2023 16:06:56 GMT

I had this issue with customers couple times and below is what we did to fix it. Not saying it would work for you, but thats what did work in our case. Just need to put in affected IPs/subnets in both src/dst

Andy

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Don_Paterson — Fri, 28 Apr 2023 16:14:41 GMT

Nice. Thanks!

I'm looking at SK122072
https://support.checkpoint.com/results/sk/sk122072

Solution
These logs can be safely ignored and disabled by setting the following kernel parameter:

# fw ctl set int psl_disable_keepalive_logs 1

But also thinking about MTUs, ring buffer sizes and also elephant flow (Hyperflow).
https://support.checkpoint.com/results/sk/sk42181

EDIT:

+ This is about image files being transferred over the network.

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

the_rock — Fri, 28 Apr 2023 16:35:33 GMT

Well, here is my logic about this, and not only this, but really any traffic problem...so IF those logs are indication of the actual issue, then it needs to be addresses. However, if you see them, but you are simply curious why they are there (but no any other problems), then those SKs would make sense.

Also, all tcp out of state means, in most simple terms, is this...communication is broken somewhere, along the way...3-way handshake is not happening properly.

Andy

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Don_Paterson — Fri, 28 Apr 2023 16:40:01 GMT

ACK. Agree.

Did you confuse Out of Sequence with Out of State? 😉

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

the_rock — Fri, 28 Apr 2023 16:45:08 GMT

I did, sorry lol. Did not get much sleep, had Fortigate cutover at 4.30 am, so my apologies.

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

the_rock — Fri, 28 Apr 2023 16:44:25 GMT

But here is bigger question...is there an ACTUAL traffic issue, or are you simply concerned about the logs you see?

Andy

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Martin_Raska — Wed, 15 May 2024 07:42:04 GMT

Hi Guys,

do you have more info why it is happening? We have a lot of these drops at the customer, it is HTTPS traffic from user to Internet and in the logs is always

Invalid segment retransmission. Packet dropped. Please refer to sk172266. Streaming Engine: TCP Invalid Retransmission

and its causing issues.

Is it related to brotli encoding or is it a general issue? - sk181282

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Don_Paterson — Fri, 12 Jul 2024 11:24:47 GMT

Hi Martin,
Apologies for the late reply.

It may be best to open a ticket with TAC so that they can gather all the missing information (version, load & performance, and current configuration (including enabled blades and protections enabled, and cluster config), along with maybe packet captures).

I don't have any more information on this and only have the SKs to refer to but you could look at the Inspection Settings and look to add exceptions (screenshot attached).
If PSL is dropping (because it offers some attack prevention before IPS signature matching) then it could point to a real problem, but otherwise it might need an exception somewhere or a Check Point Hot Fix maybe(?)

Regards,

Don

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Martin_Raska — Wed, 04 Sep 2024 09:55:30 GMT

Hi Don,

TAC investigated nothing, I had to do everything myself. Anyway I found two issues.

Issue one, sk122072 - 'TCP out of Sequence' logs in SmartView Tracker

the GW is marking keep-alive as a drop out of state which should not do. We have a ticket.

Issue two, a lot of ACKs are disappearing in the customer network making the retransmission Invalid and out of state, because server has data and sends ACK, FW accepts ACK, process it and after that ACK disappears. Client makes retransmission and the FW drops it because ACK has been seen and its already out of state with old seq number.

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Lesley — Wed, 04 Sep 2024 10:18:29 GMT

How did you solve the issue?

Issue one, I have changed fw ctl set int psl_disable_keepalive_logs 1

But no effect. Also curious how you solved issue 2.

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Martin_Raska — Tue, 10 Sep 2024 08:16:47 GMT

For us this worked - fw ctl set int psl_disable_keepalive_logs 1,

we dont see keep-alives as a Drops.

Issue two, we don't know where, but it has to be the customer environment, probably core router or Asym routing which is there as we found out.

Re: https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet

Martin_Raska — Tue, 10 Sep 2024 08:19:03 GMT

if it does not work for you - fw ctl set int psl_disable_keepalive_logs 1

then its probably not keep-alive traffic and something else which is making TCP retransmission out of sequence