Hello everyone!
We’ve encountered the following phenomenon: many websites don’t fully load when opened (for example, Reddit, GitHub, etc.). In the logs, we see the following events (see attached screenshots). At the same time, we notice HTTP parser errors, and despite the fact that we have the Allow Fail-Open mode enabled and the traffic is allowed, the sites still don’t work. In the browser’s debug console, we can see that connections for fetching *.js files are being reset.
Does anyone have any ideas about this?
Thanks in advance!
Now that you said web proxy, I'm 99.99% sure that's EXACTLY what your issue is. I had a customer with this problem a while ago and that's what was the cause. As soon as I saw it, I remembered.
Today I tried disabling HTTP/2 in Firefox settings (unfortunately, I haven’t been able to test this in Chrome yet — I couldn’t figure out how to disable HTTP/2 there), and lo and behold — everything started working correctly!
This answers the question of why it worked with curl (it uses HTTP/1.1 by default),
wget https://www.gesetze-im-internet.de/kaeano/KAEAnO.pdf
StatusCode : 200
StatusDescription : OK
Content : {37, 80, 68, 70...}
RawContent : HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=10
Connection: Keep-Alive
Content-Disposition: inline; file...
Headers : {[X-Content-Type-Options, nosniff], [X-Frame-Options, sameorigin], [X-XSS-Protection, 1;
mode=block], [Keep-Alive, timeout=5, max=10]...}
RawContentLength : 132767
but it doesn’t answer the question of why it works through the tunnel even when HTTP/2 is enabled in the browser.
I still have a gut feeling it's a proxy issue...
We do not have a proxy activated at CP GW.
You mentioned last night about web proxy.
Yes, we are currently using an explicit web proxy from Broadcom, but we want to switch so that all clients access the Internet directly through the Check Point firewall.
Right...that's why I said that's most likely the issue.
Are you sure HTTPS Inspection is actually occurring on traffic inside the VPN tunnel?
There should be logs to that effect.
Based on all I understood, sounds like it would be, since it's random sites having the issue, but I agree, logs would 100% confirm that.
Did it work on all browsers or not tested yet?
Firefox works when HTTP/2 is disabled. However, I can’t disable HTTP/2 in Chrome – the parameter chrome.exe --disable-http2 has no effect, and the browser still uses HTTP/2.
As a test, you can try disabling QUIC in Chrome.
QUIC is already disabled, but it didn’t make any difference.
Best regards,
Roman
K, in that case, maybe it is related to http2 then...
Yes, the problem is definitely with HTTP/2. Confirmed in Chrome (I had to completely clear the browser cache and launch chrome.exe --disable-http2) and Firefox. In both browsers, all the sites that previously had issues started working normally after downgrading to HTTP/1.1 — although noticeably slower…
The question is: is this a bug or a feature???
And why does everything work fine over a tunnel even with HTTP/2?
best regards,
Roman
What versions are the gateways? Let me see if I can find a related sk for this; I had a case with T3 in DTAC and I know he gave me an article that has to do with this.
Hi! R81.20 JHF118
best regards,
Roman
Here you go...just follow this sk, I'm sure it will fix the issue. Needs a short maintenance window, since it involves cprestart, but if it's a cluster, you are good.
sk116022 - Check Point inspection of HTTP/2 protocol (RFC 7540)
Okay, thanks! Yesterday evening I also came across this SK. I’ll check what value this parameter has on our gateway. Yes, we have a cluster, but I’ll still need to coordinate the test time 🙂
best regards,
Roman
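The thread has narrowed the breakage to connections where the browser negotiates HTTP/2, and the sk's IGNORE_ALPN_EXTENSION parameter concerns the TLS ALPN extension in which the client offers "h2". The following is an added example, not code from the thread or from Check Point: it parses the ALPN protocol list out of a TLS ClientHello so you can confirm from a packet capture taken on the gateway whether a failing client is actually offering h2. The ClientHello builder is only there to construct sample input; it is not a complete handshake a real server would accept.

```python
import os
import struct

ALPN_EXT = 0x0010  # TLS extension id for ALPN (RFC 7301)

def build_client_hello(alpn_protocols):
    """Constructed minimal TLS ClientHello carrying only an ALPN extension (sample input, not a real capture)."""
    alpn_list = b"".join(struct.pack("!B", len(p)) + p.encode() for p in alpn_protocols)
    alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
    extensions = struct.pack("!HH", ALPN_EXT, len(alpn_data)) + alpn_data
    body = (
        b"\x03\x03" + os.urandom(32)          # client_version TLS 1.2, 32-byte random
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                         # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header

def alpn_protocols(record):
    """Return the ALPN protocol names a ClientHello offers, or [] if the extension is absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # skip handshake header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos >= len(hs):
        return []                                        # legacy hello with no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != ALPN_EXT:
            continue
        protos, i = [], 2                                # skip the 2-byte protocol_name_list length
        while i < len(data):
            n = data[i]
            protos.append(data[i + 1:i + 1 + n].decode())
            i += 1 + n
        return protos
    return []

def offers_h2(record):
    """True when the client advertises HTTP/2 ("h2") via ALPN, the case the thread found to break."""
    return "h2" in alpn_protocols(record)
```

Feed `alpn_protocols()` the first TLS record of a captured client connection (e.g. exported from tcpdump on the gateway): a browser that lists h2 first is the case this thread describes, while curl with default settings or Firefox with HTTP/2 disabled will show only http/1.1.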
[Expert@fw01:0]# ckp_regedit SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION
rc=-10 line=180
[Expert@fw01:0]#
What does that mean? The parameter is not defined?
[strict_hold_configuration]
strict_hold_enable=1
enable_on_background_mode=0
min_size_to_upload=0
# when tex_over_te enabled - perform sending TEX extracted file to client without waiting for TE full emulation verdict.
tex_over_te=1
max_size_to_upload=100000000
flexible_hold_precent_to_send=50
flexible_hold_total_time_to_trickle_in_minutes=5
Correct.
Did I understand correctly that I need to disable HTTP2?
To disable the HTTP/2 inspection on the Security Gateway:
-> 3. Set the value 1 for the parameter "IGNORE_ALPN_EXTENSION":
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1
best regards,
Roman
Yes.
I really hope it works!
Me too 🙂 We've got a maintenance window for tomorrow, we'll test it and I'll report the results.
best regards,
Roman
I'm hopeful!
Thank you very much!
Glad we can help you.