Romaryo
Collaborator

R81.20 "HTTP parsing error occurred" / body filter failed in response

Hello everyone!
We’ve encountered the following phenomenon: many websites don’t fully load when opened (for example, Reddit, GitHub, etc.). In the logs, we see the following events (see attached screenshots). At the same time, we notice HTTP parser errors, and despite the fact that we have the Allow Fail-Open mode enabled and the traffic is allowed, the sites still don’t work. In the browser’s debug console, we can see that connections for fetching *.js files are being reset.
Does anyone have any ideas about this?
Thanks in advance!

0 Kudos
65 Replies
the_rock
MVP Diamond

Now that you said web proxy, I'm 99.99% sure that's EXACTLY what your issue is. I had a customer with this problem a while ago and that's what the cause was. As soon as I saw it, I remembered.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Today I tried disabling HTTP/2 in Firefox settings (unfortunately, I haven’t been able to test this in Chrome yet — I couldn’t figure out how to disable HTTP/2 there), and lo and behold — everything started working correctly!
This answers the question of why it worked with curl (it uses HTTP/1.1 by default),

 

wget https://www.gesetze-im-internet.de/kaeano/KAEAnO.pdf


StatusCode : 200
StatusDescription : OK
Content : {37, 80, 68, 70...}
RawContent : HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=10
Connection: Keep-Alive
Content-Disposition: inline; file...
Headers : {[X-Content-Type-Options, nosniff], [X-Frame-Options, sameorigin], [X-XSS-Protection, 1; mode=block], [Keep-Alive, timeout=5, max=10]...}
RawContentLength : 132767

 

but it doesn’t answer the question of why it works through the tunnel even when HTTP/2 is enabled in the browser.

0 Kudos
the_rock
MVP Diamond

I still have a gut feeling it's a proxy issue...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

We do not have a proxy activated at CP GW.

0 Kudos
the_rock
MVP Diamond

You mentioned last night about web proxy.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Yes, we are currently using an explicit web proxy from Broadcom, but we want to switch so that all clients access the Internet directly through the Check Point firewall.

0 Kudos
the_rock
MVP Diamond

Right...that's why I said that's most likely the issue.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

Are you sure HTTPS Inspection is actually occurring on traffic inside the VPN tunnel?
There should be logs to that effect.

the_rock
MVP Diamond

Based on all I understood, it sounds like it would be, since it's random sites having the issue, but I agree, logs would 100% confirm that.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Yes... I have a feeling that the issue might be related to HTTP/2

0 Kudos
the_rock
MVP Diamond

Did it work on all browsers or not tested yet?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Firefox works when HTTP/2 is disabled. However, I can’t disable HTTP/2 in Chrome – the parameter chrome.exe --disable-http2 has no effect, and the browser still uses HTTP/2.

0 Kudos
the_rock
MVP Diamond

As a test, you can try disabling QUIC in Chrome.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

QUIC is already disabled, but it didn’t make any difference. 

Best regards,

Roman

0 Kudos
the_rock
MVP Diamond

K, in that case, maybe it is related to HTTP/2 then...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Yes, the problem is definitely with HTTP/2. Confirmed in Chrome (I had to completely clear the browser cache and launch chrome.exe --disable-http2) and Firefox. In both browsers, all the sites that previously had issues started working normally after downgrading to HTTP/1.1 — although noticeably slower…
The question is: is this a bug or a feature???
And why does everything work fine over a tunnel even with HTTP/2?

 

best regards,

Roman

0 Kudos
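The "HTTP parsing error occurred" event in the original post is what an HTTP/1.x parser produces when it is handed the start of an HTTP/2 connection: instead of a request line such as `GET /static/app.js HTTP/1.1`, the first bytes are the fixed HTTP/2 connection preface (`PRI * HTTP/2.0 ...`) followed by binary frames. The following is an added example, not code from the thread and not Check Point's implementation; the parsers are illustrative, and the two sample first flights are constructed for the example.

```python
"""Why an HTTP/1.x parser fails on an HTTP/2 connection (added example; sample
bytes below are constructed, and the parsers are illustrative, not any product's)."""
import struct

# RFC 7540 section 3.5: every HTTP/2 client connection opens with this fixed preface.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# RFC 7540 section 6: the frame types that appear in a typical first flight.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x8: "WINDOW_UPDATE"}


def h2_frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_h2_frames(payload):
    """Decode consecutive frame headers from the bytes that follow the preface."""
    frames, off = [], 0
    while off + 9 <= len(payload):
        length = int.from_bytes(payload[off:off + 3], "big")
        ftype, flags = payload[off + 3], payload[off + 4]
        stream_id = struct.unpack(">I", payload[off + 5:off + 9])[0] & 0x7FFFFFFF
        off += 9
        if off + length > len(payload):
            raise ValueError("truncated HTTP/2 frame")
        frames.append({"type": FRAME_TYPES.get(ftype, hex(ftype)), "flags": flags,
                       "stream": stream_id, "length": length})
        off += length
    return frames


def parse_http1_request_line(data):
    """Strict HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        raise ValueError("no CRLF-terminated request line")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("not an HTTP/1.x request line: %r" % line)
    return tuple(p.decode("ascii") for p in parts)


def http1_parse_error(data):
    """The message an HTTP/1.x-only parser would log for this first flight, or None."""
    try:
        parse_http1_request_line(data)
        return None
    except ValueError as exc:
        return str(exc)


def classify_first_flight(data):
    """Label decrypted client bytes as 'h2', 'http/1.1' or 'unknown'."""
    if data.startswith(H2_PREFACE):
        return "h2"
    return "http/1.1" if http1_parse_error(data) is None else "unknown"


# Constructed samples: an HTTP/2 first flight (preface + SETTINGS + WINDOW_UPDATE)
# and the HTTP/1.1 request a browser sends for the same resource with HTTP/2 disabled.
SAMPLE_H2 = (H2_PREFACE
             + h2_frame(0x4, 0x0, 0, struct.pack(">HI", 0x3, 100))   # SETTINGS_MAX_CONCURRENT_STREAMS=100
             + h2_frame(0x8, 0x0, 0, struct.pack(">I", 1 << 20)))    # connection window +1 MiB
SAMPLE_H1 = b"GET /static/app.js HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("h2", SAMPLE_H2), ("http/1.1", SAMPLE_H1)):
        print(label, "->", classify_first_flight(sample), "| 1.x parser says:",
              http1_parse_error(sample))
    print(parse_h2_frames(SAMPLE_H2[len(H2_PREFACE):]))
```

Run as a script it prints the classification of both samples and the parse error the HTTP/1.x parser raises on the HTTP/2 preface. The same check applied to a decrypted capture shows at a glance which connections a 1.x-only inspection path cannot follow; it says nothing about how a given gateway reacts once that happens.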
the_rock
MVP Diamond

What versions are the gateways? Let me see if I can find the related SK for this. I had a case with T3 in DTAC and I know he gave me an article that has to do with this.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Hi! R81.20 JHF118

 

best regards,

Roman

0 Kudos
the_rock
MVP Diamond

Here you go...just follow this SK, I'm sure it will fix the issue. It needs a short maintenance window, since it involves cprestart, but if it's a cluster, you are good.

sk116022 - Check Point inspection of HTTP/2 protocol (RFC 7540)

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
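The parameter named in sk116022, IGNORE_ALPN_EXTENSION, refers to the TLS ALPN extension (RFC 7301): a browser advertises HTTP/2 by listing "h2" in the ALPN extension of its ClientHello, and the server answers with the single protocol it selected in its ServerHello; if the server returns no ALPN choice, the client uses HTTP/1.1 over the TLS connection. A gateway doing HTTPS Inspection sits in the middle of that exchange. The following is an added example, not from the thread and not Check Point code, and it makes no claim about how the gateway implements the setting: it builds and parses minimal ClientHello/ServerHello records so the offer and selection can be checked offline (the hello records are constructed, with placeholder random bytes and cipher suite), and `live_alpn` is a hypothetical helper on top of the standard `ssl` module for checking what a real site negotiates from the client's position, for instance once through the VPN tunnel and once directly through the gateway.

```python
"""TLS ALPN on the wire: what a browser offers and what the server picks.
Added example, not from the CheckMates thread and not Check Point code.
The hello records are constructed (placeholder random bytes and cipher suite)."""
import socket
import ssl
import struct

EXT_ALPN = 0x0010                           # extension type code (RFC 7301)

def alpn_extension(protocols):
    """RFC 7301 ALPN extension: length-prefixed list of length-prefixed names."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", EXT_ALPN, len(body)) + body

def _handshake_record(msg_type, body):
    """Wrap a handshake message in a TLS record (content type 0x16, version 1.2)."""
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def build_client_hello(protocols):
    """Minimal TLS 1.2 ClientHello: one cipher suite, null compression, ALPN."""
    exts = alpn_extension(protocols)
    body = (b"\x03\x03" + bytes(32)         # legacy_version, client random (placeholder)
            + b"\x00"                       # empty session_id
            + b"\x00\x02\xc0\x2f"           # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    return _handshake_record(0x01, body)

def build_server_hello(selected):
    """Minimal ServerHello; carries ALPN only if the server picked a protocol."""
    exts = alpn_extension([selected]) if selected else b""
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _handshake_record(0x02, body)

def _alpn_from_extensions(exts):
    """Walk an extensions block and decode the ALPN name list, or None if absent."""
    off = 0
    while off + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[off:off + 4])
        data = exts[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != EXT_ALPN:
            continue
        names, p = [], 2                    # skip the 2-byte protocol_name_list length
        while p < len(data):
            n = data[p]
            names.append(data[p + 1:p + 1 + n].decode("ascii"))
            p += 1 + n
        return names
    return None

def _hello_body(record, msg_type):
    if len(record) < 9 or record[0] != 0x16 or record[5] != msg_type:
        raise ValueError("not a TLS handshake record of the expected type")
    return record[9:]

def client_hello_alpn(record):
    """Protocols the client offered, e.g. ['h2', 'http/1.1'], or None without ALPN."""
    body = _hello_body(record, 0x01)
    off = 2 + 32 + 1 + body[34]             # legacy_version, random, session_id
    off += 2 + int.from_bytes(body[off:off + 2], "big")   # cipher_suites
    off += 1 + body[off]                    # compression_methods
    ext_len = int.from_bytes(body[off:off + 2], "big")
    return _alpn_from_extensions(body[off + 2:off + 2 + ext_len])

def server_hello_alpn(record):
    """Protocol the server selected, or None (the client then uses HTTP/1.1)."""
    body = _hello_body(record, 0x02)
    off = 2 + 32 + 1 + body[34] + 2 + 1     # ..., session_id, cipher_suite, compression
    ext_len = int.from_bytes(body[off:off + 2], "big")
    names = _alpn_from_extensions(body[off + 2:off + 2 + ext_len])
    return names[0] if names else None

def negotiated_protocol(client_record, server_record):
    """Outcome as the browser sees it; rejects a selection the client never offered."""
    offered = client_hello_alpn(client_record) or []
    chosen = server_hello_alpn(server_record)
    if chosen is None:
        return "http/1.1"
    if chosen not in offered:
        raise ValueError("server selected %r, which the client did not offer" % chosen)
    return chosen

def live_alpn(host, port=443, offer=("h2", "http/1.1")):
    """Network check (hypothetical helper, not exercised offline): the ALPN protocol
    that host negotiates from wherever this runs, using only the standard ssl module."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(list(offer))
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()
```

The offline functions are the same logic you would apply to ClientHello/ServerHello bytes pulled from a capture taken on the gateway: compare the client's offer against the server's selection on the inside and the outside of the inspection point. Calling `live_alpn("www.gesetze-im-internet.de")` from a client behind the gateway and again from a client in the tunnel gives the same comparison without a capture; a result of `h2` on one path and `http/1.1` on the other is direct evidence of where the HTTP/2 negotiation is being changed.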
Romaryo
Collaborator

Okay, thanks! Yesterday evening I also came across this SK. I’ll check what value this parameter has on our gateway. Yes, we have a cluster, but I’ll still need to coordinate the test time 🙂

 

best regards,

Roman

0 Kudos
Romaryo
Collaborator

[Expert@fw01:0]# ckp_regedit SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION
rc=-10 line=180
[Expert@fw01:0]#

What does that mean? The parameter is not defined?

0 Kudos
Romaryo
Collaborator

[strict_hold_configuration]
strict_hold_enable=1
enable_on_background_mode=0
min_size_to_upload=0
# when tex_over_te enabled - perform sending TEX extracted file to client without waiting for TE full emulation verdict.
tex_over_te=1
max_size_to_upload=100000000
flexible_hold_precent_to_send=50
flexible_hold_total_time_to_trickle_in_minutes=5

0 Kudos
the_rock
MVP Diamond

Correct.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Did I understand correctly that I need to disable HTTP2? 

 

To disable the HTTP/2 inspection on the Security Gateway:

-> 3. Set the value 1 for the parameter "IGNORE_ALPN_EXTENSION":
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1

 

best regards,

Roman

0 Kudos
the_rock
MVP Diamond

Yes.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

I really hope it works!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Me too 🙂 We've got a maintenance window for tomorrow, we'll test it and I'll report the results.

 

best regards,

Roman

the_rock
MVP Diamond

Im hopeful!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Romaryo
Collaborator

Thank you very much!

 

the_rock
MVP Diamond

Glad we can help you.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos