This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2021-08-24 11:24 PM

FIN timer in connection table is very high

I have created several scripts with the tool "fw ctl conntab" in the last days. This shows many parameters to the connections and the timer settings of the connection. I noticed that in many versions (e.g. R80.40 JHF 120, R81 and R81.10) the FIN timers are set very high partly approximately 10 hours. This concerns various firewall versions.

This means that many connections are still in the connection table with the status "DST-FIN, SRC-FIN, BOTH-FIN" for this time.

According to "TCP end timeout" the values should be much lower (20 sec vs 5 sec).

Is this a bug?

FIN_Timmer_sehr_gross.JPG

On the corresponding firewalls, the timers are still set to the default values.

FIN_Timmer_sehr_gross_statefull_inspection.JPG

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2021-08-27 12:07 PM

I assume this would need a TAC case to dig into.
My feeling is this is probably a cosmetic bug of some sort. 

Timothy_Hall
Legend Legend
Legend
‎2021-08-27 04:13 PM

Agree with Phoneboy here, this command wasn't even documented until I revealed it in my 2018 CPX speech and it is kind of known for having strange cosmetic issues that don't indicate an actual problem:

sk126573: Incorrect output of "fw ctl conntab" when CoreXL is enabled

 

 

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
Muazzam
Contributor
Contributor
‎2021-10-05 10:06 AM
In response to Timothy_Hall

I am currently researching an issue and hope to get some answers.

Version R80.20 T160
Hardware: 5600 (CoreXL = 2)
Throughput, typically 300Mbps but sometimes there are spikes that caused interface drops and I see all RX-ERR, RX-DRP and RX-OVR for a busy interface. The overall drops are under 0.0001%.


# fwaccel stats -s
Accelerated conns/Total conns : (100%)
Accelerated pkts/Total pkts : (99%)
F2Fed pkts/Total pkts : (0%)

# fwaccel stat
Accept Templates : disabled by Firewall
Layer XYZ Security disables template offloads from rule #5
Throughput acceleration still enabled.

All the high hit rules are below rule #5. Does this means that they are still getting accelerated? I have checked the top source/destination pairs in SXL table but I did not see any of these matching the high hit rules. Based on that it is hard to believe that the firewall is doing 99% acceleration?


When I run this command:
fwaccel conns | grep <IP_Address>

For most IP's I see the normal output that has mostly "established"
Flags are: ..N............ OR ..N......L.....

But for some IP addresses (from high hit rules) I only see "Both FIN"
What does that indicates?

0 Kudos
S_E_
Advisor
‎2021-10-05 11:41 PM

hi,

we did run in a similar issue with R80.30 and understood following:

TCP end timeout: A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet.

When a TCP connection ends (FIN packets sent or connection reset) the Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.

Regards

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top