ashish_verma
Contributor

Retransmission of packets on the gateway pcap but not on client pcap

Hello guys, this is a strange issue we are facing: the client is able to access the server on port 80, but the resources hosted on the server work sometimes and do not work at other times. In the tcpdump pcap file captured on the security gateway I see many retransmissions, but in the pcap file from the client machine I do not see retransmissions.

The client is directly connected to the Check Point firewall, an IPsec tunnel has been built between the Check Point and an ASA firewall, and the server is hosted behind the ASA firewall.

Has anyone faced this kind of issue? Could this be related to the Check Point or the tunnel?

Thanks in advance!!

0 Kudos
4 Replies
PhoneBoy
Admin

Assuming you mean "directly connected" in a Layer 3 sense (i.e. same subnet).
Unless one end of the cable is the Check Point device and the other end is the server, there is something "in between." 😉
Reminds me of a problem I ran into when I was a TAC engineer years ago that we ultimately determined was in the switch configuration.
Not saying that's the case here, but you definitely need to rule that out.
0 Kudos
Keval_Dhebar
Explorer

@PhoneBoy we have one VLAN migrated on firewall and it can't make https connection with WLC (WLC is not on firewall). 

FW logs from PC to WLC IP show bypass and accept
Wireshark shows TCP Spurious Retransmission from source IP to the WLC IP
It also shows it using TLSv1 and not TLS v1.1 or v1.2
All other wireshark captures from valid connections show TLSv1.2

Please suggest if any input to fix the issue.

0 Kudos
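The thread above turns on what a capture tool means when it flags a segment as a "retransmission" versus a "spurious retransmission" (data the receiver had already acknowledged). The following is an added example, not code from the original post, from Check Point or from Wireshark: it replays Wireshark's two basic heuristics over a small constructed packet list (relative sequence numbers, hypothetical addresses) so you can see which kind of retransmission a given capture point would report. The sample packets are invented for the example.

```python
"""Classify TCP data segments as ok / retransmission / spurious retransmission.

Added example. Heuristics mirror Wireshark's TCP analysis flags:
  - spurious retransmission: the segment's byte range was already ACKed
    by the receiver before this segment was seen;
  - retransmission: the segment starts below the highest byte already seen
    from this sender but has not yet been ACKed.
Sequence/ack numbers are relative (as Wireshark shows them), so wrap-around
is not handled here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pkt:
    src: str
    dst: str
    seq: int      # relative TCP sequence number
    ack: int      # relative TCP acknowledgement number
    length: int   # TCP payload bytes (0 for a pure ACK)


@dataclass
class FlowState:
    next_seq: int = 0     # highest seq+len seen in this direction
    acked_upto: int = 0   # highest ack the peer has sent for this direction


def classify(packets: List[Pkt]) -> List[Tuple[int, str]]:
    """Return (packet index, label) for every packet in capture order."""
    state: Dict[Tuple[str, str], FlowState] = {}
    labels: List[Tuple[int, str]] = []
    for i, p in enumerate(packets):
        fwd = state.setdefault((p.src, p.dst), FlowState())
        rev = state.setdefault((p.dst, p.src), FlowState())
        # The ack field of any packet acknowledges the reverse direction's data.
        if p.ack > rev.acked_upto:
            rev.acked_upto = p.ack
        if p.length == 0:
            labels.append((i, "ack"))
            continue
        end = p.seq + p.length
        if end <= fwd.acked_upto:
            label = "spurious"          # receiver already had these bytes
        elif p.seq < fwd.next_seq:
            label = "retransmission"    # resend of bytes not yet ACKed
        else:
            label = "ok"
        if end > fwd.next_seq:
            fwd.next_seq = end
        labels.append((i, label))
    return labels


def summarize(packets: List[Pkt]) -> Dict[str, int]:
    """Count labels; handy for comparing two capture points of the same flow."""
    return dict(Counter(label for _, label in classify(packets)))


# Constructed sample (hypothetical addresses), not from any real capture.
C, S = "10.0.0.5", "192.0.2.10"
SAMPLE = [
    Pkt(C, S, 0, 0, 100),      # 0: client sends bytes 0-99           -> ok
    Pkt(S, C, 0, 100, 0),      # 1: server ACKs up to 100             -> ack
    Pkt(C, S, 0, 0, 100),      # 2: bytes 0-99 again, already ACKed   -> spurious
    Pkt(C, S, 100, 0, 100),    # 3: bytes 100-199                     -> ok
    Pkt(C, S, 100, 0, 100),    # 4: bytes 100-199 again, no ACK yet   -> retransmission
    Pkt(S, C, 0, 200, 0),      # 5: server ACKs up to 200             -> ack
    Pkt(S, C, 0, 200, 1400),   # 6: server response data              -> ok
]

if __name__ == "__main__":
    for idx, label in classify(SAMPLE):
        print(idx, label)
    print(summarize(SAMPLE))
```

Run the same function over the packets seen at the gateway and at the client: if the gateway view is full of "retransmission" labels that never appear on the client side, the duplicates are being generated (or the originals lost) somewhere between the two capture points, which is the question the original post is asking.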
PhoneBoy
Admin

Please create a new thread with the details of your situation.
This will include all versions/JHF in use, a network diagram CLEARLY showing source/destination for the traffic as well as any gateways involved, packet captures (with details where/how they were taken), and any other evidence you can provide.

0 Kudos
Maarten_Sjouw
Champion

To see if the problem is tunnel related, set the MTU of the PC interface to 1400 and test again, or use TCP Optimizer (freeware) to find the maximum MTU and set that.
If that resolves your problem, look at MSS clamping.
Regards, Maarten
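The MTU test Maarten describes can be done without a third-party tool: send DF-flagged pings of increasing size and bisect on the largest one that gets through, then subtract the IP and TCP headers to get the MSS you would clamp to. The script below is an added example, not Check Point's, TCP Optimizer's or Maarten's code. It assumes Linux iputils `ping` (`-M do` sets DF; `-s` is the ICMP payload size) and takes the probe as a callable so the search itself can be exercised with a simulated path, which is what the constructed `simulated_probe` does.

```python
"""Path-MTU bisection with DF pings and MSS derivation.

Added example. Real probing uses Linux iputils ping with -M do; the probe
is injectable so the search logic runs without a network.
"""
import subprocess
from typing import Callable

IP_HDR = 20     # IPv4 header without options
ICMP_HDR = 8    # ICMP echo header
TCP_HDR = 20    # TCP header without options


def ping_df_probe(host: str, mtu: int, timeout_s: int = 1) -> bool:
    """True if an ICMP echo whose total IP size is `mtu` passes with DF set.

    Linux iputils: -M do sets Don't-Fragment, -s is the payload size, so the
    on-wire packet is payload + ICMP header + IP header. Assumed to be run
    from the client PC towards the server behind the tunnel.
    """
    payload = mtu - IP_HDR - ICMP_HDR
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
         "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest size in [lo, hi] the probe accepts; 0 if even `lo` fails.

    Binary search on "does size N pass?", which is monotonic for a fixed path.
    """
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_for_mtu(mtu: int) -> int:
    """MSS a gateway should advertise/clamp for a given path MTU (no TCP options)."""
    return mtu - IP_HDR - TCP_HDR


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df_probe: a path that drops anything above path_mtu."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        host = sys.argv[1]
        mtu = find_path_mtu(lambda n: ping_df_probe(host, n))
    else:
        # Offline demo against a hypothetical tunnel that carries 1418-byte packets.
        mtu = find_path_mtu(simulated_probe(1418))
    print(f"path MTU {mtu}, clamp MSS to {mss_for_mtu(mtu)}")
```

If the bisected value is well below 1500, the tunnel overhead is the reason the PC's default 1500-byte segments fail once DF is set, and the fix Maarten points at is to clamp MSS on the gateway rather than to lower the MTU on every client; Maarten's 1400-byte suggestion corresponds to an MSS of 1360.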
