https Traffic Dropped ... due to Out of sequence TCP packet retransmission. Stripping all packet data
Trying to understand what the exact cause/s for this PSL drop might be.
Anyone else seen it and found out more?
Log image attached. SK reference image attached.
"https Traffic Dropped from ... to ... due to Out of sequence TCP packet retransmission. Stripping all packet data. Please refer to sk172266."
I had this issue with customers a couple of times and below is what we did to fix it. Not saying it would work for you, but that's what did work in our case. You just need to put in the affected IPs/subnets in both src/dst.
Andy
Nice. Thanks!
I'm looking at SK122072
https://support.checkpoint.com/results/sk/sk122072
"Solution
These logs can be safely ignored and disabled by setting the following kernel parameter:
# fw ctl set int psl_disable_keepalive_logs 1"
But also thinking about MTUs, ring buffer sizes and also elephant flow (Hyperflow).
https://support.checkpoint.com/results/sk/sk42181
EDIT:
+ This is about image files being transferred over the network.
Well, here is my logic about this, and not only this, but really any traffic problem: IF those logs are an indication of the actual issue, then it needs to be addressed. However, if you see them but you are simply curious why they are there (and have no other problems), then those SKs would make sense.
Also, all TCP out of state means, in the most simple terms, is this: communication is broken somewhere along the way; the 3-way handshake is not happening properly.
Andy
ACK. Agree.
Did you confuse Out of Sequence with Out of State? 😉
I did, sorry lol. Did not get much sleep, had a Fortigate cutover at 4.30 am, so my apologies.
But here is the bigger question: is there an ACTUAL traffic issue, or are you simply concerned about the logs you see?
Andy
Hi Guys,
Do you have more info on why it is happening? We have a lot of these drops at the customer. It is HTTPS traffic from users to the Internet, and in the logs it is always
Invalid segment retransmission. Packet dropped. Please refer to sk172266. Streaming Engine: TCP Invalid Retransmission
and it's causing issues.
Is it related to brotli encoding or is it a general issue? - sk181282
Hi Martin,
Apologies for the late reply.
It may be best to open a ticket with TAC so that they can gather all the missing information (version, load & performance, and current configuration (including enabled blades, enabled protections and cluster config), along with maybe packet captures).
I don't have any more information on this and only have the SKs to refer to, but you could look at the Inspection Settings and look to add exceptions (screenshot attached).
If PSL is dropping (because it offers some attack prevention before IPS signature matching) then it could point to a real problem, but otherwise it might need an exception somewhere or maybe a Check Point Hot Fix(?)
Regards,
Don
Hi Don,
TAC investigated nothing, I had to do everything myself. Anyway, I found two issues.
Issue one, sk122072 - 'TCP out of Sequence' logs in SmartView Tracker:
the GW is marking keep-alives as out-of-state drops, which it should not do. We have a ticket.
Issue two, a lot of ACKs are disappearing in the customer network, making the retransmission invalid and out of state: the server has data and sends an ACK, the FW accepts the ACK and processes it, and after that the ACK disappears. The client retransmits and the FW drops it, because the ACK has already been seen and the segment is already out of state with an old seq number.
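As an added illustration, not code from this thread or from Check Point, here is a toy tracker for one direction of a TCP stream showing why both cases discussed above look like "out of sequence" segments to a stateful middlebox: an RFC 1122 keep-alive probe (sequence number one below the next expected byte, 0 or 1 bytes of payload), which sk122072 says can safely be ignored, and a client retransmission of data the server already ACKed, where the ACK was lost behind the firewall as described in this post. Sequence numbers and segment sizes are constructed; the class names are assumptions and not Check Point's Streaming Engine.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes (0 for a pure ACK or keep-alive probe)

class DirectionTracker:
    """Constructed model of middlebox state for client->server data and
    the server's ACKs for it (not Check Point's Streaming Engine)."""
    def __init__(self, isn: int):
        self.next_seq = isn   # next new byte expected from the client
        self.acked = isn      # highest byte the server has ACKed so far
        self.verdicts = []

    def client_segment(self, seg: Segment) -> str:
        end = seg.seq + seg.length
        if seg.seq == self.next_seq:                  # fresh in-order data
            self.next_seq = end
            verdict = "accept"
        elif seg.length <= 1 and seg.seq == self.next_seq - 1:
            # RFC 1122 keep-alive: seq = snd_nxt - 1 with 0 or 1 garbage
            # byte. Harmless, but out of sequence to a naive tracker.
            verdict = "keepalive"
        elif end <= self.acked:
            # Every byte was already ACKed. The middlebox saw that ACK but
            # the client evidently did not (lost behind the FW), so a strict
            # engine treats the retransmit as stale and drops it.
            verdict = "invalid_retransmission"
        elif seg.seq < self.next_seq:
            verdict = "retransmission"                # not yet ACKed: legit
        else:
            verdict = "out_of_order"                  # gap before this seq
        self.verdicts.append(verdict)
        return verdict

    def server_ack(self, ack: int) -> None:
        """Record the server's ACK as the middlebox sees it, whether or not
        it later reaches the client."""
        self.acked = max(self.acked, min(ack, self.next_seq))

def lost_ack_scenario() -> list:
    """Client sends 100 bytes, server ACKs, the ACK vanishes downstream,
    the client retransmits, then later sends an idle keep-alive probe."""
    t = DirectionTracker(isn=1000)
    t.client_segment(Segment(1000, 100))  # accept, next_seq -> 1100
    t.server_ack(1100)                    # ACK crosses the FW, then is lost
    t.client_segment(Segment(1000, 100))  # client RTO -> invalid_retransmission
    t.client_segment(Segment(1099, 0))    # keep-alive probe -> keepalive
    return t.verdicts
```

Run without the `server_ack` call and the same retransmit is classified as an ordinary retransmission, which is the difference between a client that never got the ACK and one whose ACK was lost after the firewall had already seen it.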
How did you solve the issue?
Issue one: I have set fw ctl set int psl_disable_keepalive_logs 1,
but with no effect. Also curious how you solved issue 2.
If you like this post please give a thumbs up(kudo)! 🙂
For us this worked - fw ctl set int psl_disable_keepalive_logs 1;
we don't see keep-alives as drops anymore.
Issue two: we don't know where exactly, but it has to be the customer environment, probably the core router or the asymmetric routing which, as we found out, is there.
If it does not work for you - fw ctl set int psl_disable_keepalive_logs 1 -
then it's probably not keep-alive traffic but something else which is making the TCP retransmission out of sequence.
