This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2021-03-21 09:52 AM

rad - connections to cws.checkpoint.com stay in close_wait for 180min

R80.40 take 94

I have noticed in the smartconsole logs that about 10 connections per hour sourced from the gateway to cws.checkpoint.com get dropped by the firewall itself saying  that "first pack isn't syn" tcp flags FIN-ACK.

After digging a bit I noticed that the gateway receives the FIN, sends the FIN-ACK but it only sends the FIN 3 hours later by then the tcp entry is not in the tcp sessions table and therefore the gateway drops the connection.

With netstat I can see that those connections are likely opened with the rad process

[Expert@fw1:0]# netstat -apn
tcp 1 0 1.1.1.1:55962 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55736 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55734 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55700 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55960 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55862 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55928 1.1.1.2:80 CLOSE_WAIT 13470/rad
tcp 1 0 1.1.1.1:55896 1.1.1.2:80 CLOSE_WAIT 13470/rad

I wonder why the gateways delays the closure for 3 hours

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2021-03-21 02:51 PM

That sounds worthy of a TAC case.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events