This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kamiar_Sh
Contributor
‎2019-08-19 09:59 AM

upgrading security gateways in a cluster from R77.30 to R80.20

Hi All,

I have upgraded my cluster R77.30 to R80.20 last week and I faced an issue after upgrading as follow:

Unix server couldn`t send files to FTP server via FTP passive mode and after 2, 3 hours troubleshooting I disabled the SecureXL and issue resolved so do you have any suggestion or thought?

Thanks

0 Kudos
5 Replies
HelioLeite
Employee Alumnus
Employee Alumnus
‎2019-08-19 10:15 AM

are there asymmetric traffic in this environment or Anti-Virus or IPS blade enabled in this environment to inspect FTP traffic?
0 Kudos
Kamiar_Sh
Contributor
‎2019-08-19 10:24 AM
In response to HelioLeite

after upgrading IPS was enabled but his act was only detect then I disabled it for time being 

0 Kudos
HelioLeite
Employee Alumnus
Employee Alumnus
‎2019-08-19 11:12 AM
In response to Kamiar_Sh

I saw a similar problem with terminal services, are there any symptom occurred on sk147093?

Kernel debug (fw ctl zdebug + drop) shows the following packet drops:
[DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<SrouceIP,SourcePort,DestinationIP,DestinationPort,6>][PPK0];
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <SrouceIP,SourcePort,DestinationIP,DestinationPort,6> -> dropping packet ;
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<SrouceIP,SourcePort,DestinationIP,DestinationPort,6>;


Issue does not replicate when SecureXL is off.


PhoneBoy
Admin
Admin
‎2019-08-20 10:49 AM

Anytime disabling SecureXL "solves" a problem, open a TAC case.
Kamiar_Sh
Contributor
‎2019-11-06 11:15 AM

Hi All,

I want to share the solution that fixed my issue:

# fw ctl set int asm_allow_syn_with_data 1

but if you want it as permanent solution  the kernel file should be modified and gateway should be rebooted 

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events