andrzej_starmac
Explorer

Why is Checkpoint dropping an HTTP 302 redirect?

Hi All,

In the setup there is a Load Balancer (which, upon the client's initial HTTP connection, does a 302 HTTP redirect to the HTTPS site).

After upgrading the software version on the LB, CheckPoint with IPS is dropping that 302 - it is sending a TCP Reset packet to the Load Balancer and an HTTP/1.1 503 Service Unavailable to the client:

HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 768

<HTML><HEAD>
<TITLE>Network Error</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big>Network Error (tcp_error)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
A communication error occurred: ""
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>

There is a slight difference in the HTTP header of that 302 generated by the Load Balancer on the older and newer versions:

1. Older software version of the Load Balancer - CheckPoint not dropping it:
HTTP/1.1 302 Moved Temporarily
Location: https://www.abs.com/
Connection: close
Cache-Control: no-cache
Pragma: no-cache

2. New software version of the Load Balancer - 302 dropped by Checkpoint:
HTTP/1.1 302 Found : Moved Temporarily
Location: https://www.abs.com/
Connection: close
Cache-Control: no-cache
Pragma: no-cache

Can you advise why IPS is dropping the above (2) HTTP 302? Does it not 'like' the colon in the header, or is it something else?

Thanks,

Andy

Vladimir
Champion

Can you post the event from the smartlog for the initial connection and the drop?

How is the load balancer object defined in CP?

PhoneBoy
Admin

Looks like one of the IPS signatures is thinking the response from the Load Balancer is invalid.

In which case you may want to engage with the TAC so we can adjust the relevant signatures.

Contact Support | Check Point Software 

PhoneBoy
Admin

Some discussion in the background with R&D suggests this is actually an issue with the HTTP Parser.

In which case it will involve a code-level fix, thus you will definitely need to speak with the TAC https://community.checkpoint.com/people/astar5e2fe84e-e920-3831-8ecf-31e66fbaaf62

andrzej_starmac
Explorer

Thanks a lot for your help. 

It looks like the issue is with the HTTP parser in Checkpoint; the RFC does not forbid using the ":" (colon) character in the Reason Phrase of the 302 HTTP response.

I will not be going via Checkpoint TAC. 

Please pass it on to your engineering if there is interest in fixing this in the end (it seems like this code issue has been in Checkpoint for many years now).

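The point raised in the original question (does the IPS dislike the colon?) and the conclusion in the reply above (the RFC does not forbid it) both come down to the status-line grammar in RFC 7230 section 3.1.2: reason-phrase = *( HTAB / SP / VCHAR / obs-text ), and ':' is a VCHAR. As an added example, not code from the original post and not Check Point's parser, here is a small Python response-head parser that validates the reason phrase against that grammar and accepts both status lines quoted in the thread, beside a hypothetical over-strict reason-phrase policy (`overstrict_reason_ok`) that illustrates the class of parser bug which would pass the old line and drop the new one. The two sample responses are constructed from the headers quoted in the post; the `classify` function and its "pass"/"drop" outcome are assumptions for illustration.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed sample response heads, built from the two header sets quoted in
# the thread (bodies omitted). Not captured traffic.
OLD_LB_302 = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: https://www.abs.com/\r\n"
    b"Connection: close\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)
NEW_LB_302 = (
    b"HTTP/1.1 302 Found : Moved Temporarily\r\n"
    b"Location: https://www.abs.com/\r\n"
    b"Connection: close\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
)

# RFC 7230 section 3.1.2:
#   status-line   = HTTP-version SP status-code SP reason-phrase CRLF
#   reason-phrase = *( HTAB / SP / VCHAR / obs-text )
# VCHAR is %x21-7E and obs-text is %x80-FF, so ':' (0x3A) is legal in the
# reason phrase; only CR, LF and other control characters are excluded.
REASON_PHRASE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")
STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3}) (.*)$")


def rfc_reason_ok(reason: str) -> bool:
    """True if the reason phrase is valid under the RFC 7230 grammar."""
    return REASON_PHRASE.match(reason) is not None


def overstrict_reason_ok(reason: str) -> bool:
    """Hypothetical over-strict policy (letters and spaces only) used here to
    illustrate the bug class. It is NOT a description of Check Point's parser."""
    return re.match(r"^[A-Za-z ]*$", reason) is not None


def parse_status_line(line: str) -> Tuple[str, int, str]:
    """Split 'HTTP/1.1 302 Found : Moved Temporarily' into (version, code, reason).
    The reason phrase is everything after the second SP, colons included."""
    m = STATUS_LINE.match(line)
    if m is None:
        raise ValueError(f"malformed status line: {line!r}")
    major, minor, code, reason = m.groups()
    if not rfc_reason_ok(reason):
        raise ValueError(f"illegal character in reason phrase: {reason!r}")
    return f"{major}.{minor}", int(code), reason


def parse_response_head(raw: bytes) -> Dict[str, object]:
    """Parse a response head (status line + header fields up to the blank line)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    version, code, reason = parse_status_line(lines[0])
    headers: Dict[str, str] = {}
    for field in lines[1:]:
        # header-field = field-name ":" OWS field-value OWS. Split on the FIRST
        # colon only, so 'Location: https://...' keeps the colon in its value.
        name, colon, value = field.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header field: {field!r}")
        headers[name.lower()] = value.strip()
    return {"version": version, "code": code, "reason": reason, "headers": headers}


def classify(raw: bytes, reason_check: Callable[[str], bool] = rfc_reason_ok) -> str:
    """Return 'pass' or 'drop' for a response head under a reason-phrase policy.
    Hypothetical inspection verdict for illustration only."""
    try:
        parsed = parse_response_head(raw)
    except ValueError:
        return "drop"
    return "pass" if reason_check(str(parsed["reason"])) else "drop"


if __name__ == "__main__":
    for label, sample in (("old LB", OLD_LB_302), ("new LB", NEW_LB_302)):
        print(label, "RFC policy:", classify(sample),
              "| over-strict policy:", classify(sample, overstrict_reason_ok))
```

Run stand-alone it reports both samples as "pass" under the RFC grammar and only the new status line as "drop" under the over-strict policy, which is the asymmetry the thread observed between the two Load Balancer versions. The header loop also shows why splitting the whole head on ':' is the wrong approach: the Location value legitimately contains a colon, so only the first colon of each field line is a delimiter and the status line is not a field at all.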
PhoneBoy
Admin

I believe there is already a fix for it.

If you want it, then you will need to get it from TAC.
