Re: Legitimate traffic being blocked - R80.20

Rafael_Lima1 · ‎2019-02-26

After migration to R80.20 we are having a legitimate traffic being blocked, filtering via "fw ctl zdebug drop", we receive the following log:

@;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled

We opened a SR and passed us the SK33328, which was done but did not work, we still have connection problems sometimes.

The traffic is from an apache server to an nginx, TCP / 443

Anyone else went through this and could help?

G_W_Albrecht · ‎2019-02-27

sk109777 give the sk33328 - How to clear $FWDIR/state/ directory to resolve policy corruption issues as the solution. If this has only resolved parts of your issue, the reason could not be file corruption only ! In sk97876, there is a known issue with CP versions < R77.20 - but that is unsuppported by now. What version do you use ?

Rafael_Lima1 · ‎2019-02-27

Hi,

Running sk33328 has not changed anything in behavior, it is occurring in the same way.

Environment:
Check Point's software version R80.20 - Build 255
kernel: R80.20 - Build 014
JHF Take: 17
OpenServer R730

G_W_Albrecht · ‎2019-02-27

Then i would involve TAC even more ! JHF Take: 17 is the GA from 8.1.19 - current GA is 33, Ongoing Take 47, so that installing a newer Jumbo would be the first suggestion !

What do you mean by OpenServer R730 ? R77.30 GWs Jumbo Take ... ?

Rafael_Lima1 · ‎2019-02-27

We already have SR open, but have a few days without an answer.  No, it's the server model, Dell PowerEdge R730.

Rafael_Lima1 · ‎2019-03-06

We installed JHF 33, but the problem still continues.

Cesar_Almada · ‎2019-05-20

i have the jumbo hotfix accumulator take 47
but the problem persist

Timothy_Hall · ‎2019-05-20

Part of your error message is F2P which is "Forward to PSL" in R80.20, which I think is SecureXL dumping the inspection for that connection up to a worker core and it can't. Either this is some kind of bug with handling the connection, or it could be similar to an "instance is fully utilized" situation encountered in R80.10 and earlier like this: sk61143: Traffic is dropped by CoreXL with "fwmultik_inbound_packet_from_dispatcher Reason: Instance...

What is your CoreXL split (fw ctl affinity -l -r) and do these drops tend to occur when one or more of your Firewall worker/instances are at 100% CPU? You might need more of them if so...

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

tpoole_global · ‎2019-05-20

pls open a TAC case to verify

Chris_Wilson · ‎2019-07-03

So, what was the resolution here?

ThomasH · ‎2019-07-10

Hi,

we had the same issue. Solution was to downgrade the gateway (appliance) back to R80.10.

Muazzam · ‎2019-08-13

Can you share any other update?

Did you look at sk150933?

Thank You

Rene_Rosenkrant · ‎2019-08-09

I see drops of return trafic similar to this on Jumbo 87. I will open a case now.

Muazzam · ‎2019-08-13

I have the same issue, R80.20 T47 - Hardware 13800.

I am assuming this starts after the upgrade R77.30 >> R80.20, because a similar (function) firewall with R77.30 does not have this issue but the R77.30 firewall has a very low load, so not 100% sure.

Overall none of the SND / worker CPU's are not showing spikes - firewall is not overloaded.

We were recommended SK150933 - increase value of psl_max_future_segments from 8 to 16G. I want to make sure about this issue before jumping to the solution.

Chris_Wilson · ‎2019-08-13

I opened a case. Running R80.20 we went to Take 87, and then TAC gave us a hotfix - fw1_wrapper_HOTFIX_R80_20_JHF_T87_183_MAIN_GA_FULL.tgz for the fwpslglue_chain Reason: PSL Reject: internal - reject enabled; errors.

Michael_Horne · ‎2019-08-14

Hello,

Does anyone know if this hotfix "fw1_wrapper_HOTFIX_R80_20_JHF_T87_183_MAIN_GA_FULL.tgz" will be integrated into next released Jumbo hotfix, as I also have this issues with "fwpslglue_chain Reason: PSL Reject: internal - reject enabled" for FTP traffic on R80.20.

Many thanks,

Michael

Radu_Dr · ‎2019-08-20

IPS-Exceptions "solved" the issue... Increasing the psl_max_future_segments had no positive effect to the droped traffic.

Scipion · ‎2019-10-07

Hello,

We have the same problem. R80.20 gateways with take 91. If we disable Anti-Virus blade - everything works.

Exceptions don't work.

bign · ‎2019-11-07

Same problem with fwpslglue and fwmultik_process dropping packets, only our error is due to "internal streaming."

Occurred after R80.20 upgrade, Take 101.

We tried increasing PSL buffer and this only solved the problem for a few days. No antivirus blade is in use. No IPS detects on this "internal streaming" activity are being logged, so I don't see what exception can be added.

We are going to try disabling CoreXL today.

Khalid_Aftas · ‎2020-05-02

Did you fix the issue with that hotfix ?

We have the same error with r80.30 latest GA.

Ilya_Yusupov · ‎2020-05-03

Hi @Khalid_Aftas,

can you share the exact drops you are getting on R80.30?

Thanks,

Ilya

Khalid_Aftas · ‎2020-05-03

@;888290;[vs_2];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 194.79.41.46:443 -> 10.160.35.190:61925 dropped by fwpslglue_chain Reason: PSL Reject: TLS_PARSER;
@;888290;[vs_2];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 194.79.41.46:443 -> 10.160.35.190:61925 dropped by fwpslglue_chain Reason: PSL Reject: TLS_PARSER;
@;888290;[vs_2];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 194.79.41.46:443 -> 10.160.35.190:61925 dropped by fwpslglue_chain Reason: PSL Reject: TLS_PARSER;

website is nbs.rs (banking category), if you want to take a look at the certificate.

r80.30 take 191, https inspection on, with any any bypass.

I have a TAC case to look into it atm.

Ilya_Yusupov · ‎2020-05-03

This is different drop than the one mention in this thread.

can you please share the number of your case?

Khalid_Aftas · ‎2020-05-03

Sure, 6-0001989935

Thx.

Ilya_Yusupov · ‎2020-05-03

Thank you !!!

i will review and try to see if it's replicated in my lab as well.

i will update you with my progress.

Julian_Sanchez · ‎2020-08-12

Hi guys,

I have the same error in appliance SMB 1590 R80.20.10.

@;7456944;[cpu_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:443 -> y.y.y.y:36563 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled

Any solutions for this?