This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Rafael_Lima1
Participant
‎2019-02-26 04:03 PM

Legitimate traffic being blocked - R80.20

After migration to R80.20 we are having a legitimate traffic being blocked, filtering via "fw ctl zdebug drop", we receive the following log:

@;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled

We opened a SR and passed us the SK33328, which was done but did not work, we still have connection problems sometimes.

The traffic is from an apache server to an nginx, TCP / 443

Anyone else went through this and could help?

0 Kudos
25 Replies
G_W_Albrecht
Champion
Champion
‎2019-02-27 02:46 AM

sk109777 give the sk33328 - How to clear $FWDIR/state/ directory to resolve policy corruption issues as the solution. If this has only resolved parts of your issue, the reason could not be file corruption only ! In sk97876, there is a known issue with CP versions < R77.20 - but that is unsuppported by now. What version do you use ?

0 Kudos
Rafael_Lima1
Participant
‎2019-02-27 03:20 AM
In response to G_W_Albrecht

Hi,

Running sk33328 has not changed anything in behavior, it is occurring in the same way.

Environment:
Check Point's software version R80.20 - Build 255
kernel: R80.20 - Build 014
JHF Take: 17
OpenServer R730

0 Kudos
G_W_Albrecht
Champion
Champion
‎2019-02-27 03:57 AM
In response to Rafael_Lima1

Then i would involve TAC even more ! JHF Take: 17 is the GA from 8.1.19 - current GA is 33, Ongoing Take 47, so that installing a newer Jumbo would be the first suggestion !

What do you mean by OpenServer R730 ? R77.30 GWs Jumbo Take ... ?

0 Kudos
Rafael_Lima1
Participant
‎2019-02-27 04:18 AM
In response to G_W_Albrecht 

We already have SR open, but have a few days without an answer.  No, it's the server model, Dell PowerEdge R730.
Rafael_Lima1
Participant
‎2019-03-06 01:36 PM
In response to G_W_Albrecht

We installed JHF 33, but the problem still continues.

0 Kudos
Cesar_Almada
Explorer
‎2019-05-20 10:20 AM
In response to Rafael_Lima1

i have the jumbo hotfix accumulator take 47
but the problem persist
0 Kudos
Timothy_Hall
Champion
Champion
‎2019-05-20 03:36 PM

Part of your error message is F2P which is "Forward to PSL" in R80.20, which I think is SecureXL dumping the inspection for that connection up to a worker core and it can't.  Either this is some kind of bug with handling the connection, or it could be similar to an "instance is fully utilized" situation encountered in R80.10 and earlier like this: sk61143: Traffic is dropped by CoreXL with "fwmultik_inbound_packet_from_dispatcher Reason: Instance...

What is your CoreXL split (fw ctl affinity -l -r) and do these drops tend to occur when one or more of your Firewall worker/instances are at 100% CPU?  You might need more of them if so...

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
tpoole_global
Employee
Employee
‎2019-05-20 04:22 PM
In response to Timothy_Hall

pls open a TAC case to verify
0 Kudos
Chris_Wilson
Participant
‎2019-07-03 02:23 PM
In response to tpoole_global

So, what was the resolution here?

0 Kudos
ThomasH
Explorer
‎2019-07-10 04:49 AM
In response to Chris_Wilson

Hi,

we had the same issue. Solution was to downgrade the gateway (appliance) back to R80.10.

 

0 Kudos
Muazzam
Contributor
‎2019-08-13 11:53 AM
In response to ThomasH

Can you share any other update?

Did you look at sk150933?

Thank You

0 Kudos
Rene_Rosenkrant
Participant
‎2019-08-09 02:34 AM

I see drops of return trafic similar to this on Jumbo 87. I will open a case now.

0 Kudos
Muazzam
Contributor
‎2019-08-13 11:13 AM

I have the same issue, R80.20 T47 - Hardware 13800.

I am assuming this starts after the upgrade R77.30 >> R80.20, because a similar (function) firewall with R77.30 does not have this issue but the R77.30 firewall has a very low load, so not 100% sure.

Overall none of the SND / worker CPU's are not showing spikes - firewall is not overloaded.

We were recommended SK150933 - increase value of psl_max_future_segments from 8 to 16G. I want to make sure about this issue before jumping to the solution.

0 Kudos
Chris_Wilson
Participant
‎2019-08-13 12:04 PM

I opened a case. Running R80.20 we went to Take 87, and then TAC gave us a hotfix - fw1_wrapper_HOTFIX_R80_20_JHF_T87_183_MAIN_GA_FULL.tgz for the fwpslglue_chain Reason: PSL Reject: internal - reject enabled; errors.

0 Kudos
Michael_Horne
Collaborator
‎2019-08-14 06:11 AM
In response to Chris_Wilson

Hello,

Does anyone know if this hotfix "fw1_wrapper_HOTFIX_R80_20_JHF_T87_183_MAIN_GA_FULL.tgz" will be integrated into next released Jumbo hotfix, as I also have this issues with "fwpslglue_chain Reason: PSL Reject: internal - reject enabled" for FTP traffic on R80.20.

Many thanks,

Michael

0 Kudos
Radu_Dr
Explorer
‎2019-08-20 03:35 AM
In response to Michael_Horne

IPS-Exceptions "solved" the issue... Increasing the psl_max_future_segments had no positive effect to the droped traffic.

0 Kudos
Scipion
Contributor
‎2019-10-07 06:25 AM
In response to Radu_Dr

Hello,

 

We have the same problem. R80.20 gateways with take 91. If we disable Anti-Virus blade - everything works.

Exceptions don't work.

0 Kudos
bign
Explorer
‎2019-11-07 05:31 AM

Same problem with fwpslglue and fwmultik_process dropping packets, only our error is due to "internal streaming."

Occurred after R80.20 upgrade, Take 101.

We tried increasing PSL buffer and this only solved the problem for a few days. No antivirus blade is in use. No IPS detects on this "internal streaming" activity are being logged, so I don't see what exception can be added.

We are going to try disabling CoreXL today.

0 Kudos
Khalid_Aftas
Contributor
‎2020-05-02 09:31 AM
In response to bign

Did you fix the issue with that hotfix ?

 

We have the same error with r80.30 latest GA.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-05-03 12:55 AM
In response to Khalid_Aftas

Hi @Khalid_Aftas,

 

can you share the exact drops you are getting on R80.30?

 

Thanks,

Ilya  

0 Kudos
Khalid_Aftas
Contributor
‎2020-05-03 04:29 AM
In response to Ilya_Yusupov

@;888290;[vs_2];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 194.79.41.46:443 -> 10.160.35.190:61925 dropped by fwpslglue_chain Reason: PSL Reject: TLS_PARSER;
@;888290;[vs_2];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 194.79.41.46:443 -> 10.160.35.190:61925 dropped by fwpslglue_chain Reason: PSL Reject: TLS_PARSER;
@;888290;[vs_2];[tid_4];[fw4_4];fw_log_drop_ex: Packet proto=6 194.79.41.46:443 -> 10.160.35.190:61925 dropped by fwpslglue_chain Reason: PSL Reject: TLS_PARSER;

 

website is nbs.rs (banking category), if you want to take a look at the certificate.

r80.30 take 191, https inspection on, with any any bypass.

I have a TAC case to look into it atm.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-05-03 04:35 AM
In response to Khalid_Aftas

This is different drop than the one mention in this thread.

 

can you please share the number of your case?

0 Kudos
Khalid_Aftas
Contributor
‎2020-05-03 04:37 AM
In response to Ilya_Yusupov

Sure, 6-0001989935

Thx.
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-05-03 04:50 AM
In response to Khalid_Aftas

Thank you !!!

 

i will review and try to see if it's replicated in my lab as well.

 

i will update you with my progress.

0 Kudos
Julian_Sanchez
Collaborator
‎2020-08-12 11:05 AM
In response to bign

Hi guys, 

I have the same error in appliance SMB 1590 R80.20.10.

@;7456944;[cpu_3];[fw4_3];fw_log_drop_ex: Packet proto=6 x.x.x.x:443 -> y.y.y.y:36563 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled

Any solutions for this?

 

0 Kudos