Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Traffic is being block with the reason connection terminated before detection

Dear @PhoneBoy and @Teams

I have been facing this issue for long time. Actually i have two image to show you as a case

Case : Image 1 

On the first image the traffic is seen as accept by rule 21.1 with the reason Connection terminated before detection: Insufficient data passed. To learn more see sk113479.

This traffic is also match on rule 21.2 which is a accept rule on port 80.

Results: The connection was block even though there is a accept policy rule 21.2 for this traffic.

 

 Case : Image 2 

On the Second image the traffic is seen as drop by rule Sub Cleanup Rule with the reason Connection terminated before detection: Insufficient data passed. To learn more see sk113479.

This traffic is also match on Sub-Cleanup Rule which is a drop rule for unmatched traffic.

Results: The connection was block by the Sub Cleanup Rule but unfortunately we can see the traffic is being passed and is allowed on the core firewall where there is the policy for this traffic. 

 

Conclusion: 

Can you Please explain me what does Connection terminated before detection: Insufficient data passed. To learn more see sk113479 means. This reason is seen on both accept and drop logs and when it says accept the traffic is actually still block and when it say drop by external firewall the same traffic is seen as allow in internal firewall with the same checkpoint vendor firewall. What kind of this behavior it is i really can't understand. i have verify all the policy rule and the traffic, all the source ip and destination ip and the service port is the same. Also have latest hotfix installed for r80.20.

@PhoneBoy  Need your help to understand this. there might be some explanation or solution for this.

 

0 Kudos
15 Replies
Highlighted
Admin
Admin

The SK referenced in the error is fairly clear: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You need to dig into both logs to determine the precise reason.
For a little background on the problem of detecting applications in connections in general, see: https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/
0 Kudos
Highlighted

@PhoneBoy Any idea how to workaround this "Connection terminated before detection: Insufficient data. <X> bytes passed"

How to disable engine/application detection for a specific traffic? I just want it to pass.

FW accelerator ? Or something else?

Thanks in advance.

0 Kudos
Highlighted

We had same issue on r80.30 with latest Jumbo hotfix.

Any help will be appreciated.

Thanks 

0 Kudos
Highlighted
Admin
Admin

The traffic is already passing.
The log message is explicitly telling you this.
0 Kudos
Highlighted

Due to logs traffic is accepted. 

BUT the application(3rd party manually written software) obviously was not working.

The "fw ctl fast_accel" on the exact traffic seems to solve the problem.

In fact did it use more memory? For a couple of days appliance(5200) is not going under 90% of RAM usage.

Also some "java" is eating CPU. I can post images from "top, free -m" etc.

I see there is new JHF but it probably would need a restart and I will wait for non-working hours.

0 Kudos
Highlighted

 

 

Thanks your reply.

I did see log shows "accept". but it also says "connection terminated"

if firewall honor the connection, it should say "connection NOT terminated". kind of confuse.

I see at least two different scenario:

1: the TCP session did not finish 3 way handshake and get "connection terminated"

2: sever sent syn ack, client "reset" connection and get "connection terminated"

0 Kudos
Highlighted

In my case CP logs state that there is too little data info for inspection engine to understand the application.

I understand it this way - application sending different MTU packets or app data in packets is not standart.

Port is standart 80/443 but app itself could open some higher unknown ports.

There is an SK above, take a look. It helped me.

Rather than this solution for me was FW accelerator:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Highlighted
Admin
Admin

To be clear, the message means: "We allowed the connection and it terminated before we could fully classify what application it was."
That means it completed the three-way handshake, passed a small amount of data, and terminated successfully.

0 Kudos
Highlighted

Could this be a reason for APP or URL filter to block the app? Because it is "unknown"?

In URL I have Cleanup accept all rule - should not be this one.

0 Kudos
Highlighted
Admin
Admin

App Control or URL Filtering requires a certain amount of traffic to pass to positively classify traffic, as described here: https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/ 
If it hasn't classified the traffic after a certain number of bytes, it's classified as "Unknown" and if your policy is configured to block that, it will.

0 Kudos
Highlighted

Hi @Rabindra_Khadka ,

I face same issue two weeks back, the issue was the return traffic arrives at the different interface, please capture tcpdump on incoming and outgoing interface to make sure that traffic is flowing without any issue. before go for deep troubleshooting.

Best Regards,

0 Kudos
Highlighted

Thanks all your guys respond.

The information you provided are valuable to me. CheckMates community is  a great platform. 

Highlighted

Did you manage to fix the issue? how?

0 Kudos
Highlighted

Have you already checked the possible solution from @User-checkpoint ?

We also had the same issue and found out that we had a asymentric routing in a very specific scenario. After we solved the routing issue, we didnt get the "Connection terminated before detection: Insufficient data passed.anymore.

0 Kudos
Highlighted
Ivory

We have almost same stiuation here, traffic should be dropped by our policy but when we look at logs, logs are accept but its said connection terminated before detection. There is no any routing issues. Checkpoint support said firewall did not block any traffic when you see these logs but it seems do.

0 Kudos