checkblast
Participant

[Quantum Spark - Invalid Segment Retransmission. Packet Dropped]

Hi guys,

 

I am getting some issues when working over a third party remote VPN connection through a Quantum Spark.

The Quantum Spark is configured in Bridge mode with all security services activated.

The third party VPN client establishes correctly and we are able to ping the remote servers.

As the RDP session is launched the VPN session is disconnected.

Attached is the error message seen in the logs.

 

Regards,

0 Kudos
6 Replies
_Val_
Admin

Are you sure this is the only log from the time of the failed tunnel? It does not seem to be relevant to either RDP or VPN.

0 Kudos
checkblast
Participant

Hi.

The 3rd party VPN client is DrayTek Smart VPN, which is used to connect to a remote gateway over the Internet through the Quantum Spark. As per the tests conducted, the problem is observed when the Fast SSL option is activated on the VPN client.

When the Fast SSL option is activated on the client, the VPN session is established and ping to remote servers work fine. When initiating RDP sessions, the VPN session is disconnected.

When the Fast SSL option is disabled on the client, the VPN session is established and ping to remote servers works fine. RDP sessions also work seamlessly.

As per logs, a packet drop is noticed when initiating the sessions with the Fast SSL option activated.

See attachment.

Regards,

0 Kudos
the_rock
Champion

I could be wrong when I say this, but based on the screenshot you attached, it would appear it's potentially an IPS issue, though it gives an attack name, but there is no confidence level.

Andy

0 Kudos
_Val_
Admin

Please open a TAC case for this

0 Kudos
G_W_Albrecht
Legend

Why not disable the Fast SSL option?

CCSE CCTE SMB Specialist
0 Kudos
Timothy_Hall
Champion

I'm not able to determine what "Fast SSL" means from the DrayTek documentation, but I did see that this setting is now disabled by default in the later 2019 releases. I'd guess perhaps it shortens the TCP retransmit timers so that it is more "impatient", particularly when negotiating the initial HTTPS connection for the VPN. It is possible that it isn't getting a fast enough response for its impatience and is retransmitting before it is supposed to based on RTT, and running afoul of the Inspection Setting "Invalid TCP Retransmission". This enforcement will basically stall the HTTPS/443 connection in this case and result in the disconnection of the VPN.

Try changing the Inspection Setting "Invalid TCP Retransmission" from Drop to Accept on the firewall and see if Fast SSL still works.  I'd really not advise leaving this protection in the Accept state though, and believe that disabling Fast SSL would be a better solution as clearly whatever that feature is doing is not RFC compliant.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
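The mechanism Timothy_Hall's reply describes, as an added example that is not part of the thread and is neither Check Point's nor DrayTek's code: a simplified, stateful model of an "invalid TCP retransmission" protection run over a constructed trace of one client-to-server direction of an HTTPS flow. It remembers every payload byte it has forwarded per flow and flags a later segment as an invalid retransmission when the retransmitted bytes differ from what was sent first, or when they arrive sooner than an assumed minimum interval after the original (the 200 ms floor, the RFC 5737 addresses, the fake TLS bytes and the checker's class and method names are all assumptions for illustration). The `action` parameter mirrors the Drop/Accept choice from the reply: "drop" discards the offending segment, "accept" only logs it and forwards it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a middlebox sees it (constructed sample data, not a real capture)."""
    flow: Tuple[str, str]  # (source, destination) as "ip:port" strings
    seq: int               # sequence number of the first payload byte
    payload: bytes
    ts: float              # arrival time in seconds


@dataclass
class FlowState:
    """Per-direction memory of the payload bytes already forwarded."""
    seen: Dict[int, int] = field(default_factory=dict)          # seq -> byte value
    first_seen: Dict[int, float] = field(default_factory=dict)  # seq -> timestamp first forwarded


class RetransmissionChecker:
    """Simplified model of a stateful 'invalid TCP retransmission' check (an assumption,
    not a description of any vendor's implementation).

    action="drop" discards offending segments; action="accept" logs them but forwards them.
    min_retransmit_interval is an assumed tunable floor for how soon a retransmission may follow
    the original transmission of the same bytes.
    """

    def __init__(self, action: str = "drop", min_retransmit_interval: float = 0.2) -> None:
        if action not in ("drop", "accept"):
            raise ValueError("action must be 'drop' or 'accept'")
        self.action = action
        self.min_interval = min_retransmit_interval
        self.flows: Dict[Tuple[str, str], FlowState] = {}
        self.log: List[str] = []

    def _reasons(self, seg: Segment, st: FlowState) -> List[str]:
        reasons: List[str] = []
        overlap = [seg.seq + i for i in range(len(seg.payload)) if seg.seq + i in st.seen]
        if not overlap:
            return reasons  # fresh data, nothing to compare against
        # 1. Retransmitted bytes must carry the same content as the original transmission.
        if any(st.seen[s] != seg.payload[s - seg.seq] for s in overlap):
            reasons.append("payload differs from original transmission")
        # 2. Retransmission arriving too soon after the original (assumed floor, see class doc).
        elapsed = seg.ts - max(st.first_seen[s] for s in overlap)
        if elapsed < self.min_interval:
            reasons.append(
                f"retransmitted after {elapsed * 1000:.0f} ms (< {self.min_interval * 1000:.0f} ms)"
            )
        return reasons

    def inspect(self, seg: Segment) -> str:
        """Return the verdict for one segment: 'accept' or 'drop'."""
        st = self.flows.setdefault(seg.flow, FlowState())
        reasons = self._reasons(seg, st)
        if reasons:
            verdict = self.action
            self.log.append(
                f"{seg.flow[0]} -> {seg.flow[1]} seq={seg.seq}: "
                f"Invalid Segment Retransmission ({'; '.join(reasons)}) -> {verdict}"
            )
        else:
            verdict = "accept"
        if verdict == "accept":
            # Only bytes actually forwarded become the reference for later comparisons.
            for i, b in enumerate(seg.payload):
                st.seen.setdefault(seg.seq + i, b)
                st.first_seen.setdefault(seg.seq + i, seg.ts)
        return verdict


# Constructed trace (RFC 5737 documentation addresses, fake TLS-looking bytes):
FLOW = ("192.0.2.10:51234", "198.51.100.5:443")
CLIENT_HELLO = b"\x16\x03\x01\x00\x40" + b"\x01" * 64        # 69 bytes
APP_DATA = b"\x17\x03\x03\x00\x10" + b"\x02" * 16             # 21 bytes
ALTERED_HELLO = b"\x16\x03\x01\x00\x40" + b"\x02" * 64        # same range, different content

TRACE = [
    Segment(FLOW, 1000, CLIENT_HELLO, 0.000),  # original transmission
    Segment(FLOW, 1000, CLIENT_HELLO, 1.200),  # identical retransmit after 1.2 s: legitimate
    Segment(FLOW, 1069, APP_DATA, 1.300),      # new data
    Segment(FLOW, 1069, APP_DATA, 1.320),      # same bytes again only 20 ms later: "impatient"
    Segment(FLOW, 1000, ALTERED_HELLO, 3.000), # retransmit of the first range with different bytes
]


def run_trace(action: str) -> Tuple[List[str], List[str]]:
    """Run the constructed trace through a checker and return (verdicts, log lines)."""
    checker = RetransmissionChecker(action=action)
    verdicts = [checker.inspect(seg) for seg in TRACE]
    return verdicts, checker.log


if __name__ == "__main__":
    for mode in ("drop", "accept"):
        verdicts, log = run_trace(mode)
        print(f"action={mode}: {verdicts}")
        for line in log:
            print("   ", line)
```

In "drop" mode the fourth and fifth segments never reach the server, which is the stall-and-disconnect effect described in the reply; in "accept" mode the same two events are still logged but forwarded, which is why leaving the protection on Accept only hides the symptom. Note that a retransmission shortly after the original is not always bogus (fast retransmit after duplicate ACKs is standard TCP), so the interval check here is deliberately a tunable, and a payload mismatch is the stronger signal.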