Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
flachance
Advisor

Connection terminated before detection: Insufficient data passed. To learn more see sk113479

Users reported issue accessing one particular web site. It always ends up with a timeout error. In the logs, the connection is accepted but with reason:

Connection terminated before detection: Insufficient data passed. To learn more see sk113479

The sk offers an explanation but no solution. This site is accessible by others in different organisations but not for us.

We have a pair of gateways in  a cluster running R80.20 jhf take 14 

0 Kudos
16 Replies
_Val_
Admin
Admin

It seems that your policy requires an application or URL categorization to happen before final match, and it fails for this specific web site.

Try creating a new explicit rule with the web server as destination and web services allowed, put it before the rules matching now, and try again. 


0 Kudos
flachance
Advisor

Unfortunately that didn't work. I created a rule just for that web site and placed it at the top of the rulebase and we're still getting that "Insufficient data passed" mssage.

0 Kudos
flachance
Advisor

Seems I misread your suggestion. I had created an explicit access security rule for that website. I tried again with an explicit Application rule and I'm not getting the 'Insufficient data passed' error anymore. So as far as the firewall goes everything looks ok. But I still can't access that site (cjc-ccm.ca) when it seems pretty much anyone else can, very frustrating.

0 Kudos
Daniel_Kavan
Advisor

I'm running into this issue with R81.10 JHF110, no issues before that.   It's saying not to run the command for insufficient data, but the reason is just insufficient data in the Reason category.   Do we just assume we need to allow uncategorized traffic with JHF110?  Could there be a bug with R81.10 JHF110.   I'm going to start a case with TAC Monday.  Basically, this affected me after changing a Nat rule with 110.   I have another case of it, changed a NAT rule and data won't pass, yet I have a default rule.  I may have to just explicitly allow uncategorized traffic.

0 Kudos
the_rock
Legend
Legend

It might be a bug, worth a TAC case, for sure.

Andy

0 Kudos
CaseyB
Advisor

"Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and the wrong username/password is provided by the user."

Was fixed in R80.20 Take 190, but I can't say for sure it's your issue.

Take 14 is not even listed in the documentation, it would probably be worthwhile to at least upgrade to the final release of R80.20 Take 230 for your gateways if you are unable to plan to get to a supported version.

 

List of All Resolved Issues and New Features (checkpoint.com)

0 Kudos
flachance
Advisor

Just realized my typo. we're at R81.20 take 14. Sorry for the confusion

0 Kudos
the_rock
Legend
Legend

I cant even count how many times I was on the phone with customers and every single time TAC would tell them this message simply means its not Check Point issue...that sk is really a LONG way of saying that lol

0 Kudos
_Val_
Admin
Admin

Sorry, but this is not what Sk is saying.

0 Kudos
the_rock
Legend
Legend

Correct, sk does not, but TAC does 😂...and they are 100% correct.

0 Kudos
RS_Daniel
Advisor

Hello,

I have seen more logs with this message on R81.10 than previous versions, and usually doing a "fw ctl zdebug drop" shows  that the gateway was actually dropping the traffic, try with that, if you do not see drops, it is very likely that the Connection was actually terminated before detection and a packet capture can help to understand why.

Regards

the_rock
Legend
Legend

My experience was worse with R80.40 for this issue, had not seen much in R81.10 and nothing so far in R81.20

Andy

0 Kudos
flachance
Advisor

fw ctl zdebug drop does not show anything. I'll try a packet capture. thanks

0 Kudos
the_rock
Legend
Legend

Did you open TAC case foir this to verify with them?

Andy

0 Kudos
flachance
Advisor

No. I was hoping to look at a packet capture (which I haven't done yet) before trying TAC.

0 Kudos
the_rock
Legend
Legend

Unless you are not allowed to, if you can attach the capture here and give us relevant info, Im happy to also have a look.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events