This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
flachance
Advisor
‎2023-08-14 05:58 AM

Connection terminated before detection: Insufficient data passed. To learn more see sk113479

Users reported issue accessing one particular web site. It always ends up with a timeout error. In the logs, the connection is accepted but with reason:

Connection terminated before detection: Insufficient data passed. To learn more see sk113479

The sk offers an explanation but no solution. This site is accessible by others in different organisations but not for us.

We have a pair of gateways in  a cluster running R80.20 jhf take 14 

0 Kudos
16 Replies
_Val_
Admin
Admin
‎2023-08-14 06:18 AM

It seems that your policy requires an application or URL categorization to happen before final match, and it fails for this specific web site.

Try creating a new explicit rule with the web server as destination and web services allowed, put it before the rules matching now, and try again. 


0 Kudos
flachance
Advisor
‎2023-08-14 11:58 AM
In response to _Val_

Unfortunately that didn't work. I created a rule just for that web site and placed it at the top of the rulebase and we're still getting that "Insufficient data passed" mssage.

0 Kudos
flachance
Advisor
‎2023-08-25 06:46 AM
In response to _Val_

Seems I misread your suggestion. I had created an explicit access security rule for that website. I tried again with an explicit Application rule and I'm not getting the 'Insufficient data passed' error anymore. So as far as the firewall goes everything looks ok. But I still can't access that site (cjc-ccm.ca) when it seems pretty much anyone else can, very frustrating.

0 Kudos
Daniel_Kavan
Advisor
Advisor
‎2023-10-07 07:01 AM
In response to flachance

I'm running into this issue with R81.10 JHF110, no issues before that.   It's saying not to run the command for insufficient data, but the reason is just insufficient data in the Reason category.   Do we just assume we need to allow uncategorized traffic with JHF110?  Could there be a bug with R81.10 JHF110.   I'm going to start a case with TAC Monday.  Basically, this affected me after changing a Nat rule with 110.   I have another case of it, changed a NAT rule and data won't pass, yet I have a default rule.  I may have to just explicitly allow uncategorized traffic.

0 Kudos
the_rock
Legend
Legend
‎2023-10-07 09:01 AM
In response to Daniel_Kavan

It might be a bug, worth a TAC case, for sure.

Andy

0 Kudos
CaseyB
Advisor
‎2023-08-14 06:24 AM

"Accept logs with reason "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." may be wrongly generated when the matched action is user authentication and the wrong username/password is provided by the user."

Was fixed in R80.20 Take 190, but I can't say for sure it's your issue.

Take 14 is not even listed in the documentation, it would probably be worthwhile to at least upgrade to the final release of R80.20 Take 230 for your gateways if you are unable to plan to get to a supported version.

 

List of All Resolved Issues and New Features (checkpoint.com)

0 Kudos
flachance
Advisor
‎2023-08-14 06:25 AM
In response to CaseyB

Just realized my typo. we're at R81.20 take 14. Sorry for the confusion

0 Kudos
the_rock
Legend
Legend
‎2023-08-14 06:31 AM
In response to flachance

I cant even count how many times I was on the phone with customers and every single time TAC would tell them this message simply means its not Check Point issue...that sk is really a LONG way of saying that lol

0 Kudos
_Val_
Admin
Admin
‎2023-08-14 08:13 AM
In response to the_rock

Sorry, but this is not what Sk is saying.

0 Kudos
the_rock
Legend
Legend
‎2023-08-14 08:30 AM
In response to _Val_

Correct, sk does not, but TAC does 😂...and they are 100% correct.

0 Kudos
RS_Daniel
Advisor
‎2023-08-14 03:22 PM

Hello,

I have seen more logs with this message on R81.10 than previous versions, and usually doing a "fw ctl zdebug drop" shows  that the gateway was actually dropping the traffic, try with that, if you do not see drops, it is very likely that the Connection was actually terminated before detection and a packet capture can help to understand why.

Regards

the_rock
Legend
Legend
‎2023-08-15 05:48 AM
In response to RS_Daniel

My experience was worse with R80.40 for this issue, had not seen much in R81.10 and nothing so far in R81.20

Andy

0 Kudos
flachance
Advisor
‎2023-08-16 07:00 AM
In response to RS_Daniel

fw ctl zdebug drop does not show anything. I'll try a packet capture. thanks

0 Kudos
the_rock
Legend
Legend
‎2023-08-16 07:05 AM
In response to flachance

Did you open TAC case foir this to verify with them?

Andy

0 Kudos
flachance
Advisor
‎2023-08-17 06:58 AM
In response to the_rock

No. I was hoping to look at a packet capture (which I haven't done yet) before trying TAC.

0 Kudos
the_rock
Legend
Legend
‎2023-08-17 07:00 AM
In response to flachance

Unless you are not allowed to, if you can attach the capture here and give us relevant info, Im happy to also have a look.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events