This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gacki
Participant
‎2023-03-16 05:26 AM

Connection terminated before the Security Gateway was able to make a decision

Hello,

I have a problem that the idream.pl website works properly inside the company, but if there is a VPN access to the website, unfortunately a too long wait message pops up, the checkpoint logs show what is in the connector. 

A rule is made that should allow access to this page.

0 Kudos
11 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-03-16 05:30 AM

Have you already reviewed sk113479?

CCSM R77/R80/ELITE
0 Kudos
Gacki
Participant
‎2023-03-16 05:36 AM
In response to Chris_Atkinson

yes, but i didn't find the answer there.

my error is 

Connection terminated before detection: Insufficient data. <X> bytes passed

Data packets have arrived, but the amount of data was not enough for the engine detection. The string will also state the number of data bytes (TCP/UDP payload) that may pass the Gateway.

 

now the question is how can i solve it?

0 Kudos
the_rock
Legend
Legend
‎2023-03-16 05:50 AM

I had this happen with customer before and TAC told us that sk simply states its not CP issue, to make a long story short : - ). I actually agree with that, because logically, connection gets terminated, but there is proof anywhere its the fw causing it.

You definitely need to run some captures and confirm whats happening with the traffic.

Andy

0 Kudos
Gacki
Participant
‎2023-03-16 06:04 AM
In response to the_rock

Can you suggest how best to capture this traffic? additionally wireshark? or on the checkpoint side?

0 Kudos
the_rock
Legend
Legend
‎2023-03-16 06:25 AM
In response to Gacki

Lets do remote if you are allowed and I can help you. If not, please provide the source/dst IP addresses with ports/protocol involved and I can send you the captures you need.

Cheers mate.

Andy

0 Kudos
Gacki
Participant
‎2023-03-16 06:32 AM
In response to the_rock

we are trying to connect to idream.pl (137.74.1.35) http (TCP/80)

0 Kudos
the_rock
Legend
Legend
‎2023-03-16 06:33 AM
In response to Gacki

K, cool. Can you please give me one source IP you are testing from, so I can give you right capture flags?

Cheers,

Andy

0 Kudos
Gacki
Participant
‎2023-03-16 06:35 AM
In response to the_rock

10.10.12.16

0 Kudos
the_rock
Legend
Legend
‎2023-03-16 06:41 AM
In response to Gacki

fw monitor -e "accept host(137.74.1.35);"
fw monitor -e "accept host(137.74.1.35) and port(80);"
fw monitor -e "accept host(137.74.1.35) and host(10.10.12.16);"
tcpdump -nni any host 137.74.1.35
fw monitor -F "10.10.12.16,0,137.74.1.35,80,0"
fw monitor -F "10.10.12.16,0,137.74.1.35,80,0" -F "137.74.1.35,0,10.10.12.16,80,0"

 

Just as a side note, though you already probably know this, tcpdump will NOT show you any inspection points taking place, simply if traffic is hitting any interface on the firewall, but fw monitor would show you those things.

Andy

0 Kudos
Gacki
Participant
‎2023-03-16 07:22 AM
In response to the_rock

i.e. it's not a checkpoint problem, but something before the checkpoint is causing not all data packets to arrive

1.png
Preview file
13 KB
0 Kudos
the_rock
Legend
Legend
‎2023-03-16 07:27 AM
In response to Gacki

Correct and that sk is literally LONG way of simply saying "This is not Check Point issue" 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top