This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have one, create one now for free!
Tim_Bernat
Contributor
‎2018-12-07 03:56 AM

'Invalid segment retransmission. Packet dropped.'

Jump to solution

Hi All, 

we have a client not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The sync packet is okay, but then it is actually dropped by the same rule that should be allowing it with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the below screen.

We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from win command line. 

Thank you for any comments. 

0 Kudos
1 Solution

Accepted Solutions
Tim_Bernat
Contributor
‎2019-01-30 05:01 AM
In response to Tim_Bernat

Jump to solution

I ended up putting an Exception in the the Inspection Settings for 'Invalid TCP Retransmission'  to get this fixed. Not a problem, but don't understand why it was seeing the traffic as a threat in the first place. 

View solution in original post

0 Kudos
14 Replies
PhoneBoy
Admin
Admin
‎2018-12-07 11:50 AM

Jump to solution

If you open one of those log entries, does it reference an SK?

These Inspection Settings may be relevant also:

0 Kudos
Tim_Bernat
Contributor
‎2019-01-30 02:36 AM
In response to PhoneBoy

Jump to solution

Thank Dameon,

sorry about replying late; it got quite hectic I was then off for some time. 

No SK, I get: 

'SmartDefense Services

An advisory for this issue is yet to be published. The information will be updated soon.'

Looking at the settings, we have this set to 'Drop' on all profiles, as recommended by CP:

 

This morning I have put a device behind the CP firewall directly on the Internet and had no problems with any FTP commands (FTP passive-mode).  

Apparently this was last used back in May, so we don't know when it stopped working. We have since moved from R77.30 to R80.10 but no access rules have been changed.

Thanks, Tim

0 Kudos
Tim_Bernat
Contributor
‎2019-01-30 05:01 AM
In response to Tim_Bernat

Jump to solution

I ended up putting an Exception in the the Inspection Settings for 'Invalid TCP Retransmission'  to get this fixed. Not a problem, but don't understand why it was seeing the traffic as a threat in the first place. 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-30 07:37 AM
In response to Tim_Bernat

Jump to solution

For that we’d probably need a TAC case with packet captures of the relevant traffic.

B_P
Collaborator
‎2019-05-28 10:07 AM
In response to Tim_Bernat

Jump to solution

We got this too, but per sk98081, disabling TCP Invalid Retransmission is something "highly recommended" not to do.

Blocking stuff without any real explanation on why is Check Point's M.O. --

https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=protection&threatId=tcp_block_retr...

http://www.checkpoint.com/sdadvisories/redirector.htm?attackId=Streaming+Engine:+TCP+Invalid+Retrans....

0 Kudos
Michael_Golub
Employee Alumnus
Employee Alumnus
‎2019-05-29 08:05 AM

Jump to solution

Just to clarify, did it drop specific packets but the connectivity remained and some packet still passed? Or from certain point all packets were dropped causing connectivity issue?

0 Kudos
B_P
Collaborator
‎2019-05-29 11:54 AM
In response to Michael_Golub

Jump to solution

All packets are dropped.. multiple unrelated websites are not loading because of this.

0 Kudos
FedericoMeiners
Advisor
‎2019-07-16 05:10 AM

Jump to solution

Hello,

Yesterday we migrated one member of one a cluster from R80.10 to R80.30 and an one of the internal applications that has been working for years without issue (Through R77.30 and R80.10) stopped working, no changes were made in the application.

After debugging we found that the packets were dropped by the signature from this post: TCP Invalid Retransmission, we fixed the issue by making an exception in the corresponding signature.

Regards,

 

____________
https://www.linkedin.com/in/federicomeiners/
PAUL_SAMWAYS1
Participant
‎2019-09-15 10:38 PM
In response to FedericoMeiners

Jump to solution
We had the same problem upgraded from R80.20 to R80.30 and had application stop working (internal app) TCP Invalid Retransmission.
0 Kudos
Michael_Wood
Participant
‎2019-11-07 11:08 AM
In response to PAUL_SAMWAYS1

Jump to solution

Had the issue this morning - folks going to Siebel.  Worked yesterday on R80.10, upgraded to R80.30 JHF Take 50 and we had issues this morning with all users.

Exception added and problem solved.

0 Kudos
HoogliBoogli
Participant
‎2019-11-26 06:29 AM
In response to Michael_Wood

Jump to solution

Yes, we have the same Problem. After Migration from 77.30 to 80.30 we have "TCP-Retransmission Drops"

One of our internal web application working for years without issues. After this Migration the application is stopped working, no changes were made in the application.

We found…. http://[ip-address]/wording/ is working

                      http://[ip-address]/wording/?search=word1+word2&initSearch=2&core= is not working

If we delete the "+" sign, it is working. IT seems Checkpoint 80.30 don't like "+" signs.

We don´t use application filtering  or other blades - only IPS.

Workaround: We fixed the issue by making an exception in the IPS.

Any idea what's wrong?

Benedikt_Weissl
Advisor
‎2020-08-26 01:47 AM
In response to HoogliBoogli

Jump to solution

I have the same problem, TAC said that an upgrade to R80.30 Take >= 214 will resolve this issue.

kfeng2020
Explorer
‎2020-09-15 01:12 PM
In response to Benedikt_Weissl

Jump to solution

I am seeing the same issue with the TCP Invalid Retransmission to Library of Congress. Added exceptions didn't help.  I tested by making Drop to Accept and works perfectly.  We had the ver R80.3 and wonder if anyone else can provide some advise.

0 Kudos
kfeng2020
Explorer
‎2020-09-15 01:15 PM
In response to Benedikt_Weissl

Jump to solution

Did it work for you?  We are running R80.3 and keeping getting problem with Library of Congress.  Dropped and TCP invalid retransmission.  Adding exception didn't do anything.  I wonder if anyone has any other thoughts on this problem? 

0 Kudos