'SmartDefense Services

Tim_Bernat · ‎2018-12-07

Hi All,

we have a client not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The sync packet is okay, but then it is actually dropped by the same rule that should be allowing it with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the below screen.

We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from win command line.

Thank you for any comments.

Tim_Bernat · ‎2019-01-30

I ended up putting an Exception in the the Inspection Settings for 'Invalid TCP Retransmission' to get this fixed. Not a problem, but don't understand why it was seeing the traffic as a threat in the first place.

View solution in original post

PhoneBoy · ‎2018-12-07

If you open one of those log entries, does it reference an SK?

These Inspection Settings may be relevant also:

Tim_Bernat · ‎2019-01-30

Thank Dameon,

sorry about replying late; it got quite hectic I was then off for some time.

No SK, I get:

'SmartDefense Services

An advisory for this issue is yet to be published. The information will be updated soon.'

Looking at the settings, we have this set to 'Drop' on all profiles, as recommended by CP:

This morning I have put a device behind the CP firewall directly on the Internet and had no problems with any FTP commands (FTP passive-mode).

Apparently this was last used back in May, so we don't know when it stopped working. We have since moved from R77.30 to R80.10 but no access rules have been changed.

Thanks, Tim

Tim_Bernat · ‎2019-01-30

I ended up putting an Exception in the the Inspection Settings for 'Invalid TCP Retransmission' to get this fixed. Not a problem, but don't understand why it was seeing the traffic as a threat in the first place.

View solution in original post

PhoneBoy · ‎2019-01-30

For that we’d probably need a TAC case with packet captures of the relevant traffic.

B_P · ‎2019-05-28

We got this too, but per sk98081, disabling TCP Invalid Retransmission is something "highly recommended" not to do.

Blocking stuff without any real explanation on why is Check Point's M.O. --

https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=protection&threatId=tcp_block_retr...

http://www.checkpoint.com/sdadvisories/redirector.htm?attackId=Streaming+Engine:+TCP+Invalid+Retrans....

Michael_Golub · ‎2019-05-29

Just to clarify, did it drop specific packets but the connectivity remained and some packet still passed? Or from certain point all packets were dropped causing connectivity issue?

B_P · ‎2019-05-29

All packets are dropped.. multiple unrelated websites are not loading because of this.

FedericoMeiners · ‎2019-07-16

Hello,

Yesterday we migrated one member of one a cluster from R80.10 to R80.30 and an one of the internal applications that has been working for years without issue (Through R77.30 and R80.10) stopped working, no changes were made in the application.

After debugging we found that the packets were dropped by the signature from this post: TCP Invalid Retransmission, we fixed the issue by making an exception in the corresponding signature.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/

PAUL_SAMWAYS1 · ‎2019-09-15

We had the same problem upgraded from R80.20 to R80.30 and had application stop working (internal app) TCP Invalid Retransmission.

Michael_Wood · ‎2019-11-07

Had the issue this morning - folks going to Siebel. Worked yesterday on R80.10, upgraded to R80.30 JHF Take 50 and we had issues this morning with all users.

Exception added and problem solved.

HoogliBoogli · ‎2019-11-26

Yes, we have the same Problem. After Migration from 77.30 to 80.30 we have "TCP-Retransmission Drops"

One of our internal web application working for years without issues. After this Migration the application is stopped working, no changes were made in the application.

We found…. http://[ip-address]/wording/ is working

http://[ip-address]/wording/?search=word1+word2&initSearch=2&core= is not working

If we delete the "+" sign, it is working. IT seems Checkpoint 80.30 don't like "+" signs.

We don´t use application filtering or other blades - only IPS.

Workaround: We fixed the issue by making an exception in the IPS.

Any idea what's wrong?

Benedikt_Weissl · ‎2020-08-26

I have the same problem, TAC said that an upgrade to R80.30 Take >= 214 will resolve this issue.

kfeng2020 · ‎2020-09-15

I am seeing the same issue with the TCP Invalid Retransmission to Library of Congress. Added exceptions didn't help. I tested by making Drop to Accept and works perfectly. We had the ver R80.3 and wonder if anyone else can provide some advise.

kfeng2020 · ‎2020-09-15

Did it work for you? We are running R80.3 and keeping getting problem with Library of Congress. Dropped and TCP invalid retransmission. Adding exception didn't do anything. I wonder if anyone has any other thoughts on this problem?