'Invalid segment retransmission. Packet dropped.'
Hi All,
We have a client not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The sync packet is okay, but then it is actually dropped by the same rule that should be allowing it with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the below screen.
We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from win command line.
Thank you for any comments.
If you open one of those log entries, does it reference an SK?
These Inspection Settings may be relevant also:
Thanks, Dameon,
sorry about replying late; it got quite hectic and I was then off for some time.
No SK, I get:
'SmartDefense Services
An advisory for this issue is yet to be published. The information will be updated soon.'
Looking at the settings, we have this set to 'Drop' on all profiles, as recommended by CP:
This morning I have put a device behind the CP firewall directly on the Internet and had no problems with any FTP commands (FTP passive-mode).
Apparently this was last used back in May, so we don't know when it stopped working. We have since moved from R77.30 to R80.10 but no access rules have been changed.
Thanks, Tim
I ended up putting an Exception in the Inspection Settings for 'Invalid TCP Retransmission' to get this fixed. Not a problem, but I don't understand why it was seeing the traffic as a threat in the first place.
For that we’d probably need a TAC case with packet captures of the relevant traffic.
We got this too, but per sk98081, disabling TCP Invalid Retransmission is something "highly recommended" not to do.
Blocking stuff without any real explanation on why is Check Point's M.O.
Just to clarify, did it drop specific packets while the connectivity remained and some packets still passed? Or from a certain point were all packets dropped, causing a connectivity issue?
All packets are dropped. Multiple unrelated websites are not loading because of this.
Hello,
Yesterday we migrated one member of a cluster from R80.10 to R80.30, and one of the internal applications that has been working for years without issue (through R77.30 and R80.10) stopped working. No changes were made in the application.
After debugging we found that the packets were dropped by the signature from this post: TCP Invalid Retransmission. We fixed the issue by making an exception in the corresponding signature.
Regards,
https://www.linkedin.com/in/federicomeiners/
Had the issue this morning - folks going to Siebel. Worked yesterday on R80.10, upgraded to R80.30 JHF Take 50 and we had issues this morning with all users.
Exception added and problem solved.
Yes, we have the same problem. After migration from 77.30 to 80.30 we have "TCP-Retransmission Drops".
One of our internal web applications had been working for years without issues. After this migration the application stopped working; no changes were made in the application.
We found that http://[ip-address]/wording/ is working, but
http://[ip-address]/wording/?search=word1+word2&initSearch=2&core= is not working.
If we delete the "+" sign, it is working. It seems Check Point 80.30 doesn't like "+" signs.
We don't use application filtering or other blades - only IPS.
Workaround: We fixed the issue by making an exception in the IPS.
Any idea what's wrong?
I have the same problem, TAC said that an upgrade to R80.30 Take >= 214 will resolve this issue.
I am seeing the same issue with the TCP Invalid Retransmission to Library of Congress. Adding exceptions didn't help. I tested by changing Drop to Accept and it works perfectly. We had ver R80.3 and wonder if anyone else can provide some advice.
Did it work for you? We are running R80.3 and keep getting problems with Library of Congress. Dropped and TCP invalid retransmission. Adding an exception didn't do anything. I wonder if anyone has any other thoughts on this problem?
