Tim_Bernat
Contributor

'Invalid segment retransmission. Packet dropped.'

Hi All, 

We have a client that is not able to connect to an FTP server. The connection goes through the internal firewall and then gets dropped by our external CP (80.10). The sync packet is okay, but then it is actually dropped by the same rule that should be allowing it, with the 'Invalid segment retransmission. Packet dropped.' comment. Please see the below screen.

We initially thought it was down to the application (FileZilla), but it seems it's the same, for example, from win command line. 

Thank you for any comments. 

0 Kudos
1 Solution

Accepted Solutions
Tim_Bernat
Contributor

I ended up putting an Exception in the Inspection Settings for 'Invalid TCP Retransmission' to get this fixed. Not a problem, but I don't understand why it was seeing the traffic as a threat in the first place.

0 Kudos
14 Replies
PhoneBoy
Admin

If you open one of those log entries, does it reference an SK?

These Inspection Settings may be relevant also:

0 Kudos
Tim_Bernat
Contributor

Thanks Dameon,

sorry about replying late; it got quite hectic and I was then off for some time.

No SK, I get: 

'SmartDefense Services

An advisory for this issue is yet to be published. The information will be updated soon.'

Looking at the settings, we have this set to 'Drop' on all profiles, as recommended by CP:

 

This morning I have put a device behind the CP firewall directly on the Internet and had no problems with any FTP commands (FTP passive-mode).  

Apparently this was last used back in May, so we don't know when it stopped working. We have since moved from R77.30 to R80.10 but no access rules have been changed.

Thanks, Tim

0 Kudos
Tim_Bernat
Contributor

I ended up putting an Exception in the Inspection Settings for 'Invalid TCP Retransmission' to get this fixed. Not a problem, but I don't understand why it was seeing the traffic as a threat in the first place.

0 Kudos
PhoneBoy
Admin

For that we’d probably need a TAC case with packet captures of the relevant traffic.
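
What such a capture could be checked for, as an added example that is not part of the thread and not Check Point code: it assumes the protection objects to a retransmitted segment whose bytes differ from those first seen at the same sequence numbers (the thread does not state the exact check). `Segment`, `classify_retransmissions` and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def classify_retransmissions(segments):
    """Classify the segments of ONE direction of ONE TCP flow, in capture order.

    Verdicts: 'new'                   - only unseen sequence space
              'retransmit-consistent' - overlaps earlier data, bytes agree
              'retransmit-mismatch'   - overlaps earlier data, bytes differ
    """
    seen = {}       # sequence number -> byte first observed at that position
    verdicts = []
    for i, seg in enumerate(segments):
        overlap = mismatch = False
        for off, b in enumerate(seg.payload):
            pos = (seg.seq + off) & 0xFFFFFFFF   # sequence space wraps at 2**32
            if pos in seen:
                overlap = True
                if seen[pos] != b:
                    mismatch = True              # same position, different byte
            else:
                seen[pos] = b
        if mismatch:
            verdicts.append((i, "retransmit-mismatch"))
        elif overlap:
            verdicts.append((i, "retransmit-consistent"))
        else:
            verdicts.append((i, "new"))
    return verdicts

# Constructed FTP control-channel segments (not taken from the thread).
SAMPLE = [
    Segment(1000, b"USER demo\r\n"),   # bytes 1000..1010
    Segment(1011, b"PASS x\r\n"),      # bytes 1011..1018
    Segment(1000, b"USER demo\r\n"),   # plain retransmission, same bytes
    Segment(1011, b"PASS y\r\n"),      # same range, one byte changed
    Segment(1017, b"\r\nSYST\r\n"),    # partial overlap plus new data
]

if __name__ == "__main__":
    for idx, verdict in classify_retransmissions(SAMPLE):
        print(idx, SAMPLE[idx].seq, verdict)
```

Running this over the same flow captured on both sides of the gateway shows whether a mismatching retransmission arrives from the sender or is introduced by a device in the path.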

B_P
Advisor

We got this too, but per sk98081, disabling TCP Invalid Retransmission is something "highly recommended" not to do.

Blocking stuff without any real explanation on why is Check Point's M.O. --

https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=protection&threatId=tcp_block_retr...

http://www.checkpoint.com/sdadvisories/redirector.htm?attackId=Streaming+Engine:+TCP+Invalid+Retrans....

0 Kudos
Michael_Golub
Employee Alumnus

Just to clarify, did it drop specific packets while the connectivity remained and some packets still passed? Or from a certain point were all packets dropped, causing a connectivity issue?

0 Kudos
B_P
Advisor

All packets are dropped.. multiple unrelated websites are not loading because of this.

0 Kudos
FedericoMeiners
Advisor

Hello,

Yesterday we migrated one member of a cluster from R80.10 to R80.30 and one of the internal applications that has been working for years without issue (through R77.30 and R80.10) stopped working; no changes were made in the application.

After debugging we found that the packets were dropped by the signature from this post, TCP Invalid Retransmission. We fixed the issue by making an exception in the corresponding signature.

Regards,

 

____________
https://www.linkedin.com/in/federicomeiners/
PAUL_SAMWAYS1
Participant
We had the same problem: upgraded from R80.20 to R80.30 and had an application (internal app) stop working with TCP Invalid Retransmission.
0 Kudos
Michael_Wood
Participant

Had the issue this morning - folks going to Siebel. Worked yesterday on R80.10, upgraded to R80.30 JHF Take 50 and we had issues this morning with all users.

Exception added and problem solved.

0 Kudos
HoogliBoogli
Participant

Yes, we have the same problem. After migration from 77.30 to 80.30 we have "TCP-Retransmission Drops".

One of our internal web applications had been working for years without issues. After this migration the application stopped working; no changes were made in the application.

We found…. http://[ip-address]/wording/ is working

                      http://[ip-address]/wording/?search=word1+word2&initSearch=2&core= is not working

If we delete the "+" sign, it is working. It seems Check Point 80.30 doesn't like "+" signs.

We don't use application filtering or other blades - only IPS.

Workaround: We fixed the issue by making an exception in the IPS.

Any idea what's wrong?

Benedikt_Weissl
Advisor

I have the same problem, TAC said that an upgrade to R80.30 Take >= 214 will resolve this issue.

kfeng2020
Explorer

I am seeing the same issue with the TCP Invalid Retransmission to Library of Congress. Adding exceptions didn't help. I tested by changing Drop to Accept and it works perfectly. We have ver R80.3 and wonder if anyone else can provide some advice.

0 Kudos
kfeng2020
Explorer

Did it work for you? We are running R80.3 and keep getting problems with Library of Congress. Dropped and TCP invalid retransmission. Adding an exception didn't do anything. I wonder if anyone has any other thoughts on this problem?

0 Kudos
