gemechisd
Contributor

Packet Analysing

Hello All,

We have faced an issue with one of our services that goes from the DMZ zone to Internal. The issue is that out of 100 requests sent to the internal server, some requests are getting a response within 2-4 minutes, but the fast ones get one within 2 seconds. We have tried bypassing our Check Point firewall and all 100 requests get a response within 2 seconds. We have checked our Check Point rule but can't find anything. Below is a packet capture from different servers. Can someone help in finding the differences between the captures?

20 Replies
the_rock
Legend

I will download and have a look. Can you please indicate src and dst IP?

Andy

gemechisd
Contributor

@the_rock 

Thanks for the quick reply. All SRC & DST IP's are on the captured packets. 

the_rock
Legend

K, sounds good! Just finishing up an Azure lab, will check soon.

Andy

the_rock
Legend

I checked a few streams and, to me, it appears the server is NOT sending SYN-ACK, which it should.

Andy

Screenshot_1.png

gemechisd
Contributor

Okay. Thanks.

Maybe you can check the ones named Server2 and server 2 - retried.

the_rock
Legend

Of course I can. I got a call in 20 mins, but can also check it while on that call, but let me do it now.

Andy

the_rock
Legend

Well, one seems worse, as it shows both SYN and SYN-ACK absent. The second one is the same.

Maybe do a capture like this, don't output it into a file, and see what you get.

The idea is (srcip,srcport,dstip,dstport,protocol),

So, in your case, let's say the port is 443, and let's pretend the IPs are 1.1.1.1 and 2.2.2.2:

fw monitor -F "1.1.1.1,0,2.2.2.2,443,0" -F "2.2.2.2,0,1.1.1.1,443,0"

Andy

Screenshot_1.png

Screenshot_2.png

You can also do zdebug as below, just replace with the right IPs:

fw ctl zdebug + drop | grep x.x.x.x | grep y.y.y.y

Run fw ctl debug 0 to turn off debugs.

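To compare the slow capture with the working one the way Andy describes, here is an added Python example (not from this thread and not Check Point tooling) that groups packets by the same 5-tuple, counts client SYN retransmissions, and measures how long the server's SYN-ACK took; the packet list is constructed sample data standing in for the fields you would export from the capture.

```python
from collections import defaultdict

# Constructed sample: (time_s, src, sport, dst, dport, flags), the fields one
# would export from a capture. Flow 50001 completes normally; flow 50002 shows
# three client SYNs before the server's SYN-ACK finally arrives ~127 s later;
# flow 50003 never gets a SYN-ACK at all.
SAMPLE = [
    (0.000, "10.1.1.10", 50001, "10.2.2.20", 443, "S"),
    (0.001, "10.2.2.20", 443, "10.1.1.10", 50001, "SA"),
    (0.002, "10.1.1.10", 50001, "10.2.2.20", 443, "A"),
    (0.100, "10.1.1.10", 50002, "10.2.2.20", 443, "S"),
    (1.100, "10.1.1.10", 50002, "10.2.2.20", 443, "S"),   # retransmitted SYN
    (3.100, "10.1.1.10", 50002, "10.2.2.20", 443, "S"),   # retransmitted SYN
    (127.3, "10.2.2.20", 443, "10.1.1.10", 50002, "SA"),
    (127.301, "10.1.1.10", 50002, "10.2.2.20", 443, "A"),
    (5.000, "10.1.1.10", 50003, "10.2.2.20", 443, "S"),   # never answered
]


def flow_key(src, sport, dst, dport):
    """Direction-agnostic 5-tuple (TCP assumed) so both directions share one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a < b else (b, a)


def analyse_handshakes(packets, slow_threshold=1.0):
    """Per flow: SYN retransmit count, SYN-ACK delay in seconds, and a verdict."""
    flows = defaultdict(lambda: {"syn_count": 0, "first_syn": None, "synack_at": None})
    for t, src, sport, dst, dport, flags in sorted(packets):  # order by time
        f = flows[flow_key(src, sport, dst, dport)]
        if flags == "S":                      # client SYN (first or retransmitted)
            f["syn_count"] += 1
            if f["first_syn"] is None:
                f["first_syn"] = t
        elif flags == "SA" and f["synack_at"] is None:   # first server SYN-ACK
            f["synack_at"] = t
    report = {}
    for key, f in flows.items():
        if f["first_syn"] is None:            # flow captured mid-stream; skip
            continue
        delay = None if f["synack_at"] is None else f["synack_at"] - f["first_syn"]
        verdict = ("no SYN-ACK" if delay is None
                   else "slow handshake" if delay > slow_threshold else "ok")
        report[key] = {"syn_retransmits": f["syn_count"] - 1,
                       "synack_delay": delay, "verdict": verdict}
    return report
```

Run it against the same 5-tuples from the firewall-bypassed capture and the firewall-path capture; flows whose verdict differs between the two are the ones to chase in the fw monitor and zdebug output.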
gemechisd
Contributor

So, which server is not sending proper ACK/SYN messages?

And what do you suggest?

the_rock
Legend

I can't recall now, I can check again soon. Do you have a working capture?

gemechisd
Contributor

Right now, no. But I can do it early in the morning.

the_rock
Legend

Just finished my call, let me check again.

Andy

the_rock
Legend

Every packet I check, you see this.

Andy

Screenshot_1.png

gemechisd
Contributor

@the_rock 

Is it possible to only allow the access on the Network layer only? I mean without Application and URL for this specific rule.

the_rock
Legend

Yes, 100%. If you have, say, 2 ordered layers, just make sure it's allowed on both, but the 2nd layer can have an any-any allow at the bottom while being configured for the URLF + App blades.

Andy

gemechisd
Contributor

Ok. We have suspected that some URL/Application control is blocking it, or that there is some filtering on it.

As I told you yesterday, when we do the capture from the campus network (bypassing Check Point) all requests get a response within seconds. The sample is 100 requests.

the_rock
Legend

Here is a good reference for the layered rules. I have a really good document I made about it, but it's on my work laptop, so I can send it tomorrow.

Andy

All you need to remember is this...IF there are multiple ordered layers, traffic has to be accepted on ALL of them.

https://community.checkpoint.com/t5/General-Topics/What-is-the-point-of-ordered-layers-for-Accept-ru...

the_rock
Legend

If you send a screenshot of how the policy layers are configured, I can tell you if something is wrong. Just blur out any sensitive details.

the_rock
Legend

Hey mate,

Since I'm just watching some Euro Cup football (or as our American friends call it, soccer (well, us Canadians too :-)), which I think is incorrect, as you play it with your feet lol), but anyway, cheering for Croatia, which is getting destroyed by Spain, as they are closest to where I grew up, Montenegro, and we did not even qualify, since we SUCK lol.

Anywho, I attached a document with layered rules examples from my lab. If you need help or it's not clear, let me know, we can do a remote session.

Best,

Andy

gemechisd
Contributor

@the_rock 
I have executed fw ctl zdebug + drop | grep x.x.x.x | grep y.y.y.y during the capture, replacing the IPs, but there is no rule that can drop this connection.

gemechisd
Contributor

@the_rock 

Thanks for the support. The problem was found on the destination side: there is a retransmission configuration there and we have disabled it. Now everything is working fine.
