This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jkougoulos
Participant
‎2022-10-24 03:29 AM

R80.40 explicit proxy does not close the connection to client in certain conditions

Hi,

I have one VSX gateway configured as non-transparent proxy (r80.40 take 158) and I face a an issue that appears as random but I believe I have narrow it down to something more specific.

So, there are some web servers that do not provide "Content-Length" but they close the TCP connection at the end of the transmission eg when they transmit content in gzip format. In most cases this is not a problem, as the proxy closes the connection to the client when all data are sent.
However, when the connection of the proxy to the server is better/faster than the one to the client, which causes various re-transmissions, the proxy does not close the connection and the client stays idle. The web browser in this case looks like stalling in transfer.
I have confirmed with tcpdump/wireshark that the proxy does not send a FIN/RST when the issue happens and the issue does not seem to appear when I use squid instead of checkpoint.

I was able to reproduce this by setting up a server close to our data center and setting the client to 10mbps/half duplex. I transfer a .js file of around 1.7MB which becomes ~400kB after gzip compression.
The server (an Apache) is configured with something like the following to emulate the behavior of the server that triggered the investigation for this issue (this is for firefox > 100):

               BrowserMatch "Firefox/10" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0

 

The issue is reproducible in Edge, Chrome, Firefox, curl, wget in Windows and Linux. The only client that does not show the problem is powershell or .net code using (Invoke-)WebRequest with AutomaticDecompression flag enabled.

The Gateway has HTTPS inspection enabled but the policy does not inspect the specific sites.
I have tried disabling the IPS, the issue persists.

Does the above behavior ring any bell of any kind of workaround or setting that I may miss?
Any hints on further troubleshooting, like what kind of debug commands I could enable to see any further information?

Kind regards,

John

3 Replies
_Val_
Admin
Admin
‎2022-10-24 04:09 AM

I would suggest a TAC case

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-10-24 04:15 AM

Take 161 GA contains some gzip & proxy fixes.

Suggest working the case further with TAC since you seem to have a good handle on how it can be replicated.

CCSM R77/R80/ELITE
0 Kudos
jkougoulos
Participant
‎2022-11-17 08:39 AM
In response to Chris_Atkinson

thanks for suggestions. Just as an update,  Take 180 did not fix the issue... I have to open a TAC case

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events