This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rabindra_Khadka
Contributor
‎2020-06-21 04:39 AM
Jump to solution

Traffic is being block with the reason connection terminated before detection

Dear @PhoneBoy and @Teams

I have been facing this issue for long time. Actually i have two image to show you as a case

Case : Image 1 

On the first image the traffic is seen as accept by rule 21.1 with the reason Connection terminated before detection: Insufficient data passed. To learn more see sk113479.

This traffic is also match on rule 21.2 which is a accept rule on port 80.

Results: The connection was block even though there is a accept policy rule 21.2 for this traffic.

 

 Case : Image 2 

On the Second image the traffic is seen as drop by rule Sub Cleanup Rule with the reason Connection terminated before detection: Insufficient data passed. To learn more see sk113479.

This traffic is also match on Sub-Cleanup Rule which is a drop rule for unmatched traffic.

Results: The connection was block by the Sub Cleanup Rule but unfortunately we can see the traffic is being passed and is allowed on the core firewall where there is the policy for this traffic. 

 

Conclusion: 

Can you Please explain me what does Connection terminated before detection: Insufficient data passed. To learn more see sk113479 means. This reason is seen on both accept and drop logs and when it says accept the traffic is actually still block and when it say drop by external firewall the same traffic is seen as allow in internal firewall with the same checkpoint vendor firewall. What kind of this behavior it is i really can't understand. i have verify all the policy rule and the traffic, all the source ip and destination ip and the service port is the same. Also have latest hotfix installed for r80.20.

@PhoneBoy  Need your help to understand this. there might be some explanation or solution for this.

 

Preview file
103 KB
(1)
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-06-21 08:52 AM
Jump to solution

The SK referenced in the error is fairly clear: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You need to dig into both logs to determine the precise reason.
For a little background on the problem of detecting applications in connections in general, see: https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/

View solution in original post

0 Kudos
17 Replies
PhoneBoy
Admin
Admin
‎2020-06-21 08:52 AM
Jump to solution

The SK referenced in the error is fairly clear: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You need to dig into both logs to determine the precise reason.
For a little background on the problem of detecting applications in connections in general, see: https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/
0 Kudos
Kaloyan_Kirchev
Contributor
‎2020-07-13 01:20 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy Any idea how to workaround this "Connection terminated before detection: Insufficient data. <X> bytes passed"

How to disable engine/application detection for a specific traffic? I just want it to pass.

FW accelerator ? Or something else?

Thanks in advance.

0 Kudos
Guo_Zhang
Participant
‎2020-07-13 06:29 AM
In response to Kaloyan_Kirchev
Jump to solution

We had same issue on r80.30 with latest Jumbo hotfix.

Any help will be appreciated.

Thanks 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-13 10:59 AM
In response to Kaloyan_Kirchev
Jump to solution

The traffic is already passing.
The log message is explicitly telling you this.
0 Kudos
Kaloyan_Kirchev
Contributor
‎2020-07-14 05:40 AM
In response to PhoneBoy
Jump to solution

Due to logs traffic is accepted. 

BUT the application(3rd party manually written software) obviously was not working.

The "fw ctl fast_accel" on the exact traffic seems to solve the problem.

In fact did it use more memory? For a couple of days appliance(5200) is not going under 90% of RAM usage.

Also some "java" is eating CPU. I can post images from "top, free -m" etc.

I see there is new JHF but it probably would need a restart and I will wait for non-working hours.

0 Kudos
Guo_Zhang
Participant
‎2020-07-14 06:17 AM
In response to PhoneBoy
Jump to solution

 

 

Thanks your reply.

I did see log shows "accept". but it also says "connection terminated"

if firewall honor the connection, it should say "connection NOT terminated". kind of confuse.

I see at least two different scenario:

1: the TCP session did not finish 3 way handshake and get "connection terminated"

2: sever sent syn ack, client "reset" connection and get "connection terminated"

Kaloyan_Kirchev
Contributor
‎2020-07-14 06:23 AM
In response to Guo_Zhang
Jump to solution

In my case CP logs state that there is too little data info for inspection engine to understand the application.

I understand it this way - application sending different MTU packets or app data in packets is not standart.

Port is standart 80/443 but app itself could open some higher unknown ports.

There is an SK above, take a look. It helped me.

Rather than this solution for me was FW accelerator:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

PhoneBoy
Admin
Admin
‎2020-07-14 09:42 AM
In response to Guo_Zhang
Jump to solution

To be clear, the message means: "We allowed the connection and it terminated before we could fully classify what application it was."
That means it completed the three-way handshake, passed a small amount of data, and terminated successfully.

0 Kudos
Kaloyan_Kirchev
Contributor
‎2020-07-14 01:40 PM
In response to PhoneBoy
Jump to solution

Could this be a reason for APP or URL filter to block the app? Because it is "unknown"?

In URL I have Cleanup accept all rule - should not be this one.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-14 03:40 PM
In response to Kaloyan_Kirchev
Jump to solution

App Control or URL Filtering requires a certain amount of traffic to pass to positively classify traffic, as described here: https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/ 
If it hasn't classified the traffic after a certain number of bytes, it's classified as "Unknown" and if your policy is configured to block that, it will.

0 Kudos
User-checkpoint
Explorer
‎2020-07-14 10:07 AM
Jump to solution

Hi @Rabindra_Khadka ,

I face same issue two weeks back, the issue was the return traffic arrives at the different interface, please capture tcpdump on incoming and outgoing interface to make sure that traffic is flowing without any issue. before go for deep troubleshooting.

Best Regards,

0 Kudos
Guo_Zhang
Participant
‎2020-07-15 04:00 AM
In response to User-checkpoint
Jump to solution

Thanks all your guys respond.

The information you provided are valuable to me. CheckMates community is  a great platform. 

andre1gordo
Explorer
‎2020-07-28 12:14 PM
In response to Guo_Zhang
Jump to solution

Did you manage to fix the issue? how?

0 Kudos
Johannes_Bachma
Participant
‎2020-07-29 04:53 AM
In response to andre1gordo
Jump to solution

Have you already checked the possible solution from @User-checkpoint ?

We also had the same issue and found out that we had a asymentric routing in a very specific scenario. After we solved the routing issue, we didnt get the "Connection terminated before detection: Insufficient data passed.anymore.

0 Kudos
tgrbtly
Explorer
‎2020-09-09 02:32 AM
Jump to solution

We have almost same stiuation here, traffic should be dropped by our policy but when we look at logs, logs are accept but its said connection terminated before detection. There is no any routing issues. Checkpoint support said firewall did not block any traffic when you see these logs but it seems do.

0 Kudos
bklujan28
Explorer
‎2020-12-09 01:31 PM
Jump to solution

Hi, we have a similar issue, but in this case the rulebase is configured with Ordered Layers and traffic is allowed on both layers, but you still see the message "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." And so users report that the connection is interrupted or they have time-out errors or that they simply can't start the connection. I should even mention that there is a bypass rule for this traffic. See the logs.

Preview file
12 KB
Preview file
14 KB
Preview file
3 KB
0 Kudos
Julian_Sanchez
Collaborator
‎2022-06-22 07:44 AM
In response to bklujan28
Jump to solution

We have the same problem. The traffic show passed and accepted, the trafffic show bypass too. However, we had problem with the application. Any workaround or solve this case?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events