Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Rabindra_Khadka
Contributor

Traffic is being block with the reason connection terminated before detection

Dear @PhoneBoy and @Teams

I have been facing this issue for long time. Actually i have two image to show you as a case

Case : Image 1 

On the first image the traffic is seen as accept by rule 21.1 with the reason Connection terminated before detection: Insufficient data passed. To learn more see sk113479.

This traffic is also match on rule 21.2 which is a accept rule on port 80.

Results: The connection was block even though there is a accept policy rule 21.2 for this traffic.

 

 Case : Image 2 

On the Second image the traffic is seen as drop by rule Sub Cleanup Rule with the reason Connection terminated before detection: Insufficient data passed. To learn more see sk113479.

This traffic is also match on Sub-Cleanup Rule which is a drop rule for unmatched traffic.

Results: The connection was block by the Sub Cleanup Rule but unfortunately we can see the traffic is being passed and is allowed on the core firewall where there is the policy for this traffic. 

 

Conclusion: 

Can you Please explain me what does Connection terminated before detection: Insufficient data passed. To learn more see sk113479 means. This reason is seen on both accept and drop logs and when it says accept the traffic is actually still block and when it say drop by external firewall the same traffic is seen as allow in internal firewall with the same checkpoint vendor firewall. What kind of this behavior it is i really can't understand. i have verify all the policy rule and the traffic, all the source ip and destination ip and the service port is the same. Also have latest hotfix installed for r80.20.

@PhoneBoy  Need your help to understand this. there might be some explanation or solution for this.

 

0 Kudos
Reply
16 Replies
PhoneBoy
Admin
Admin

The SK referenced in the error is fairly clear: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You need to dig into both logs to determine the precise reason.
For a little background on the problem of detecting applications in connections in general, see: https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/
0 Kudos
Reply
Kaloyan_Kirchev
Contributor

@PhoneBoy Any idea how to workaround this "Connection terminated before detection: Insufficient data. <X> bytes passed"

How to disable engine/application detection for a specific traffic? I just want it to pass.

FW accelerator ? Or something else?

Thanks in advance.

0 Kudos
Reply
Guo_Zhang
Participant

We had same issue on r80.30 with latest Jumbo hotfix.

Any help will be appreciated.

Thanks 

0 Kudos
Reply
PhoneBoy
Admin
Admin

The traffic is already passing.
The log message is explicitly telling you this.
0 Kudos
Reply
Kaloyan_Kirchev
Contributor

Due to logs traffic is accepted. 

BUT the application(3rd party manually written software) obviously was not working.

The "fw ctl fast_accel" on the exact traffic seems to solve the problem.

In fact did it use more memory? For a couple of days appliance(5200) is not going under 90% of RAM usage.

Also some "java" is eating CPU. I can post images from "top, free -m" etc.

I see there is new JHF but it probably would need a restart and I will wait for non-working hours.

0 Kudos
Reply
Guo_Zhang
Participant

 

 

Thanks your reply.

I did see log shows "accept". but it also says "connection terminated"

if firewall honor the connection, it should say "connection NOT terminated". kind of confuse.

I see at least two different scenario:

1: the TCP session did not finish 3 way handshake and get "connection terminated"

2: sever sent syn ack, client "reset" connection and get "connection terminated"

Kaloyan_Kirchev
Contributor

In my case CP logs state that there is too little data info for inspection engine to understand the application.

I understand it this way - application sending different MTU packets or app data in packets is not standart.

Port is standart 80/443 but app itself could open some higher unknown ports.

There is an SK above, take a look. It helped me.

Rather than this solution for me was FW accelerator:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

PhoneBoy
Admin
Admin

To be clear, the message means: "We allowed the connection and it terminated before we could fully classify what application it was."
That means it completed the three-way handshake, passed a small amount of data, and terminated successfully.

0 Kudos
Reply
Kaloyan_Kirchev
Contributor

Could this be a reason for APP or URL filter to block the app? Because it is "unknown"?

In URL I have Cleanup accept all rule - should not be this one.

0 Kudos
Reply
PhoneBoy
Admin
Admin

App Control or URL Filtering requires a certain amount of traffic to pass to positively classify traffic, as described here: https://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/ 
If it hasn't classified the traffic after a certain number of bytes, it's classified as "Unknown" and if your policy is configured to block that, it will.

0 Kudos
Reply
User-checkpoint
Explorer

Hi @Rabindra_Khadka ,

I face same issue two weeks back, the issue was the return traffic arrives at the different interface, please capture tcpdump on incoming and outgoing interface to make sure that traffic is flowing without any issue. before go for deep troubleshooting.

Best Regards,

0 Kudos
Reply
Guo_Zhang
Participant

Thanks all your guys respond.

The information you provided are valuable to me. CheckMates community is  a great platform. 

andre1gordo
Explorer

Did you manage to fix the issue? how?

0 Kudos
Reply
Johannes_Bachma
Participant

Have you already checked the possible solution from @User-checkpoint ?

We also had the same issue and found out that we had a asymentric routing in a very specific scenario. After we solved the routing issue, we didnt get the "Connection terminated before detection: Insufficient data passed.anymore.

0 Kudos
Reply
tgrbtly
Explorer

We have almost same stiuation here, traffic should be dropped by our policy but when we look at logs, logs are accept but its said connection terminated before detection. There is no any routing issues. Checkpoint support said firewall did not block any traffic when you see these logs but it seems do.

0 Kudos
Reply
bklujan28
Explorer

Hi, we have a similar issue, but in this case the rulebase is configured with Ordered Layers and traffic is allowed on both layers, but you still see the message "Connection terminated before detection: Insufficient data passed. To learn more see sk113479." And so users report that the connection is interrupted or they have time-out errors or that they simply can't start the connection. I should even mention that there is a bypass rule for this traffic. See the logs.

0 Kudos
Reply