This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
evlad
Participant
‎2021-11-28 05:59 AM
Jump to solution

Why CP drops RST-ACK packets from client?

Something that I can not fully understand:
Firewall stands between Client and Server, Client working with any application on Server side through usual HTTPS session. They talking, exchange data... after small pause (1-2 min, not longer) RST-ACK packet suddenly sent from Client to Server.
And FW drop it because the packet "doesn't SYN" (I see many of them all in the LOG)!?
Why? How FW knows BEFORE Client that session was closed/terminated?
Client doesn't know this. Client may be mentioned that smth wrong in the session and wants to close it (RST). Why FW intercepts? The timeout for dead sessions is 1Hour (by CP default) and 1-2 minutes of silence is very-very far from 1Hour...

 

Any guru explanations will be appreciated,

 

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee
‎2021-11-28 11:29 PM
In response to evlad
Jump to solution

It's in the global properties > Stateful Inspection, under TCP end timeout. Basically, it's how long the gateway will wait for a FIN-ACK after seeing a FIN, or a RST-ACK after seeing a RST. Due to this, seeing RST-ACKs being dropped is pretty normal. OSs will often send a RST-ACK to close out a half-open/half-close connection, which generally won't match an existing connection.

View solution in original post

0 Kudos
12 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-11-28 07:06 AM
Jump to solution

Without seeing a packet capture showing the context in which the firewall dropped the RST-ACK it is not possible to determine why it was dropped.  Please provide a capture as well as the actual drop log card for this.

It is also possible that you are running afoul of the IPS Core Activation "Spoofed Reset", is that signature enabled in your environment?

Also any chance that there is a duplicate IP address assigned for the client?  Is the RST-ACK packet coming from the same Layer 2 MAC address involved with the successful connection packets?

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
evlad
Participant
‎2021-11-28 01:22 PM
In response to Timothy_Hall
Jump to solution

Tanks Timothy!
I will try to get Capture. But I can do this only on the FW, not on the client. Because client somewhere in the Internet (distance of many hops) and I have no possibility to ask him participate in debug (install wireshark or smth like this).
For the same reason I don't think the MAC on layer 2 matter...

And I will check "Spoofed Reset" Signature on IPS, thank You

0 Kudos
the_rock
Legend
Legend
‎2021-11-28 07:20 AM
Jump to solution

If by "doesn't SYN" (I see many of them all in the LOG)!? you mean "first packet isnt SYN? Is that what you see in the logs? If so, there could be many reasons...first, I would start by disabling securexl and see if issue goes away, but @Timothy_Hall is 100% right, we need to see packet capture to have better understanding.

Also, check out below, might be helpful:

 

https://community.checkpoint.com/t5/Security-Gateways/First-packet-isnt-SYN-r80-20/td-p/76108

Andy

0 Kudos
evlad
Participant
‎2021-11-28 01:05 PM
In response to the_rock
Jump to solution

O yes! I mean "first packet isn't SYN"... sorry about my english.
In fact I can simplify the question: how FW concludes that this is FIRST packet, not continuation of existing session? (Consider that You see sequence of accepted packets from that source IP to that Server IP just one minute before.)

the_rock
Legend
Legend
‎2021-11-28 04:10 PM
In response to evlad
Jump to solution

Hey, no worries, all good. Well, to answer your question, in simple terms, it could be determined by possibly how aggressive aging is configured and TCP timeout settings. Cant state that for certain in your case, but if you check the link I sent in my first response, it actually gives a pretty good explanation.

0 Kudos
emmap
Employee
Employee
‎2021-11-28 10:05 PM
In response to evlad
Jump to solution

The client may have sent a FIN packet earlier and not received a response, which would put the connection into a close_wait state and then timed out of the FW connection table after 5 or 20 seconds (depending on version). Then if the client is waiting another minute before RST-ACK'ing the connection out of its connection table, the connection would no longer be in the connection table on the gateway, and hence dropped out of state.

0 Kudos
evlad
Participant
‎2021-11-28 11:24 PM
In response to emmap
Jump to solution

emma, thank You so much!
This is very interesting scenario and it make sense for me. So, beside the session timeout defined 1Hour(3600sec), beside Aggressive Aging defined 10min(default), the FW has some another timeout defined 5 or 20 sec for connections in a "close_wait state"...  and the FW switch the connection to close_wait state when it met the FIN packet from any side of the connection, right?
I never read about this timeout and I will check... thank You!

0 Kudos
emmap
Employee
Employee
‎2021-11-28 11:29 PM
In response to evlad
Jump to solution

It's in the global properties > Stateful Inspection, under TCP end timeout. Basically, it's how long the gateway will wait for a FIN-ACK after seeing a FIN, or a RST-ACK after seeing a RST. Due to this, seeing RST-ACKs being dropped is pretty normal. OSs will often send a RST-ACK to close out a half-open/half-close connection, which generally won't match an existing connection.

0 Kudos
evlad
Participant
‎2021-11-29 02:44 AM
In response to emmap
Jump to solution

Thank You for answer!

0 Kudos
evlad
Participant
‎2021-11-28 01:10 PM
In response to the_rock
Jump to solution

... and yes - it's a Cluster. But I don't think the issue related ClusterXL because all LOG messages came from the same origin (same node) that is Active

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2021-11-28 03:41 PM
Jump to solution

Are you able to provide more context, does this happen only when the firewall policy is installed, how is your connection persistence configured?

CCSM R77/R80/ELITE
0 Kudos
max71
Participant
‎2023-05-16 05:52 AM
Jump to solution

Hi , today i have the same issues .. i do not see ant RST packet from client , but the firewall drop after RST ACK.

Have you solve the problem ? How ? thank you very much.

 

Max

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top