This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mikel_Aanstoot
Contributor
‎2019-10-02 02:36 AM

sysctl net.ipv4.tcp_timestamps

Hi, we see on a checkpoint 5900 R80.10 cluster when Mac and Linux clients are going to certain websites that those websites load very slow or not at all. In tcpdump traces we see a lot of retransmission and dup ack's stalling the TCP session. In Windows we do not see this behaviour at all. We finally found this to happen when on the client this is set: net.ipv4.tcp_timestamps=1. In Linux you can disable this and then we do not see this issue but on Mac since El Capitan you can not disable this anymore. When you change this setting on a Windows client by netsh int tcp set global timestamps=enabled  than you have the same behaviour. When using a proxy server for Mac clients with the tcp timestamps setting disabled also this problem disappears.

When the Mac and Linux clients are connected to a 1490 SMB this behaviour does not appear, so it is the combination client, Mac & Linux with net.ipv4.tcp_timestamps=1 set and our Checkpoint 5900 with R80.10 (although we also saw this on a 12210 with R77.x in 2016 when  Mac went to Yosemite. We could only replicate it then when the Checkpoint had a high load and this behaviour disappeared after some tweaking with the multiple processors and added more memory.)

On the gateway policy we disabled all IPS, TCP Inspection settings but problem persists. Anybody else aware of some setting so the checkpoint works good with clients with tcp timestamps enabled ?

kind regards,

Mikel Aanstoot

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-10-02 05:20 AM

What about disabling it following  sk62700: How to disable TCP timestamps (RFC 1323) ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mikel_Aanstoot
Contributor
‎2019-10-03 01:42 AM
In response to G_W_Albrecht

Hi, thanks for the reaction. According to the note below the SK: Note: This change will only be applied to local connections (connections where the source or destination is the gateway). 

So not sure if this will work ?

kind regards,Mikel

 

0 Kudos
Mikel_Aanstoot
Contributor
‎2019-11-18 10:41 PM
In response to Mikel_Aanstoot

FYI: We have opened a TAC case for this and Checkpoint confirmed our issue. We have received a HotFix for this issue and this seems to work perfectly. We only find it surprising that not more companies/people are affected by this behaviour. We don't have that specific config and would have expected that any Mac / Linux client could have experienced this issue.

Mikel

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events