This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Karlsson
Participant
‎2018-12-14 06:57 AM

Microsoft Exchange Online Protection and TCP segment out of maximum allowed sequence. Packet dropped.

We have recently seen an increasing amount of drops due to "TCP segment out of maximum allowed sequence."

After contact with support we are provided sk66576.
The issue is thus related to tcp window size and the firewall will drop a session after not seeing the expected ACK after 16384 bytes by default.
The recommendation as per the SK is to gradually increase this until the drops disappear or the security gateway gets low on memory.

However, after some analysis it seems that the involved sources and destinations are all related to Office365 for users https connections and Microsoft Exchange Online Protection for SMTP.

Are we the only ones seeing this issues? Did Microsoft update their services to use more aggressive settings?

Any insight or shared experience will be greatly appreciated.

2 Replies
Alisson_Lima
Contributor
‎2018-12-15 09:18 AM

Hi Daniel,

This is a behavior a lot complex. Like you mentioned, the drops ocurred with requests to Office 365 and the, It's possible create a exception in this signature? Besides that:

1 - What's firewall version and take release you are using?

Regards,

Alisson Lima

0 Kudos
Daniel_Karlsson
Participant
‎2018-12-17 12:51 AM
In response to Alisson_Lima

Hello Alison

We added an execption for the threat and that works well of course. However I have read in other threads that this may in fact put all inspection out of order. This it not yet 100% determined.

We use R80.10 HFA Take 103
(We attempted Take 154 but had to back out due to issues with certain sensitive traffic.)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events