Trying to understand what the exact cause/s for this PSL drop might be.
Anyone else seen it and found out more?
Log image attached. SK reference image attached.
"https Traffic Dropped from ... to ... due to Out of sequence TCP packet retransmission. Stripping all packet data. Please refer to sk172266."
I had this issue with customers a couple of times and below is what we did to fix it. Not saying it would work for you, but that's what did work in our case. You just need to put in the affected IPs/subnets in both src/dst.
Andy
Nice. Thanks!
I'm looking at SK122072
https://support.checkpoint.com/results/sk/sk122072
"Solution
These logs can be safely ignored and disabled by setting the following kernel parameter:
# fw ctl set int psl_disable_keepalive_logs 1"
But I'm also thinking about MTUs, ring buffer sizes and elephant flows (HyperFlow).
https://support.checkpoint.com/results/sk/sk42181
EDIT:
+ This is about image files being transferred over the network.
Well, here is my logic about this, and not only this, but really any traffic problem... so IF those logs are an indication of the actual issue, then it needs to be addressed. However, if you see them but you are simply curious why they are there (and have no other problems), then those SKs would make sense.
Also, all "TCP out of state" means, in the simplest terms, is this... communication is broken somewhere along the way; the 3-way handshake is not happening properly.
Andy
ACK. Agree.
Did you confuse Out of Sequence with Out of State? 😉
I did, sorry lol. Did not get much sleep, had a Fortigate cutover at 4:30 am, so my apologies.
But here is the bigger question... is there an ACTUAL traffic issue, or are you simply concerned about the logs you see?
Andy
Hi Guys,
do you have more info on why it is happening? We have a lot of these drops at the customer; it is HTTPS traffic from users to the Internet, and in the logs it is always
Invalid segment retransmission. Packet dropped. Please refer to sk172266. Streaming Engine: TCP Invalid Retransmission
and it's causing issues.
Is it related to brotli encoding or is it a general issue? - sk181282
Hi Martin,
Apologies for the late reply.
It may be best to open a ticket with TAC so that they can gather all the missing information (version, load & performance, and current configuration (including enabled blades and protections enabled, and cluster config), along with maybe packet captures).
I don't have any more information on this and only have the SKs to refer to, but you could look at the Inspection Settings and look to add exceptions (screenshot attached).
If PSL is dropping (because it offers some attack prevention before IPS signature matching) then it could point to a real problem, but otherwise it might need an exception somewhere or a Check Point Hotfix maybe(?)
Regards,
Don
Hi Don,
TAC investigated nothing; I had to do everything myself. Anyway, I found two issues.
Issue one, sk122072 - 'TCP out of Sequence' logs in SmartView Tracker:
the GW is marking keep-alives as out-of-state drops, which it should not do. We have a ticket.
Issue two, a lot of ACKs are disappearing in the customer network, making the retransmission invalid and out of state: the server has data and sends an ACK, the FW accepts the ACK and processes it, and after that the ACK disappears. The client retransmits and the FW drops it because the ACK has already been seen and the retransmission is already out of state with the old seq number.
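As an added illustration (not code from this thread, and not Check Point's streaming engine, whose internal logic is not public), here is a small Python model of the two situations described above, seen from an inline inspector's point of view. It tracks one TCP connection, records every server ACK that passes the inspector, and then classifies each client-to-server segment: an RFC 1122 keep-alive probe (seq equal to the next expected byte minus one, at most one byte of payload) is recognised before anything else, otherwise a resend of bytes the inspector has already seen the server acknowledge is reported as an invalid retransmission, which is exactly the outcome when the server's ACK is lost downstream of the firewall through asymmetric routing or a flaky core router. The classification names, the simplified state (only the server's highest ACK is tracked), and all sequence numbers and segment sizes are constructed for the example.

```python
# Added example: a toy model of how an inline inspector can end up classifying
# keep-alive probes and post-ACK-loss retransmissions. Not Check Point PSL code.
# All traces below are constructed, not captured from a real network.
from dataclasses import dataclass


@dataclass
class Segment:
    direction: str  # "c2s" (client to server) or "s2c" (server to client)
    seq: int        # sequence number of the first payload byte
    ack: int        # acknowledgement number carried by the segment
    length: int     # payload length in bytes
    flags: str = "A"


@dataclass
class StreamState:
    client_next_seq: int  # next client byte the inspector expects to see
    server_acked: int     # highest ACK from the server the inspector has seen


def classify(state: StreamState, seg: Segment) -> str:
    """Update the tracker with one segment and return its classification."""
    if seg.direction == "s2c":
        # Only the server's ACKs matter in this model. The inspector records
        # them whether or not they ever reach the client.
        state.server_acked = max(state.server_acked, seg.ack)
        return "ack"

    end = seg.seq + seg.length
    if seg.seq == state.client_next_seq:
        state.client_next_seq = end
        return "in_order"
    # RFC 1122 4.2.3.6: a keep-alive probe carries SEG.SEQ = SND.NXT - 1 and
    # zero or one byte of data. It must be checked before the "already ACKed"
    # rule below, otherwise it is misreported as an out-of-sequence resend.
    if seg.length <= 1 and seg.seq == state.client_next_seq - 1:
        return "keepalive"
    if end <= state.server_acked:
        # The inspector already saw the server ACK these bytes, so from its
        # point of view the client has no reason to resend them.
        return "invalid_retransmission"
    if seg.seq < state.client_next_seq:
        return "retransmission"  # resend of data not yet ACKed: legitimate
    return "out_of_order"  # a gap: bytes before seg.seq are still missing


def run(trace, state):
    return [classify(state, s) for s in trace]


def lost_ack_scenario():
    # Constructed trace for "issue two": the server's ACK passes the firewall
    # but is dropped downstream, so the client retransmits after its RTO.
    state = StreamState(client_next_seq=1, server_acked=1)
    trace = [
        Segment("c2s", 1, 1, 1000, "PA"),  # client request
        Segment("s2c", 1, 1001, 0, "A"),   # ACK seen by FW, never reaches client
        Segment("c2s", 1, 1, 1000, "PA"),  # client RTO retransmission
    ]
    return run(trace, state)


def healthy_retransmission_scenario():
    # Same retransmission, but the firewall never saw an ACK: legitimate.
    state = StreamState(client_next_seq=1, server_acked=1)
    trace = [
        Segment("c2s", 1, 1, 1000, "PA"),
        Segment("c2s", 1, 1, 1000, "PA"),
    ]
    return run(trace, state)


def keepalive_scenario():
    # Idle connection: everything ACKed, then two keep-alive probes and one
    # genuinely stale segment whose bytes were acknowledged long ago.
    state = StreamState(client_next_seq=1001, server_acked=1001)
    trace = [
        Segment("c2s", 1000, 1, 0, "A"),    # zero-byte probe
        Segment("c2s", 1000, 1, 1, "A"),    # one-garbage-byte variant
        Segment("c2s", 900, 1, 100, "PA"),  # stale data, already ACKed
    ]
    return run(trace, state)


if __name__ == "__main__":
    print("lost ACK:", lost_ack_scenario())
    print("healthy:", healthy_retransmission_scenario())
    print("keep-alive:", keepalive_scenario())
```

The point of the ordering in classify() is the thread's issue one: without the keep-alive check first, the probe in keepalive_scenario() would fall into the "already ACKed" branch and be reported like any other out-of-sequence retransmission, which is the log noise sk122072 is about. The lost-ACK trace is issue two: the inspector's verdict is internally consistent, so the fix is on the path where the ACK vanished, not on the gateway. When you do apply the thread's psl_disable_keepalive_logs toggle with fw ctl set int, remember it only changes what gets logged and is lost on reboot unless the parameter is also added to $FWDIR/boot/modules/fwkern.conf.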
How did you solve the issue?
Issue one: I have changed fw ctl set int psl_disable_keepalive_logs 1,
but with no effect. Also curious how you solved issue 2.
For us this worked - fw ctl set int psl_disable_keepalive_logs 1;
we don't see keep-alives as Drops.
Issue two, we don't know where, but it has to be the customer environment, probably a core router or asymmetric routing, which is there as we found out.
If it does not work for you - fw ctl set int psl_disable_keepalive_logs 1 -
then it's probably not keep-alive traffic but something else which is making the TCP retransmission out of sequence.