CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Connection entry is not getting removed from R75.40 even though it receives a reset

  1. #1
    Join Date
    2016-03-21
    Posts
    5
    Rep Power
    0

    Connection entry is not getting removed from R75.40 even though it receives a reset

    Hi all,

    We have a 4800 pair running R75.40 GAIA. Here is the setup we have:

    Source-->Fw1(R75.40)-->Fw2(R77.20)-->Fw3(R77.20)-->Server

    The server has an idle session timeout of 900 seconds and sends a reset packet when it sees nothing for 900 secs. Fw3 and Fw2 close the connection after they see the reset packet, but Fw1 is not removing the entry from its connection table.

    As the source has received the reset packet, it will start all new connections with a TCP 3-way handshake. Now the issue is that when Fw1 sees the SYN packet, it converts it to an ACK (Smart Connection Reuse). But Fw2 drops the ACK packet as it has no entry in its connection table (it is expecting a SYN).

    The issue is intermittent on Fw1. Is it a bug in the R75.40 version?

    We have the default TCP timeout value.

    Any thoughts?

  2. #2
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    3

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Disable Smart Connection Reuse on your R75.40 gateway.
    sk24960: "Smart Connection Reuse" feature modifies some SYN packets

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,168
    Rep Power
    7

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by Superuser123 (the original post, quoted in full):
    I'm not sure why the one firewall isn't removing the connection from the connection table. Do all 3 have the same IPS policy?

    Maybe check fw_trust_rst_on_port between the 3?

    I use fwconn_smart_conn_reuse=1 to disable smart reuse.

  4. #4
    Join Date
    2016-03-21
    Posts
    5
    Rep Power
    0

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by jdmoore0883:
    Disable Smart Connection Reuse on you R75.40 gateway.
    sk24960: "Smart Connection Reuse" feature modifies some SYN packets
    I tried disabling it. I saw drops in the logs saying "SYN on already established connection", so I reverted it.

  5. #5
    Join Date
    2016-03-21
    Posts
    5
    Rep Power
    0

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by jflemingeds:
    I'm not sure why the one firewall isn't removing the connection from the connection table. Do all 3 have the same IPS policy?

    Maybe check fw_trust_rst_on_port between the 3?

    I use fwconn_smart_conn_reuse=1 to disable smart reuse.
    None of the 3 firewalls has an IPS policy.

    There is no Check Point documentation for this connection table issue. I clearly saw that the entry was removed last week and we thought the issue was resolved. I cannot understand why it is being removed now.

    Note: the source uses the same port when initiating the traffic.

  6. #6
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    3

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by Superuser123:
    I tried disabling it. I saw drops in the logs saying. "Syn on already established connection". So I reverted it back.
    After making the change, give things time to clear out of the connections table and for the connections to try to re-establish. Try pushing policy or manually clearing the connections table.

  7. #7
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    1,934
    Rep Power
    10

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    When a connection is considered "over" by the firewall, it will still hang out in the connections table for the number of seconds specified by TCP end timeout under Global Properties > Stateful Inspection, regardless of whether Smart Reuse is on or not. The default value is 20 seconds, and 5 more seconds are added if SecureXL is enabled (check with fwaccel stat). Try lowering the TCP end timeout to 5 seconds.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,168
    Rep Power
    7

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by Superuser123:
    All the 3 firewalls don't have IPS policy..

    There is no checkpoint documentation for this connection table issue. I clearly see the entry was removed last week and we thought the issue was resolved. I cannot understand why is it being removed now.

    Note: Source uses same port when initiating the traffic.
    Yeah, that sucks. I see basically two ways to deal with this.

    Recreate the R75.40 gateway in a lab and recreate the issue with tcpreplay or maybe netcat, assuming it will let you control the source port. It's a little hard to get tcpreplay working, but it's such a great tool to learn.

    Once you've recreated the issue you can then try applying the IPS policy used on the other gateways that don't have the issue.

    You can also try upgrading the firewall. Just thinking: if the other firewalls that are at a higher version aren't having the issue, then it's worth trying. Oh, and of course what ShadowPeak brought up as well.

    Or you can just disable Smart Connection Reuse with that kernel variable I posted. It will allow the 2nd session through, and the old TCP session will either be reused or a new one will be made and the old one will time out anyway.

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    1,934
    Rep Power
    10

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by jflemingeds:
    Yeah, that sucks. I see basically two way to deal with this.

    recreate the 75.40 gateway in a lab and recreate the issue with tcpreplay or maybe netcat assuming it will let you control source port. Its a little hard to get tcpreply working but its such a great tool to learn.
    Packet Injector (Check Point's version of Cisco's Packet Tracer tool) allows specifying a source port and is much easier to use. See sk110865.

  10. #10
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,168
    Rep Power
    7

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by ShadowPeak.com:
    Packet Injector (Check Point's version of Cisco's Packet Tracer tool) allows specifying a source port and is much easier to use. See sk110865.
    I really do need to take a better look at this, well, assuming User Center didn't go MIA... I mean... planned maintenance at noon on Friday. DOH!

  11. #11
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    1,934
    Rep Power
    10

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by jflemingeds:
    I really do need to take a better look at this, well assuming user center didn't go MIA.. i mean.. planned maintenance at noon on Friday. DOH!
    I put Packet Injector through its paces a while back and it has come in quite handy even though it is relatively new. It can be a bit tricky getting everything exactly correct such that the destination system receiving the crafted packet will answer back, and the tool will even show you that reply packet as well.

  12. #12
    Join Date
    2016-03-21
    Posts
    5
    Rep Power
    0

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by jdmoore0883:
    After making the change, give things time to clear out from the connections table and for the connections to try to re-establish. Try pushing policy or manually clearing the connections table.
    Thank you JD. We are planning to upgrade the box to R77.20 and see whether the issue is addressed. I have gone through the R75.40 known limitations article but did not find anything.

    I hope this upgrade fixes the issue.

  13. #13
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,168
    Rep Power
    7

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Quote Originally Posted by jflemingeds:
    I'm not sure why the one firewall isn't removing the connection from the connection table. Do all 3 have the same IPS policy?

    Maybe check fw_trust_rst_on_port between the 3?

    I use fwconn_smart_conn_reuse=1 to disable smart reuse.
    BTW this should have been

    fw_reuse_established_conn=-1
    Last edited by jflemingeds; 2017-01-20 at 14:02. Reason: ugh.. i'll get this right in a sec. :D
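
    The following script is an added example for this thread; it is not code from Check Point, from sk24960, or from any poster. It turns the advice in posts #3 and #13 (disable Smart Connection Reuse with the kernel parameter fw_reuse_established_conn, value -1) and post #6 (give the connections table time to clear, or clear it by hand) into a repeatable procedure, and also shows fw_trust_rst_on_port from post #3 alongside it. Assumptions that the thread does not state: the script runs in a Gaia/SecurePlatform shell where $FWDIR is set and fw is on the PATH; $FWDIR/boot/modules/fwkern.conf holds one "name=value" line per parameter and is read at boot; "fw ctl get int" prints "name = value"; and "fw tab -t connections -x" deletes every entry in the connections table. Setting FWKERN_CONF to a scratch file lets the persistence part run as a dry run on any host.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): manage the
# fw_reuse_established_conn kernel parameter at runtime and in fwkern.conf.
# ASSUMPTIONS: $FWDIR and the fw CLI exist on the gateway; fwkern.conf is a
# flat "name=value" file read at boot; -1 disables the feature (post #13).

# Path of the boot-time parameter file; FWKERN_CONF overrides it for a dry run.
conf_path() {
  printf '%s\n' "${FWKERN_CONF:-${FWDIR:?set FWDIR, or FWKERN_CONF for a dry run}/boot/modules/fwkern.conf}"
}

# Persistent value of a parameter (last matching line wins); prints nothing if unset.
get_persistent() {
  conf=$(conf_path)
  [ -f "$conf" ] || return 0
  sed -n "s/^$1=//p" "$conf" | tail -n 1
}

# Write name=value idempotently: existing lines for the name are replaced,
# every other line is kept, and the file is created if missing.
set_persistent() {
  name=$1; value=$2
  conf=$(conf_path)
  mkdir -p "$(dirname "$conf")"
  [ -f "$conf" ] || : > "$conf"
  tmp="$conf.tmp.$$"
  grep -v "^$name=" "$conf" > "$tmp" || true   # grep -v exits 1 when nothing is left
  printf '%s=%s\n' "$name" "$value" >> "$tmp"
  mv "$tmp" "$conf"
}

# In-kernel value via "fw ctl get int" (assumed output "name = value"),
# or "n/a" when the fw CLI is not present (dry run on a non-gateway host).
get_runtime() {
  command -v fw >/dev/null 2>&1 || { echo n/a; return 0; }
  fw ctl get int "$1" 2>/dev/null | sed -n 's/.*= *//p'
}

# Disable Smart Connection Reuse now (fw ctl set int is lost at reboot)
# and make it survive a reboot via fwkern.conf.
disable_smart_conn_reuse() {
  if command -v fw >/dev/null 2>&1; then
    fw ctl set int fw_reuse_established_conn -1
  fi
  set_persistent fw_reuse_established_conn -1
}

case "${1:-}" in
  status)
    for p in fw_reuse_established_conn fw_trust_rst_on_port; do
      printf '%-28s runtime=%s persistent=%s\n' \
        "$p" "$(get_runtime "$p")" "$(get_persistent "$p" || true)"
    done ;;
  disable)
    disable_smart_conn_reuse ;;
  flush)
    # Post #6: clearing the table drops every tracked connection on the
    # gateway, so do this in a maintenance window (or push policy instead).
    fw tab -t connections -x ;;
esac
```

    Run it as "sh smartreuse.sh status" before and after "sh smartreuse.sh disable" to confirm that the runtime and boot-time values agree; a runtime-only change is exactly the kind of setting that silently reverts after the next reboot or cluster failover. Whether the flush is needed at all depends on how long the stale entries linger (post #7's TCP end timeout), so check "fw ctl get int" output first and only flush if the entries still exist after that window.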

  14. #14
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    841
    Rep Power
    12

    Re: Connection entry is not getting removed from R75.40 even though it receives a reset

    Just a reminder, R75.40 has been out of support for eons...
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
