...
First observed with SQL traffic, which may intermittently start to fail through FTD with no drop reason visible in the lina asp drop capture and no snort drop/blacklist verdict, while the client reports SQL error code 08S01 (An existing connection was forcibly closed by the remote host). TCP traffic that gets RST by the server, together with many stream_tcp.invalid_seq and stream_tcp.invalid_ack counters and stream_tcp.exceeded_max_segs / stream_tcp.exceeded_max_bytes, MAY be a sign of 08S01. Look out for any sequence number wrap-arounds as well; they are a different flavor of this bug.
This TCP traffic failure was first observed after the upgrade to 7.2.5.1, when large amounts of SQL traffic traversed the device.
Prefilter fast-path the SQL or other affected TCP traffic.
If you suspect you are hitting this issue, please collect the following:
1) System support trace containing the SYN packet of the flow through the closure of the flow
2) capture-traffic from FTD clish ( > ) from SYN to failure
3) ingress and egress interface captures from lina (system support diagnostic-cli)

Important note: The fix for this defect introduces additional security checks for the Transmission Control Protocol (TCP) sequence numbers and a calculated window size check. In the example of a TCP connection between peers A and B, if the current packet sequence number from A is greater than the sum of the last acknowledgment number and the current window size of B, then the snort engine running in inline mode blocks the current and subsequent packets. In other words, if the bytes in flight from peer A exceed the calculated window size of B, the snort engine running in inline mode blocks the current and subsequent packets.

In this example, BIF is "bytes in flight" and CWS is "calculated window size". Peer B's calculated window size is 14520 (line 2, CWS=14520). A keeps sending segments without an acknowledgment from B. Notice that starting from line 14, A's sequence number is greater than the last ACK plus CWS from B (line 2: ACK=689738077 + CWS=14520 = 689752597). Additionally, at lines 13-15 the BIF of A exceeds B's CWS.

1. A: SEQ=689738077, ACK=0, CWS=65535
2. B: SEQ=2257542582, ACK=689738077, CWS=14520
3. A: SEQ=689738077, ACK=2257542583, BIF=703, CWS=4194240
4. A: SEQ=689738780, ACK=2257542583, BIF=2143, CWS=4194240
5. A: SEQ=689740220, ACK=2257542583, BIF=3583, CWS=4194240
6. A: SEQ=689741660, ACK=2257542583, BIF=5023, CWS=4194240
7. A: SEQ=689743100, ACK=2257542583, BIF=6463, CWS=4194240
8. A: SEQ=689744540, ACK=2257542583, BIF=7903, CWS=4194240
9. A: SEQ=689745980, ACK=2257542583, BIF=9343, CWS=4194240
10. A: SEQ=689747420, ACK=2257542583, BIF=10783, CWS=4194240
11. A: SEQ=689748860, ACK=2257542583, BIF=12223, CWS=4194240
12. A: SEQ=689750300, ACK=2257542583, BIF=13663, CWS=4194240
13. A: SEQ=689751740, ACK=2257542583, BIF=15103, CWS=4194240
14. A: SEQ=689753180, ACK=2257542583, BIF=16543, CWS=4194240
15. A: SEQ=689754620, ACK=2257542583, BIF=17087, CWS=4194240

The output of the system support trace command shows errors in the TCP normalizer and the block verdict for SEQ=689753180 and SEQ=689754620:

192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Packet 46: TCP ***A****, 03/04-13:37:51.330991, seq 689753180, ack 2257542583, dsize 1440
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Normalizer: Sequence number is invalid <-----------
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Normalizer: Trimming payload with length (1440) to a maximum value of 0
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 AppID: service: HTTP(676), client: (0), payload: (-1), misc: (0)
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Policies: Network 0, Inspection 0, Detection 3
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Verdict: block <-----------
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Verdict Reason: stream, allow
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Packet 47: TCP ***A****, 03/04-13:37:51.330991, seq 689754620, ack 2257542583, dsize 544
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Normalizer: Sequence number is invalid <-----------
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Normalizer: Trimming payload with length (544) to a maximum value of 0 <-----------
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 AppID: service: HTTP(676), client: (0), payload: (-1), misc: (0)
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Policies: Network 0, Inspection 0, Detection 3
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Verdict: block <-----------
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Verdict Reason: stream, allow
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 File policy verdict is Type and Malware
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 File type policy, 2, has no data for file type 69 with app 0
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Deleting Firewall session flags=0x40012040, logFlags=0x1000
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 Generating an EOF event with rule_id = 268444675 ruleAction = 2 ruleReason = 0
192.0.2.1 49631 -> 192.0.2.2 443 6 AS=5 ID=19 flow setup event

In TCP connections, packets with sequence numbers should be within the acceptable range of the receiver's TCP window.
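The following Python script is an added example and is not Cisco's code or any part of the snort engine; it replays the 15-segment A/B exchange quoted above through the post-fix check as the note describes it (block when SEQ from A exceeds B's last ACK plus B's CWS, and compute bytes in flight as SEQ plus payload minus the peer's last ACK). SEQ, ACK and CWS values are copied from the numbered list; the payload sizes (703, eleven segments of 1440, then 544) are derived from the SEQ deltas and the dsize values in the trace, and the Segment class and function names are this example's own. Running it reproduces the two blocked sequence numbers the trace shows and the three lines where BIF exceeds B's window.

```python
"""Added example (not Cisco's code): replay the A/B exchange from the bug
description through the post-fix TCP normalizer rule as the text describes it,
and report which segments the rule flags."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    line: int     # position in the bug's numbered list
    peer: str     # "A" or "B"
    seq: int
    ack: int      # 0 means the ACK flag is not set (the initial SYN)
    cws: int      # window size advertised by this peer
    payload: int  # dsize in bytes


def build_exchange():
    """The 15 segments from the bug description (constructed from the page's values)."""
    segs = [
        Segment(1, "A", 689738077, 0, 65535, 0),           # line 1: SYN
        Segment(2, "B", 2257542582, 689738077, 14520, 0),  # line 2: SYN-ACK, B's CWS=14520
        Segment(3, "A", 689738077, 2257542583, 4194240, 703),
    ]
    seq = 689738077 + 703  # line 4 starts where line 3's 703-byte payload ended
    for line in range(4, 16):
        payload = 1440 if line < 15 else 544  # line 15 carries dsize 544 in the trace
        segs.append(Segment(line, "A", seq, 2257542583, 4194240, payload))
        seq += payload
    return segs


def evaluate(segments):
    """Apply the check to every payload-bearing segment, in order.

    For a segment from peer X the reference is the latest ACK and window
    advertised by the other peer. The segment is blocked when
        seq > peer_ack + peer_cws
    and BIF (bytes in flight, as the bug lists it) is seq + payload - peer_ack.
    """
    last_advert = {}  # peer -> (ack, cws) from that peer's latest segment with ACK set
    results = []
    for seg in segments:
        other = "B" if seg.peer == "A" else "A"
        if seg.payload > 0 and other in last_advert:
            peer_ack, peer_cws = last_advert[other]
            bif = seg.seq + seg.payload - peer_ack
            results.append({
                "line": seg.line,
                "seq": seg.seq,
                "bif": bif,
                "bif_over_window": bif > peer_cws,
                "blocked": seg.seq > peer_ack + peer_cws,
            })
        if seg.ack:  # only segments with the ACK flag set update the reference
            last_advert[seg.peer] = (seg.ack, seg.cws)
    return results


def blocked_sequence_numbers(segments):
    """SEQ values the post-fix check would block (the trace shows the same two)."""
    return [r["seq"] for r in evaluate(segments) if r["blocked"]]


def lines_with_bif_over_window(segments):
    """List positions where A's bytes in flight exceed B's window of 14520."""
    return [r["line"] for r in evaluate(segments) if r["bif_over_window"]]


if __name__ == "__main__":
    exchange = build_exchange()
    for r in evaluate(exchange):
        print(f"line {r['line']:2d} seq={r['seq']} bif={r['bif']:5d} "
              f"bif>cws={r['bif_over_window']} blocked={r['blocked']}")
    print("B last ACK + CWS =", 689738077 + 14520)
    print("blocked SEQs:", blocked_sequence_numbers(exchange))
    print("BIF over window at lines:", lines_with_bif_over_window(exchange))
```

Note that line 13 is not blocked even though its BIF (15103) already exceeds B's window: its starting SEQ (689751740) is still below 689752597, and the check compares the segment's sequence number, not its end, against the last ACK plus CWS. That matches the trace, which first reports "Sequence number is invalid" at SEQ=689753180.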