Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3

  • Hi, 

    Can you share some screenshots of these alerts?

  • Exact same issue here.  Updated to 17.1.3 MR-3 early today and have over 5000 of these in the IPS log.  Cannot seem to track down the signature in the IPS policy.

  • In reply to Ryan Collis:

    This is new to me. But as far as I can see, this seems to be the same type of thing as invalid traffic on XG.

    https://community.sophos.com/kb/en-us/131754

    Try to increase the Timeout value and keep an eye on those alerts.

    Open a support case to get an "official" answer to it.

  • In reply to LuCar Toni:

    Thanks for the reply. I'll give the timeout change a try. I am getting more of these showing now. All are TCP related. The connections appear to be to CDNs.

  • In reply to LuCar Toni:

    I saw that KB article yesterday, but since I never used a version pre-17.x, the notifications are enabled for all devices at our customers. The screenshots above are from a customer with 4 employees; we are talking about a network with 26 devices.

  • In reply to kerobra:

    The KBA is pointing out the issue of invalid traffic after V17.0, not pre-V17.0.

    Checked all my appliances; none of these are showing those alerts. But I use a timeout value of 24 hours.

  • In reply to LuCar Toni:

    Just wanted to point out that I don't see that issue on my other XG appliances. Since I had another problem with that device I wanted to do a firmware downgrade, which resulted in losing most of its configuration. I configured the same rules and IPS configuration on 17.0.9 and until now (2 days) everything is OK, not a single "Reset outside window"...

  • We are getting thousands of these per day as well. I suspect it was affecting functionality on some of the sites our users visit. They were complaining of intermittent time-outs. Support was able to change IPS to "detect" versus "drop" somehow in the CLI even though IPS was disabled on the rules in question. He seemed to realize quickly it was a known issue and escalated my case after grabbing some logs. v17.1.3 MR-3

  • In reply to ken9000:

    Any chance you can post the rule responsible for this? I can't seem to find it.

  • In reply to Ryan Collis:

    Hi  

    [Update] This KBA has been published for this issue.

    Regards,

  • In reply to Ryan Collis:

    That was part of the issue that was frustrating. Even if an IPS policy wasn't applied to the firewall rule in question, it would still interfere with traffic and the user would experience time-outs on business critical websites, etc. So basically it's buggy IPS in itself generating 250,000+ "reset outside window" events AND the bugged IPS is being applied when it shouldn't be.

     

    Support was able to change IPS to "alert" versus "drop" in the CLI and that got users going again, but they've since escalated the case to the "global escalation specialists". Obviously we want IPS working as intended, so it's only a workaround.

     

    Some other potential false positives with IPS we see with possible effects on legit traffic:
    "Data sent on stream after TCP Reset received" = 40,000+ times/day
    "TCP Timestamp is missing" = 10,000+ times/day
    "...Lets Encrypt SSL cert.." = 5000+ times/day

    We have about 250 users at this location.

    Will update as we find more.
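The three stream events listed in the post above are reassembly anomalies, not signature hits, which is why no IPS rule for them can be found in the policy. The added example below is not Sophos or Snort code; it is a constructed, minimal TCP stream tracker that reproduces each of the three events on a made-up exchange so their meaning is concrete. Event names mirror the log text quoted above; the checks follow RFC 793/5961 (a RST is honoured only if its sequence number falls in the receiver's window) and RFC 7323 (once timestamps are negotiated, every segment must carry the option). The `Segment` layout, the `SAMPLE` traffic and the `analyze` helper are assumptions made for illustration.

```python
"""Constructed example (not Sophos/Snort code): a minimal TCP stream tracker that
flags the three stream anomalies named in the thread. Field layout, event
ordering and the sample traffic are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Segment:
    src: str             # "client" or "server"
    seq: int
    flags: str           # "|"-separated, e.g. "PSH|ACK"
    window: int = 65535  # receive window advertised by src
    payload_len: int = 0
    tsopt: bool = True   # segment carries a TCP Timestamps option

    def has(self, flag: str) -> bool:
        return flag in self.flags.split("|")


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RCV.NXT <= seq < RCV.NXT + RCV.WND, compared in 32-bit sequence space."""
    return ((seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd


@dataclass
class Stream:
    # next sequence number the peer expects from each side
    expect_next: dict = field(default_factory=lambda: {"client": None, "server": None})
    # receive window most recently advertised by each side
    window_of: dict = field(default_factory=lambda: {"client": 0, "server": 0})
    ts_negotiated: Optional[bool] = None  # None until both SYNs have been seen
    reset_seen: bool = False
    events: List[Tuple[str, Segment]] = field(default_factory=list)

    def process(self, seg: Segment) -> None:
        dst = "server" if seg.src == "client" else "client"

        # Anything carrying data after an accepted RST is the second event in the thread.
        if self.reset_seen:
            if seg.payload_len > 0:
                self.events.append(("Data sent on stream after TCP Reset received", seg))
            return

        if seg.has("RST"):
            nxt = self.expect_next[seg.src]
            # RFC 5961 s3.2: a RST whose SEQ is outside the receiver's window is
            # ignored and the connection stays up; a stream engine logs exactly that.
            if nxt is not None and not in_window(seg.seq, nxt, self.window_of[dst]):
                self.events.append(("Reset outside window", seg))
                return
            self.reset_seen = True
            return

        # Timestamps are on only if both the SYN and the SYN|ACK carried TSopt (RFC 7323).
        if seg.has("SYN"):
            if seg.src == "client":
                self.ts_negotiated = seg.tsopt
            else:
                self.ts_negotiated = bool(self.ts_negotiated) and seg.tsopt
        elif self.ts_negotiated and not seg.tsopt:
            self.events.append(("TCP Timestamp is missing", seg))

        # Advance what the peer expects next from this sender; SYN and FIN each use one number.
        self.window_of[seg.src] = seg.window
        advance = seg.payload_len + int(seg.has("SYN")) + int(seg.has("FIN"))
        if self.expect_next[seg.src] is None or seg.seq == self.expect_next[seg.src]:
            self.expect_next[seg.src] = (seg.seq + advance) & 0xFFFFFFFF


def analyze(segments) -> List[str]:
    """Run a stream over the segments and return the anomaly names in order."""
    s = Stream()
    for seg in segments:
        s.process(seg)
    return [name for name, _ in s.events]


# Constructed exchange: clean handshake, a RST far outside the window (as an
# injected or stale segment would look), one data segment missing its timestamp,
# a genuine in-window RST, then data sent after that reset.
SAMPLE = [
    Segment("client", 1000, "SYN", window=65535),
    Segment("server", 5000, "SYN|ACK", window=29200),
    Segment("client", 1001, "ACK"),
    Segment("client", 1001, "PSH|ACK", payload_len=100),
    Segment("server", 9_000_000, "RST"),                              # nowhere near 5001
    Segment("server", 5001, "PSH|ACK", payload_len=200, tsopt=False),  # TSopt dropped mid-stream
    Segment("server", 5201, "RST"),                                   # exactly RCV.NXT: valid
    Segment("client", 1101, "PSH|ACK", payload_len=50),               # data after the reset
]

if __name__ == "__main__":
    for name in analyze(SAMPLE):
        print(name)
```

The point of the example is the sequence-space check in `in_window`: a stream engine that tracks the wrong expected sequence number or window (for example after an idle connection outlives its tracking timeout, which is why the KBA's advice to raise the timeout is relevant) will see a perfectly legitimate RST as "outside window", and once it has accepted a reset it will flag all further data on that flow.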

  • In reply to LuCar Toni:

    Hi,

    After upgrading the firmware to 17.1.3 MR-3, I got the same issue as above. IPS shows many records related to TCP connections. I scanned all the related devices for viruses but didn't find anything. The most affected OSes are iOS and macOS. I feel annoyed about this issue; how do I fix it?

    Best Regards,

  • In reply to Nghia NT:

    Hi  

    Apologies for this inconvenience,

    FloSupport

    If you (or any other community users) are affected by this issue, please raise a support case and PM me with your case ID for further investigation.

    I am currently following up on this issue with our support team.

    Regards,

  • In reply to FloSupport:

    To update our community,

    This is being investigated under the issue ID: NC-39687

    We will be publishing more information shortly, please stay tuned.

    Regards,

  • In reply to FloSupport:

    Hello, after I had solved some of the IPS errors with the 17.1.3 update, I still have the message "Reset outside window" in the log on some appliances.

    After a few tests of the configuration and comparison of the rules I noticed the point in the CLI.

    On the left side I do not receive the message in the IPS log. On the right, already 7k today.

    The difference would be "Detect_Anomalies" and "TCP_Block".

    Is this just information or a value that you can edit? And if so, how? I would like to test it with a smaller appliance on which I also get this error.

    And just for information: the 2 appliances have exactly the same configuration, and both are behind an SG with an identical configuration as well.

    Would be great if someone has an idea about it. Then I could test this.

    Thanks and best regards