Reset outside window - false alarm?

Hi, 

can you share some screenshots of this alerts? 

Hi, 

can you share some screenshots of this alerts? 

I saw that KB article yesterday, but since I never used a version pre 17.x the notifications are enabled for all devices at our customers. The screenshots above are from a customer with 4 employees, we are talking about a network with 26 devices.

The KBA is pointing about the fact of invalid traffic after V17.0 - not pre V17.0

Checked all my appliances, none of these are showing those alerts. But i use a timeout value of 24 hours. 

Just wanted to point out that I don't know that issue on my other XG appliances. Since I had another problem with that device I wanted to do a firmware downgrade, which resulted in losing most of it's configuration. I configured the same rules and IPS configuration on 17.0.9 and until now (2 days) everything is OK, not a single "Reset outside window"...

Hi,

After upgrading the firmware 17.1.3 MR-3, i got the same issue above. IPS shows many records related to TCP connection. I scanned virus for all the related devices but don't find anything. The most affected OS are iOS and macOS. I feel annoyed about this issue, how to fix it.

Best Regards,

Hi Nghia NT 

Apologies for this inconvenience,

FloSupport said:

If you (or any other community users) are affected by this issue, please raise a support case and PM me with your case ID for further investigation.

I am currently following up on this issue with our support team.

Regards,

To update our community,

This is being investigated under the issue ID: NC-39687

We will publishing more information shortly, please stay tuned.

Regards,

Hello, After I have solved some of the IPS errors with the update 17.1.3 for me once I have with some appliances in the LOG still the message "Reset ouside Window".

After a few tests of the configuration and comparison of the rules I noticed the point in the CLI.

On the left side I do not receive the message in the IPS log. In the right today already 7k.

the difference would be "Detect_Anomalies" and "TCP_Block"

Is this just an information or a value that you can edit? And if so how? Would like to test it with a smaller appliance on which I also get this error.

And just for information: The 2 appliances are completely the same configuration, both are each behind a SG with also identical configuration.

Would be great if someone has an idea about it. Then I could test this.

Thanks and best regards

Basically you can change those values. 

Simply replace show with set and try to "doubletab" through the config. 

I thought so too.

I tried it with "set ips_conf update key DETECT_ANOMALIES value no". The IPS then restarts and reports "successfully updated".
Unfortunately, the value of "show" remains the same.

Would have been just such an idea because it is on the one appliance which receives no IPS messages just different and these values ​​are not even present in the version 17.0.6

Thanks in advance and best regards

Pascal

You took the wrong path. Do not use update and ips_conf. Instead use ips.

console> set ips tcp_option detect_anomalies disable