I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.Firmware is 17.1.3 MR3
We are getting thousands of these per day as well. I suspect it was affecting functionality on some of the sites our users visit. They were complaining of intermittent time-outs. Support was able to change IPS to "detect" versus "drop" somehow in the CLI even though IPS was diasabled on the rules in question. He seemed to realize quickly it was a known issue and escalated my case after grabbing some logs. v17.1.3 MR-3
Any chance you can post the rule responsible for this? I can't seem to find it.
Hi Ryan Collis
[Update] This KBA has been published for this issue.
That was part of the issue that was frustrating. Even if an IPS policy wasn't applied to the firewall rule in question it would still interfere with traffic and the user would experience time-outs on business critical websites, etc. So basically it's buggy IPS in itself generating 250,000+ "reset outside window" events AND the bugged IPS it's being applied when it shouldn't be.
Support was able to change IPS to "alert" versus "drop" in the CLI and that got users going again but they've since escalated the case to the "global escalation specialists". Obviously we want IPS working as intended so it's only a workaround.
Some other potential false positives with IPS we see with possible effects on legit traffic:"Data sent on stream after TCP Reset received" = 40,000+ times/day"TCP Timestamp is missing" = 10,000+ times/day"...Lets Encrypt SSL cert.." = 5000+ times/dayWe have about 250 users at this location.
Will update as we find more.