
Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3



  • We are getting thousands of these per day as well. I suspect it was affecting functionality on some of the sites our users visit. They were complaining of intermittent time-outs. Support was able to change IPS to "detect" versus "drop" somehow in the CLI even though IPS was disabled on the rules in question. He seemed to realize quickly it was a known issue and escalated my case after grabbing some logs. v17.1.3 MR-3

  • Any chance you can post the rule responsible for this?  I can't seem to find it.

  • Hi  

    [Update] This KBA has been published for this issue.

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • That was part of the issue that was frustrating. Even if an IPS policy wasn't applied to the firewall rule in question it would still interfere with traffic and the user would experience time-outs on business critical websites, etc. So basically it's buggy IPS in itself generating 250,000+ "reset outside window" events AND the bugged IPS is being applied when it shouldn't be.

     

    Support was able to change IPS to "alert" versus "drop" in the CLI and that got users going again but they've since escalated the case to the "global escalation specialists". Obviously we want IPS working as intended so it's only a workaround.

     

    Some other potential false positives with IPS we see with possible effects on legit traffic:
    "Data sent on stream after TCP Reset received" = 40,000+ times/day
    "TCP Timestamp is missing" = 10,000+ times/day
    "...Lets Encrypt SSL cert.." = 5000+ times/day

    We have about 250 users at this location.

    Will update as we find more.

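A triage script for the kind of volume the post above describes, added here as an example and not code from the thread or from Sophos: it groups IPS events by signature, measures what share of each signature's hits come from RFC 1918 sources, and lists signatures that fire often, mostly from internal hosts, and are in drop mode, which is the profile worth reviewing in detect mode before leaving it on drop. The key=value log layout, the field names (`log_type`, `message`, `src_ip`, `action`) and the sample lines are constructed assumptions for this example, not the firewall's real export format; adapt the regex and field names to whatever your IPS actually exports.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges; anything else is treated as external for this triage.
# (Deliberately not ipaddress.is_private, which also matches documentation nets.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export. The layout and field names are assumptions for this
# example, not the firewall's real log format. 203.0.113.x / 198.51.100.x are
# documentation addresses standing in for external hosts.
SAMPLE_LOG = """\
log_type="IDP" message="Reset outside window" src_ip=10.1.5.22 dst_ip=198.51.100.10 action="Drop"
log_type="IDP" message="Reset outside window" src_ip=10.1.5.22 dst_ip=198.51.100.11 action="Drop"
log_type="IDP" message="Reset outside window" src_ip=192.168.20.7 dst_ip=198.51.100.12 action="Drop"
log_type="IDP" message="Reset outside window" src_ip=10.1.8.140 dst_ip=198.51.100.10 action="Drop"
log_type="IDP" message="Reset outside window" src_ip=203.0.113.9 dst_ip=10.1.0.5 action="Drop"
log_type="IDP" message="TCP Timestamp is missing" src_ip=10.1.5.30 dst_ip=198.51.100.20 action="Detect"
log_type="IDP" message="TCP Timestamp is missing" src_ip=10.1.5.31 dst_ip=198.51.100.21 action="Detect"
log_type="IDP" message="Data sent on stream after TCP Reset received" src_ip=10.1.9.2 dst_ip=198.51.100.30 action="Drop"
log_type="FW" message="Firewall rule hit" src_ip=10.1.1.1 dst_ip=198.51.100.40 action="Allow"
"""

# key=value pairs, with values either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_internal(ip_str):
    """True if the address falls in an RFC 1918 range; unparsable input counts as external."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def summarize(log_text):
    """Per-signature counts: total events, events with an internal source, events dropped.
    Only IPS records (log_type IDP in this constructed format) are counted."""
    stats = defaultdict(lambda: {"total": 0, "internal": 0, "dropped": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("log_type") != "IDP":
            continue
        rec = stats[f.get("message", "<no message>")]
        rec["total"] += 1
        if is_internal(f.get("src_ip", "")):
            rec["internal"] += 1
        if f.get("action") == "Drop":
            rec["dropped"] += 1
    return dict(stats)


def suspect_false_positives(stats, min_count=3, internal_ratio=0.8):
    """Signatures that fire at least min_count times, with at least internal_ratio of
    hits sourced from internal hosts, and that are actually dropping traffic.
    Returns (message, total, internal share, dropped) tuples, busiest first."""
    out = []
    for msg, rec in stats.items():
        ratio = rec["internal"] / rec["total"]
        if rec["total"] >= min_count and ratio >= internal_ratio and rec["dropped"] > 0:
            out.append((msg, rec["total"], round(ratio, 2), rec["dropped"]))
    return sorted(out, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for row in suspect_false_positives(summarize(SAMPLE_LOG)):
        print(row)
```

On the constructed sample only "Reset outside window" meets the thresholds (5 hits, 4 of them from internal hosts, all dropped); the timestamp signature is already in detect mode and too rare, and the firewall record is ignored. Tune `min_count` and `internal_ratio` to your own daily volumes; the point is to rank which drop-mode signatures are dominated by internal sources so that a decision to move them to detect is backed by numbers rather than user complaints.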