
Reset outside window - false alarm?

I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.
Firmware is 17.1.3 MR3



  • That was part of the issue that was frustrating. Even if an IPS policy wasn't applied to the firewall rule in question it would still interfere with traffic and the user would experience time-outs on business critical websites, etc. So basically it's buggy IPS in itself generating 250,000+ "reset outside window" events AND the bugged IPS it's being applied when it shouldn't be.


    Support was able to change IPS to "alert" versus "drop" in the CLI and that got users going again but they've since escalated the case to the "global escalation specialists". Obviously we want IPS working as intended so it's only a workaround.


    Some other potential false positives with IPS we see with possible effects on legit traffic:
    "Data sent on stream after TCP Reset received" = 40,000+ times/day
    "TCP Timestamp is missing" = 10,000+ times/day
    "...Lets Encrypt SSL cert.." = 5000+ times/day

    We have about 250 users at this location.

    Will update as we find more.
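As an added example (not from this thread and not Sophos code), here is a small Python triage script that does what the posters above are doing by hand from the IPS log: it parses IPS events, groups them by message, works out how many come from internal (RFC 1918) sources versus external ones, counts how many were actually dropped, and flags the message types that are frequent, almost entirely internal and dropping traffic, which is the pattern that points to a noisy anomaly detection rather than an attack. The log line layout (src=, dst=, msg=, action=), the addresses and the sample events are constructed assumptions for illustration, not the real Sophos XG log format.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample IPS log lines. The field layout (src=, dst=, msg=, action=)
# and all addresses are assumptions for this example, not the real Sophos XG format.
SAMPLE_LOG = """\
2019-03-04 09:12:01 ips src=10.1.20.15 dst=198.51.100.20 msg="Reset outside window" action=drop
2019-03-04 09:12:03 ips src=10.1.20.88 dst=198.51.100.33 msg="Reset outside window" action=drop
2019-03-04 09:12:05 ips src=192.168.5.7 dst=198.51.100.7 msg="TCP Timestamp is missing" action=alert
2019-03-04 09:12:09 ips src=203.0.113.9 dst=10.1.20.15 msg="Reset outside window" action=drop
2019-03-04 09:12:11 ips src=10.1.20.15 dst=198.51.100.20 msg="Data sent on stream after TCP Reset received" action=drop
2019-03-04 09:12:15 ips src=10.1.20.15 dst=198.51.100.20 msg="Reset outside window" action=drop
"""

LINE_RE = re.compile(
    r'src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+msg="(?P<msg>[^"]*)"\s+action=(?P<action>\S+)'
)

# RFC 1918 ranges: "internal" in the sense the thread uses the word.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ips_log(text):
    """Return one dict (src, dst, msg, action) per matching line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_internal(addr):
    """True if addr is a valid IP address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def summarize(events):
    """Per message type: total events, share with an internal source, drops, top sources."""
    by_msg = defaultdict(list)
    for ev in events:
        by_msg[ev["msg"]].append(ev)
    summary = {}
    for msg, evs in by_msg.items():
        internal = sum(1 for e in evs if is_internal(e["src"]))
        summary[msg] = {
            "total": len(evs),
            "internal_share": internal / len(evs),
            "drops": sum(1 for e in evs if e["action"] == "drop"),
            "top_sources": Counter(e["src"] for e in evs).most_common(3),
        }
    return summary


def triage(summary, min_events=3, internal_threshold=0.75):
    """Message types that are frequent, mostly from internal hosts and actually dropping traffic.

    That combination is what a noisy anomaly detection hurting users looks like, so
    these are the candidates to review before relaxing a tcp_option setting or
    switching the policy action from drop to alert.
    """
    return sorted(
        msg for msg, s in summary.items()
        if s["total"] >= min_events
        and s["internal_share"] >= internal_threshold
        and s["drops"] > 0
    )


if __name__ == "__main__":
    report = summarize(parse_ips_log(SAMPLE_LOG))
    for msg, s in sorted(report.items(), key=lambda kv: -kv[1]["total"]):
        print(f'{s["total"]:>6}  {s["internal_share"]:5.0%} internal  {s["drops"]} dropped  {msg}')
    print("review first:", triage(report))
```

On a real export you would feed it a day's IPS log instead of SAMPLE_LOG; with thresholds tuned to your volumes (the thread reports 250,000+ events from a 250-user site), the internal share and drop count per message type tell you which detections are breaking legitimate sessions and which few external-source events deserve a closer look before anything is disabled.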

  • Hi,

    After upgrading the firmware to 17.1.3 MR-3, I got the same issue as above. IPS shows many records related to TCP connections. I scanned all the related devices for viruses but didn't find anything. The most affected OSes are iOS and macOS. I feel annoyed about this issue; how do I fix it?

    Best Regards,

  • Hi  

    Apologies for this inconvenience,

    FloSupport said:

    If you (or any other community users) are affected by this issue, please raise a support case and PM me with your case ID for further investigation.

    I am currently following up on this issue with our support team.

    Regards,


    Florentino
    Director, Global Community & Digital Support

    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • To update our community,

    This is being investigated under the issue ID: NC-39687

    We will be publishing more information shortly, please stay tuned.

    Regards,


    Florentino
    Director, Global Community & Digital Support

    Hello, after the update to 17.1.3 solved some of the IPS errors for me, I still have the message "Reset outside Window" in the log on some appliances.

    After a few tests of the configuration and comparison of the rules I noticed the point in the CLI.

    On the left side I do not receive the message in the IPS log. In the right today already 7k.

    The difference would be "Detect_Anomalies" and "TCP_Block".

    Is this just an information or a value that you can edit? And if so how? Would like to test it with a smaller appliance on which I also get this error.

    And just for information: The 2 appliances are completely the same configuration, both are each behind a SG with also identical configuration.

    Would be great if someone has an idea about it. Then I could test this.

    Thanks and best regards

    best regards,

    Pascal

    IT-SECURITY CONSULTANT 

    Certified Architect - XG | UTM | MOBILE 

  • Basically you can change those values. 

    Simply replace show with set and try to "doubletab" through the config. 


  • I thought so too.

    I tried it with "set ips_conf update key DETECT_ANOMALIES value no". The IPS then restarts and reports "successfully updated".
    Unfortunately, the value of "show" remains the same.

    It was just an idea, because on the one appliance that receives no IPS messages the value is different, and these values are not even present in version 17.0.6.

    Thanks in advance and best regards

    Pascal


  • You took the wrong path. Do not use update and ips_conf. Instead use ips.

    console> set ips tcp_option detect_anomalies disable


    Ahhh thanks :) I had tried it that way because it was not displayed to me as an option with tab.

    But that actually seems to cause it. After the change no "Reset outside window" messages in the IPS log.

    Now set up your own IPS rules for existing firewall rules and then that's ok.

    Thank you and best regards

    Pascal

  • solution in the KB article ;)

    community.sophos.com/.../133096

    best regards,

    Pascal