Unstable connectivity in SSL Network Extender / Endpoint in Visitor Mode (port 443)
Solution ID: sk121738
Product: SSL Network Extender
Version: R77.30, R80.10
Date Created: 29-Nov-2017
Last Modified: 26-May-2019
Symptoms
The initial connection to SNX works fine and traffic to authorized locations goes through as well.
However, every now and then TCP connections are interrupted when the SNX client runs on Windows 10 (version 1607) with the Anniversary Update, or higher.
The issue is most noticeable in Remote Desktop (RDP) sessions, which disconnect at random intervals and then reconnect by themselves after 10-30 seconds.
Kernel debug output shows:
DATE TIME;[cpu_1];[fw4_0];fwtls_rx_handler: cptls_rl_decrypt failed
OR DATE TIME;[cpu_0];[fw4_0];fwtls_rx_handler: Wrong version 0x936b;
Endpoint Security clients that work in Visitor Mode (TCP 443 instead of UDP 4500) may exhibit the same behavior.
Windows SNX debug output file slimscv.log shows:
[cpwssl] cpSSL_fwasync_write: 1387 bytes still pending in buffer (1358). Trying to send and signaline fwasync to retry
[cpwssl] cpSSL_fwasync_write: send returned -1: Operation would block
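To confirm that a reported RDP drop matches the symptom pattern above, it helps to correlate the gateway-side fwtls_rx_handler messages with the client-side cpSSL_fwasync_write messages rather than eyeballing both logs. The following script is an added example and is not Check Point code; the log lines embedded in it are constructed to match the formats quoted above, and the function names (scan_kernel_debug, scan_client_log, matches_symptom, is_tls_version) are this example's own. The is_tls_version helper encodes one extra check: a TLS record version is always 0x03xx, so a value such as 0x936b cannot be a real record version, which is consistent with the gateway losing record framing on a retransmitted segment.

```python
import re
from collections import Counter

# Constructed sample of kernel debug output in the format the article quotes
# (DATE TIME;[cpu_N];[fw4_N];handler: message). Timestamps are made up.
KERNEL_DEBUG = """\
29Nov2017 10:15:01;[cpu_1];[fw4_0];fwtls_rx_handler: cptls_rl_decrypt failed
29Nov2017 10:15:01;[cpu_0];[fw4_0];fwtls_rx_handler: Wrong version 0x936b;
29Nov2017 10:15:03;[cpu_2];[fw4_1];fwtls_rx_handler: Wrong version 0x1703;
29Nov2017 10:15:05;[cpu_1];[fw4_0];some_other_module: unrelated message
"""

# Constructed sample of the Windows SNX client log (slimscv.log).
SLIMSCV_LOG = """\
[cpwssl] cpSSL_fwasync_write: 1387 bytes still pending in buffer (1358). Trying to send and signaline fwasync to retry
[cpwssl] cpSSL_fwasync_write: send returned -1: Operation would block
[cpwssl] cpSSL_fwasync_write: 512 bytes written
"""

# One kernel debug line: timestamp ; [cpu_N] ; [fw4_N] ; fwtls_rx_handler: message
KERNEL_LINE = re.compile(
    r"^(?P<ts>[^;]+);\[(?P<cpu>cpu_\d+)\];\[(?P<inst>fw4_\d+)\];"
    r"fwtls_rx_handler: (?P<msg>.*)$"
)
WRONG_VERSION = re.compile(r"Wrong version (0x[0-9a-fA-F]+)")


def is_tls_version(hex_value):
    """True if the value looks like a TLS record version (major byte 0x03)."""
    return (int(hex_value, 16) >> 8) == 0x03


def scan_kernel_debug(text):
    """Classify fwtls_rx_handler messages.

    Returns (Counter of event types, list of reported 'Wrong version' values).
    """
    counts = Counter()
    versions = []
    for line in text.splitlines():
        m = KERNEL_LINE.match(line)
        if not m:
            continue  # not an fwtls_rx_handler line
        msg = m.group("msg")
        if "cptls_rl_decrypt failed" in msg:
            counts["decrypt_failed"] += 1
        v = WRONG_VERSION.search(msg)
        if v:
            counts["wrong_version"] += 1
            versions.append(v.group(1))
    return counts, versions


def scan_client_log(text):
    """Count cpSSL_fwasync_write 'pending' and 'would block' events in slimscv.log."""
    counts = Counter()
    for line in text.splitlines():
        if "cpSSL_fwasync_write" not in line:
            continue
        if "still pending in buffer" in line:
            counts["pending"] += 1
        if "Operation would block" in line:
            counts["would_block"] += 1
    return counts


def matches_symptom(kernel_counts, client_counts):
    """True when both the gateway and the client show the pattern described above."""
    gateway_side = (kernel_counts["decrypt_failed"] + kernel_counts["wrong_version"]) > 0
    client_side = client_counts["would_block"] > 0
    return gateway_side and client_side


if __name__ == "__main__":
    kc, versions = scan_kernel_debug(KERNEL_DEBUG)
    cc = scan_client_log(SLIMSCV_LOG)
    print("gateway events:", dict(kc))
    print("bogus record versions:", [v for v in versions if not is_tls_version(v)])
    print("client events:", dict(cc))
    print("matches sk121738 symptom pattern:", matches_symptom(kc, cc))
```

Run it against the real kernel debug capture and slimscv.log by replacing the two constructed strings with the file contents; a non-zero count of non-TLS "Wrong version" values alongside "Operation would block" on the client is the combination the Symptoms section describes.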
Cause
The Windows 10 Anniversary Update introduces a new TCP implementation.
The gateway mishandles some TCP retransmissions produced by the new implementation, so any packet loss can trigger the issue even though the client retransmits the lost segment.