johnbadtran
New Contributor II

adtran 1335 fw config help


Support,

I am trying to figure out why I am getting these messages:

rtr-oob-sfx1#
2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64984/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64984 from OOB policy-class on interface vlan 90" agent=AdFirewall

rtr-oob-sfx1#
2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64984/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64984 from OOB policy-class on interface vlan 90" agent=AdFirewall

There seems to be an issue with traffic going from OOB to BACKEND.

Attached is my config.

Thanks,

John.
9 Replies
evanh
Contributor III

Re: adtran 1335 fw config help


This is a common firewall message you will see from time to time, as our firewall will drop a packet it receives that has an ACK (acknowledgement) bit set when our firewall never saw the SYN packet that would have initiated this session.  Most of the time these are not things to worry about, as PCs and servers can sometimes send misconfigured packets.  However, I notice the time stamps on these are about the same.  If these are very frequently showing up, I would check the IP addresses.  If it's almost always the same source IP, it might be good to check out that device with Wireshark and see what type of traffic it is transmitting.  A lot of times, messages like that appearing very frequently (2 or more per second) could indicate a virus.

Let me know if you have more questions.
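The triage evanh describes above (group the drops by source IP, look at how many arrive per second) can be automated over the AdFirewall syslog lines the router prints. The script below is an added example written for this page, not code from the thread or from ADTRAN. The log lines in SAMPLE_LOG are constructed to match the format of the two real lines John posted (the first line is John's, the others are invented), the two-per-second threshold comes from evanh's reply, and the "reply half" heuristic is the editor's own observation about the logged packet: an ACK-only segment from port 443 toward a high port is the server side of a session, so the firewall is seeing the return traffic of a connection whose SYN it never inspected.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the AdFirewall line quoted in the thread. Line 1 is the
# real one from the post; the rest are invented to give the per-second count something to do.
SAMPLE_LOG = """\
2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64984/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64984 from OOB policy-class on interface vlan 90" agent=AdFirewall
2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64985/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64985 from OOB policy-class on interface vlan 90" agent=AdFirewall
2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64986/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64986 from OOB policy-class on interface vlan 90" agent=AdFirewall
2012.02.20 09:50:31 FIREWALL id=firewall time="2012-02-20 09:50:31" fw=rtr-oob-sfx1 pri=1 proto=51000/tcp src=10.10.202.40 dst=10.10.200.7 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 22 Dst 51000 from OOB policy-class on interface vlan 90" agent=AdFirewall
2012.02.20 12:03:40 FIREWALL id=firewall time="2012-02-20 12:03:40" fw=rtr-oob-sfx1 pri=1 proto=64376/tcp src=10.10.202.24 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64376 from OOB policy-class on interface vlan 90" agent=AdFirewall
"""

# Outer key=value fields, then the free-text msg="..." that carries ports, flags and zone.
LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)".*?\bsrc=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+msg="(?P<msg>[^"]*)"'
)
MSG_RE = re.compile(
    r'flags=0x(?P<flags>[0-9a-fA-F]+) Src (?P<sport>\d+) Dst (?P<dport>\d+) '
    r'from (?P<policy>\S+) policy-class on interface (?P<iface>.+)$'
)
# Standard TCP flag bits; 0x10 in the log is ACK alone.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_flags(value):
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def parse_drops(text):
    """Return one dict per 'expected SYN, got ACK' drop; other lines are ignored."""
    events = []
    for line in text.splitlines():
        if "expected SYN, got ACK" not in line:
            continue
        m = LINE_RE.search(line)
        mm = MSG_RE.search(m.group("msg")) if m else None
        if not mm:
            continue
        events.append({
            "time": datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S"),
            "src": m.group("src"), "dst": m.group("dst"),
            "sport": int(mm.group("sport")), "dport": int(mm.group("dport")),
            "flags": decode_flags(int(mm.group("flags"), 16)),
            "policy": mm.group("policy"), "iface": mm.group("iface"),
        })
    return events


def counts_by_source(events):
    return Counter(e["src"] for e in events)


def peak_rate_per_source(events):
    """Highest number of drops logged from each source within a single second."""
    per_second = defaultdict(Counter)  # src -> Counter(second -> drops)
    for e in events:
        per_second[e["src"]][e["time"]] += 1
    return {src: max(c.values()) for src, c in per_second.items()}


def flag_sources(events, per_second_threshold=2):
    """Sources that hit evanh's '2 or more per second' rule; these are the ones to sniff with Wireshark."""
    return sorted(src for src, peak in peak_rate_per_source(events).items() if peak >= per_second_threshold)


def looks_like_reply_half(event):
    """Editor's heuristic: ACK-only from a service port to an ephemeral port is the server side
    of a session, i.e. the firewall never saw the client's SYN (asymmetric path, or the session
    predates the firewall), rather than a host spraying bogus packets."""
    return event["sport"] < 1024 and event["dport"] >= 1024 and event["flags"] == ["ACK"]


if __name__ == "__main__":
    evs = parse_drops(SAMPLE_LOG)
    print("drops by source:", dict(counts_by_source(evs)))
    print("peak per second:", peak_rate_per_source(evs))
    print("investigate:", flag_sources(evs))
    print("reply-half drops:", sum(looks_like_reply_half(e) for e in evs), "of", len(evs))
```

Feed it `show event-history` or the syslog export instead of SAMPLE_LOG; if most drops are flagged as the reply half of a session, the fix is on the routing or policy side rather than on the host that evanh suggests inspecting.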

johnbadtran
New Contributor II

Re: adtran 1335 fw config help


So there is nothing in the router config I sent you that would prevent a server in the 10.10.202.x (OOB policy) network from SSHing to a host on the 10.10.200.x (BACKEND policy) network?

-John.

johnbadtran
New Contributor II

Re: adtran 1335 fw config help


Again, here are the policy statements:

ip policy-class BACKEND

  allow list self self

  allow list any-any

!

ip policy-class OOB

  allow list self self

  nat source list any-any interface vlan 9 overload policy Public

  allow list any-any

evanh
Contributor III

Re: adtran 1335 fw config help (Accepted Solution)


No, there is not.  However, I would change that any-any list by adding these statements onto the end of it:

ip policy-class OOB
  allow list any-any policy BACKEND stateless

ip policy-class BACKEND
  allow list any-any policy OOB stateless

This allows stateless processing which will keep the firewall from dropping those packets since we assume they are trusted.  Also, currently you are allowing everything through no matter where it is destined. This allows it through only if it is destined for your other policy class.

In the GUI, you would just go to "security zones" and go inside that rule for each security zone and then:

change the destination policy class to "OOB" for backend and "BACKEND" for OOB

and also click "stateless processing"

Thanks.

evanh
Contributor III

Re: adtran 1335 fw config help


John, you want it to look like this:

ip policy-class BACKEND
  allow list self self
  allow list any-any policy OOB stateless
!
ip policy-class OOB
  allow list self self
  allow list any-any policy BACKEND stateless
  nat source list any-any interface vlan 9 overload policy Public
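To see why the original policy-classes drop the logged packet and the version above does not, here is a small model of the policy-class evaluation that evanh's two replies describe (entries checked in order; `policy X` scopes an entry to traffic bound for policy-class X; `stateless` skips the session check). It is an added example written for this page, not ADTRAN's code or documentation: it parses only the `allow list` and `nat source list` forms that appear in the thread, treats every ACL as matching everything except the `self` entries, which only apply to traffic addressed to the router, and does not model NAT beyond reporting that the entry matched. The before/after configs are copied from the thread; the packet is the one from John's log (10.10.202.26 port 443 to 10.10.200.192 port 64984, flags 0x10).

```python
from dataclasses import dataclass
from typing import Optional

# Policy-class stanzas exactly as posted in the thread: John's original and evanh's correction.
BEFORE_CFG = """
ip policy-class BACKEND
  allow list self self
  allow list any-any
!
ip policy-class OOB
  allow list self self
  nat source list any-any interface vlan 9 overload policy Public
  allow list any-any
"""
AFTER_CFG = """
ip policy-class BACKEND
  allow list self self
  allow list any-any policy OOB stateless
!
ip policy-class OOB
  allow list self self
  allow list any-any policy BACKEND stateless
  nat source list any-any interface vlan 9 overload policy Public
"""

SYN, ACK = 0x02, 0x10
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class Entry:
    action: str                  # "allow" or "nat"
    acl: str                     # access-list name; contents are not modelled here
    dest_policy: Optional[str]   # policy-class this entry is scoped to; None = any destination
    stateless: bool


@dataclass(frozen=True)
class Packet:
    src_policy: str   # policy-class of the ingress interface
    dst_policy: str   # policy-class the packet is routed toward
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def parse_policy_classes(cfg):
    """Parse 'ip policy-class' stanzas (only the allow/nat forms used in the thread)."""
    policies, current = {}, None
    for raw in cfg.splitlines():
        toks = raw.split()
        if toks[:2] == ["ip", "policy-class"]:
            current = toks[2]
            policies[current] = []
        elif current and toks[:2] == ["allow", "list"]:
            dest = "self" if toks[3:4] == ["self"] else None   # 'allow list self self'
            if "policy" in toks:
                dest = toks[toks.index("policy") + 1]
            policies[current].append(Entry("allow", toks[2], dest, "stateless" in toks))
        elif current and toks[:3] == ["nat", "source", "list"]:
            dest = toks[toks.index("policy") + 1] if "policy" in toks else None
            policies[current].append(Entry("nat", toks[3], dest, False))
    return policies


class Firewall:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()   # sessions opened by a SYN the firewall actually saw

    @staticmethod
    def session_key(p):
        # Direction-agnostic, so the reply half of a flow matches the SYN that opened it.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p):
        for e in self.policies.get(p.src_policy, []):
            if e.dest_policy is not None and e.dest_policy != p.dst_policy:
                continue                       # scoped to another policy-class (or to the router itself)
            if e.action == "nat":
                return ("nat", "matched NAT entry (translation not modelled)")
            if e.stateless:
                return ("allow", "stateless")  # no session lookup, no flag validation
            key = self.session_key(p)
            if key in self.sessions:
                return ("allow", "established")
            if p.flags & SYN and not p.flags & ACK:
                self.sessions.add(key)
                return ("allow", "new session")
            got = "+".join(n for b, n in FLAG_NAMES if p.flags & b) or "none"
            return ("drop", f"expected SYN, got {got}")   # the message from John's log
        return ("drop", "no matching entry")


# The packet from the logged drop: server side of an HTTPS flow, ACK only, entering from OOB.
LOGGED = Packet("OOB", "BACKEND", "10.10.202.26", 443, "10.10.200.192", 64984, ACK)


def run_scenarios():
    before = Firewall(parse_policy_classes(BEFORE_CFG))
    after = Firewall(parse_policy_classes(AFTER_CFG))
    results = {"before: logged ACK": before.process(LOGGED), "after: logged ACK": after.process(LOGGED)}
    # Same flow under the original config, but with the client's SYN seen first.
    fresh = Firewall(parse_policy_classes(BEFORE_CFG))
    syn = Packet("BACKEND", "OOB", "10.10.200.192", 64984, "10.10.202.26", 443, SYN)
    results["before: SYN then reply ACK"] = (fresh.process(syn), fresh.process(LOGGED))
    # evanh's change also narrows the allow to the other zone: BACKEND no longer reaches Public.
    results["after: BACKEND to Public"] = after.process(Packet("BACKEND", "Public", "10.10.200.5", 40000, "198.51.100.9", 80, SYN))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} -> {verdict}")
```

The "SYN then reply ACK" scenario is the point a practitioner should weigh before copying the fix: the original config already permits the flow whenever the firewall sees the client's SYN, so a steady stream of these drops means the SYN is taking a path the router never inspects (or the sessions predate it). `stateless` makes the symptom go away by turning off TCP state validation between the two zones, which is acceptable only because, as evanh says, both zones are trusted; it does not explain why the SYN was missing.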

johnbadtran
New Contributor II

Re: adtran 1335 fw config help


OK thanks - i made these changes. The following messages have stopped displaying on the console:

2012.02.20 12:03:40 FIREWALL id=firewall time="2012-02-20 12:03:40" fw=rtr-oob-sfx1 pri=1 proto=64376/tcp src=10.10.202.24 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64376 from OOB policy-class on interface vlan 90" agent=AdFirewall

I assume adding the stateless option is the reason why?

-John.

evanh
Contributor III

Re: adtran 1335 fw config help


Exactly, John.  The stateless option allows our firewall to process the traffic without looking for things like the ACK bits being set, so it will no longer drop that traffic.

Anonymous
Not applicable

Re: adtran 1335 fw config help


I went ahead and marked this post as "assumed answered".  Feel free to mark any correct or helpful answers from this post.  If you still need assistance with this issue I would be more than happy to help, just let me know in a reply.

Levi

Anonymous
Not applicable

Re: adtran 1335 fw config help


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Levi