asteriskuser
New Contributor

Can someone please define the following


  We recently configured our Netvanta 3200 as follows:

  1. Removed IPUnnumbered
  2. Turned on the firewall
  3. Enabled DHCP and defined pools and ranges

        

Since then, we’ve noticed three reoccurring log entries which we were hoping you could help us understand.  The one that has us most puzzled is the “Connection timed out” entry, which seems to occur about every 15 minutes, but not exactly.  The other two happen less frequently.  We’d like to know what they mean and what is causing them:

2012.02.24 10:38:17 FIREWALL id=firewall time="2012-02-24 10:38:17" fw=Adtran3200 pri=6 rule=1 proto=42834/icmp src=xx.xxx.136.125 dst=xxx.xxx.134.158 msg="Service access request successful  ICMP Type: 8 Code: 0 from default policy-class on interface fr 1.500" agent=AdFirewall

2012.02.24 11:40:49 FIREWALL id=firewall time="2012-02-24 11:40:49" fw=Adtran3200 pri=6 rule=1 proto=15714/icmp src=xx.xxx.136.125 dst=xxx.xxx.134.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall

2012.02.24 11:02:25 FIREWALL id=firewall time="2012-02-24 11:02:25" fw=Adtran3200 pri=6 rule=1  proto=https src=xxx.xxx.113.83 dst=xxx.xxx.134.158 msg="Connection closed.Bytes transferred : 3326 Src 51522 Dst 443 from default policy-class on interface fr 1.500" agent=AdFirewall

   

Your help is greatly appreciated!


Accepted Solutions
evanh
Contributor III

Re: Can someone please define the following


Asteriskuser,

Firewall messages are displayed any time an Adtran router drops a packet or a special firewall event occurs.  These will pop up in any situations as there are common mis-configurations on user units that can cause malformed packets that our firewall will get rid of.  It will obviously also drop packets it feels are malicious.

The first message is an ICMP message of type 8 which is an echo reply.  The firewall is simply stating here that it received an echo reply from something that it didn't see an echo request from.  This is a common message.

The second is a "connection timeout message" which will happen when a session is dropped for some reason or becomes idle for too long.  This, since it shows protocol ICMP, could have been a ping that was sent out opening a session, the response never came, and so the firewall shut down the session so that an illegitimate packet could not be matched to it.

The third message is a "connection closed" message.  This will happen when the firewall closes a session on its own.  It can do this for many reasons, being it feels that the session is done, neither side is responding anymore, or something in the session like source and destination IPs don't match.

These are all common messages and I would not be concerned with them unless you are actually having network problems, or the same IPs frequently show up in messages.  If they do, you may want to check those devices for possible security breaches.

Thanks,

Evan

Adtran TSE
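
The advice above to watch for the same IPs showing up repeatedly can be checked mechanically. The following is an added example, not part of the thread and not Adtran tooling: it parses the key=value log format quoted in the question and reports source addresses that recur. The sample lines, event labels, function names and threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the question. Addresses are
# RFC 5737 documentation ranges, not values from the thread.
SAMPLE_LOG = '''\
2012.02.24 10:38:17 FIREWALL id=firewall time="2012-02-24 10:38:17" fw=Adtran3200 pri=6 rule=1 proto=42834/icmp src=192.0.2.125 dst=198.51.100.158 msg="Service access request successful  ICMP Type: 8 Code: 0 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 10:53:21 FIREWALL id=firewall time="2012-02-24 10:53:21" fw=Adtran3200 pri=6 rule=1 proto=15714/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:02:25 FIREWALL id=firewall time="2012-02-24 11:02:25" fw=Adtran3200 pri=6 rule=1  proto=https src=203.0.113.83 dst=198.51.100.158 msg="Connection closed.Bytes transferred : 3326 Src 51522 Dst 443 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:08:30 FIREWALL id=firewall time="2012-02-24 11:08:30" fw=Adtran3200 pri=6 rule=1 proto=15715/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
ICMP_RE = re.compile(r'ICMP Type: (\d+) Code: (\d+)')
BYTES_RE = re.compile(r'Bytes transferred : (\d+)')
ICMP_TYPES = {0: "echo reply", 8: "echo request"}  # type numbers per RFC 792
# Message prefixes seen in the thread, mapped to this example's own labels.
EVENTS = (("Service access request successful", "access_allowed"),
          ("Connection timed out", "timeout"),
          ("Connection closed", "closed"))

def parse_line(line):
    """Return a dict of fields for one firewall log line, or None if it is not one."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("id") != "firewall":
        return None
    msg = fields.get("msg", "")
    fields["event"] = next((name for prefix, name in EVENTS if msg.startswith(prefix)), "other")
    icmp = ICMP_RE.search(msg)
    if icmp:
        fields["icmp"] = ICMP_TYPES.get(int(icmp.group(1)), "type " + icmp.group(1))
    sent = BYTES_RE.search(msg)
    if sent:
        fields["bytes"] = int(sent.group(1))
    return fields

def repeat_sources(log_text, threshold=3):
    """Map each source address seen at least `threshold` times to its per-event counts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and "src" in e]
    totals = Counter(e["src"] for e in events)
    return {src: dict(Counter(e["event"] for e in events if e["src"] == src))
            for src, n in totals.items() if n >= threshold}

if __name__ == "__main__":
    for src, by_event in repeat_sources(SAMPLE_LOG).items():
        print(src, by_event)
```
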

Anonymous
Not applicable

Re: Can someone please define the following


I went ahead and marked this post as "assumed answered".  Feel free to mark any correct or helpful answers from this post.  If you still need assistance with this issue I would be more than happy to help, just let me know in a reply.

Levi

Anonymous
Not applicable

Re: Can someone please define the following


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor