9 Replies Latest reply on Feb 15, 2013 11:17 AM by levi

    adtran 1335 fw config help

    johnbadtran New Member

      Support,

       

      I am trying to figure out why I am getting these messages:

       

      rtr-oob-sfx1#
      2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64984/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64984 from OOB policy-class on interface vlan 90" agent=AdFirewall


       

      There seems to be an issue with traffic going from OOB to BACKEND.

       

      Attached is my config.

       

      Thanks,

      -John.
        • Re: adtran 1335 fw config help
          evanh Employee

          This is a common firewall message you will see from time to time, as our firewall will drop a packet it receives that has an ACK (acknowledgement) bit set when our firewall never saw the SYN packet that would have initiated this session. Most of the time these are not things to worry about, as PCs and servers can sometimes send misconfigured packets. However, I notice the time stamps on these are about the same. If these are very frequently showing up, I would check the IP addresses. If it's almost always the same source IP, it might be good to check out that device with Wireshark and see what type of traffic it is transmitting. A lot of times, messages like that very frequently (2 or more per second) could indicate a virus.

           

          Let me know if you have more questions.
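The check suggested above (group the "expected SYN, got ACK" drops by source IP and look for sources logging two or more per second) is easy to automate. The following is an added example, not code from ADTRAN or from this thread: it parses the AdFirewall syslog format shown in the post and aggregates the drops. The sample lines are constructed from the one posted above (the extra source ports and the unrelated last line are invented for the demonstration).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the AdFirewall syslog format shown in the thread.
# Three drops from 10.10.202.26 land in the same second; the 10.10.202.24 drop
# is isolated; the last line is unrelated noise the parser must skip.
SAMPLE_LINES = [
    '2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64984/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64984 from OOB policy-class on interface vlan 90" agent=AdFirewall',
    '2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64985/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64985 from OOB policy-class on interface vlan 90" agent=AdFirewall',
    '2012.02.20 09:50:24 FIREWALL id=firewall time="2012-02-20 09:50:24" fw=rtr-oob-sfx1 pri=1 proto=64986/tcp src=10.10.202.26 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64986 from OOB policy-class on interface vlan 90" agent=AdFirewall',
    '2012.02.20 12:03:40 FIREWALL id=firewall time="2012-02-20 12:03:40" fw=rtr-oob-sfx1 pri=1 proto=64376/tcp src=10.10.202.24 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64376 from OOB policy-class on interface vlan 90" agent=AdFirewall',
    '2012.02.20 12:03:41 SYSTEM id=system msg="unrelated line, not a firewall drop"',
]

# key=value fields of the syslog record; the msg text is captured whole.
FIELDS_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+fw=(?P<fw>\S+)\s+pri=(?P<pri>\d+)\s+'
    r'proto=(?P<proto>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+'
    r'msg="(?P<msg>[^"]*)"\s+agent=(?P<agent>\S+)'
)
# Port, flag and policy-class detail lives inside msg; pulled out separately.
DETAIL_RE = re.compile(
    r'flags=(?P<flags>0x[0-9A-Fa-f]+)\s+Src\s+(?P<sport>\d+)\s+Dst\s+(?P<dport>\d+)'
    r'\s+from\s+(?P<policy_class>\S+)\s+policy-class\s+on\s+interface\s+(?P<iface>.+)$'
)
ACK_WITHOUT_SYN = "expected SYN, got ACK"


def parse_line(line):
    """Return a dict of fields for an AdFirewall line, or None if it is not one."""
    m = FIELDS_RE.search(line)
    if not m or m.group("agent") != "AdFirewall":
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["ack_without_syn"] = ACK_WITHOUT_SYN in rec["msg"]
    d = DETAIL_RE.search(rec["msg"])
    if d:
        rec.update(d.groupdict())
        rec["flags"] = int(rec["flags"], 16)
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines, per_second_threshold=2):
    """Aggregate ACK-without-SYN drops by source, by src->dst pair, and by the
    peak number of drops any one source produced within a single second."""
    by_src = Counter()
    by_pair = Counter()
    per_second = defaultdict(Counter)  # src -> {timestamp: count}
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["ack_without_syn"]:
            continue
        by_src[rec["src"]] += 1
        by_pair[(rec["src"], rec["dst"])] += 1
        per_second[rec["src"]][rec["time"]] += 1
    # Sources that hit the threshold are the ones worth a Wireshark capture.
    noisy = sorted(src for src, buckets in per_second.items()
                   if max(buckets.values()) >= per_second_threshold)
    return {"by_src": by_src, "by_pair": by_pair, "noisy_sources": noisy}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for src, n in s["by_src"].most_common():
        print(f"{src}: {n} ACK-without-SYN drops")
    print("sources at/above threshold:", s["noisy_sources"])
```

Feed it the router's syslog export instead of SAMPLE_LINES; a source that appears in `noisy_sources` with many distinct destination ports is the case the reply describes, while a single pair repeating at a steady low rate looks more like one return path the firewall never sees the SYN on.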

            • Re: adtran 1335 fw config help
              johnbadtran New Member

              So there is nothing in the router config I sent you that would prevent a server in the 10.10.202.x (OOB policy) network from SSHing to a host on the 10.10.200.x (BACKEND policy) network?

               

              -John.

                • Re: adtran 1335 fw config help
                  johnbadtran New Member

                  Again, here are the policy stmts:

                   

                  ip policy-class BACKEND
                    allow list self self
                    allow list any-any
                  !
                  ip policy-class OOB
                    allow list self self
                    nat source list any-any interface vlan 9 overload policy Public
                    allow list any-any

                    • Re: adtran 1335 fw config help
                      evanh Employee

                      John, you want it to look like this:

                       

                      ip policy-class BACKEND
                        allow list self self
                        allow list any-any policy OOB stateless
                      !
                      ip policy-class OOB
                        allow list self self
                        allow list any-any policy BACKEND stateless
                        nat source list any-any interface vlan 9 overload policy Public

                       

                    • Re: adtran 1335 fw config help
                      evanh Employee

                      No, there is not.  However, I would change that any-any list by adding these statements onto the end of it:

                       

                      ip policy-class OOB
                        allow list any-any policy BACKEND stateless

                      ip policy-class BACKEND
                        allow list any-any policy OOB stateless

                       

                      This allows stateless processing which will keep the firewall from dropping those packets since we assume they are trusted.  Also, currently you are allowing everything through no matter where it is destined. This allows it through only if it is destined for your other policy class.

                       

                      In the GUI, you would just go to "security zones" and go inside that rule for each security zone and then:

                       

                      change the destination policy class to "OOB" for backend and "BACKEND" for OOB

                      and also click "stateless processing"

                       

                      Thanks.
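Why the `stateless` keyword makes the message go away, and what the `policy BACKEND` / `policy OOB` qualifier restricts, can be seen in a small model of the two rule forms. This is an added example, a toy written for this page and not AOS code or anything from the thread: a stateful rule only passes an ACK if it belongs to a session it saw opened with a SYN, while a stateless rule skips the session table entirely. The addresses and the "reply-only" scenario (the firewall sees the server's ACK from 10.10.202.26:443 but never saw the client's SYN) are constructed to match the logged packet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    ingress_pc: str  # policy class of the interface the packet arrived on


# Constructed address plan from the thread: 10.10.202.x is OOB, 10.10.200.x is BACKEND.
PC_OF_PREFIX = {"10.10.202.": "OOB", "10.10.200.": "BACKEND"}


def policy_class_of(ip: str) -> Optional[str]:
    for prefix, pc in PC_OF_PREFIX.items():
        if ip.startswith(prefix):
            return pc
    return None


class PolicyClassFirewall:
    """Toy model (not AOS itself) of 'allow list any-any [policy X] [stateless]'.

    rules maps an ingress policy class to {"dest": X or None, "stateless": bool}.
    dest=None mirrors the original 'allow list any-any' with no policy qualifier.
    """

    def __init__(self, rules: Dict[str, dict]):
        self.rules = rules
        self.sessions: Set[Tuple[str, int, str, int]] = set()
        self.log: List[str] = []

    def process(self, p: Packet) -> str:
        rule = self.rules.get(p.ingress_pc)
        if rule is None:
            return "drop"
        if rule["dest"] is not None and rule["dest"] != policy_class_of(p.dst):
            return "drop"  # allowed only toward the named policy class
        if rule["stateless"]:
            return "allow"  # session table is not consulted at all
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags & SYN and not p.flags & ACK:
            self.sessions.add(fwd)  # a SYN opens a tracked session
            return "allow"
        if fwd in self.sessions or rev in self.sessions:
            return "allow"  # belongs to a session we saw open
        self.log.append(
            "TCP connection request received is invalid (expected SYN, got ACK), "
            f"dropping packet; flags={p.flags:#x} Src {p.sport} Dst {p.dport} "
            f"from {p.ingress_pc} policy-class"
        )
        return "drop"


def make_firewall(stateless: bool) -> PolicyClassFirewall:
    """The two policy classes from the thread, each allowing traffic only toward the other."""
    return PolicyClassFirewall({
        "OOB":     {"dest": "BACKEND", "stateless": stateless},
        "BACKEND": {"dest": "OOB",     "stateless": stateless},
    })


# Constructed: the firewall only sees the server's ACK back to the client's
# ephemeral port; the client's SYN reached the server by a path that bypassed it.
REPLY_ONLY = [Packet("10.10.202.26", 443, "10.10.200.192", 64984, ACK, "OOB")]

# Constructed: same pair, but the firewall sees the SYN first, then the ACK reply.
FULL_HANDSHAKE = [
    Packet("10.10.200.192", 64984, "10.10.202.26", 443, SYN, "BACKEND"),
    Packet("10.10.202.26", 443, "10.10.200.192", 64984, ACK, "OOB"),
]


def run(packets: List[Packet], stateless: bool) -> Tuple[List[str], List[str]]:
    """Return (per-packet verdicts, firewall log lines) for one rule style."""
    fw = make_firewall(stateless)
    return [fw.process(p) for p in packets], fw.log


if __name__ == "__main__":
    for name, pkts in (("reply only", REPLY_ONLY), ("full handshake", FULL_HANDSHAKE)):
        for stateless in (False, True):
            verdicts, log = run(pkts, stateless)
            print(f"{name:14} stateless={stateless!s:5} -> {verdicts} {log}")
```

The model also shows the trade-off in the reply: with `stateless` the firewall no longer rejects half-seen connections between OOB and BACKEND, but it also no longer enforces TCP state on that path, so the `policy` qualifier is what keeps the rule from becoming an unrestricted allow to every other zone.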

                        • Re: adtran 1335 fw config help
                          johnbadtran New Member

                          OK, thanks - I made these changes. The following messages have stopped displaying on the console:

                           

                          2012.02.20 12:03:40 FIREWALL id=firewall time="2012-02-20 12:03:40" fw=rtr-oob-sfx1 pri=1 proto=64376/tcp src=10.10.202.24 dst=10.10.200.192 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x10 Src 443 Dst 64376 from OOB policy-class on interface vlan 90" agent=AdFirewall

                           

                          I assume adding the stateless option is the reason why?

                           

                          -John.

                    • Re: adtran 1335 fw config help
                      levi Employee

                      johnbadtran:

                       

                      I went ahead and marked this post as "assumed answered".  Feel free to mark any correct or helpful answers from this post.  If you still need assistance with this issue I would be more than happy to help, just let me know in a reply.

                       

                      Levi

                      • Re: adtran 1335 fw config help
                        levi Employee

                        johnbadtran:

                         

                        I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                         

                        Thanks,

                         

                        Levi