3 Replies Latest reply on Feb 18, 2013 1:06 PM by noor

    Can someone please define the following

    asteriskuser New Member

        We recently configured our Netvanta 3200 as follows:

      1. Removed IPUnnumbered
      2. Turned on the firewall
      3. Enabled DHCP and defined pools and ranges

              

      Since then, we’ve noticed three reoccurring log entries which we were hoping you could help us understand.  The one that has us most puzzled is the “Connection timed out” entry, which seems to occur about every 15 minutes, but not exactly.  The other two happen less frequently.  We’d like to know what they mean and what is causing them:

       

      2012.02.24 10:38:17 FIREWALL id=firewall time="2012-02-24 10:38:17" fw=Adtran3200 pri=6 rule=1 proto=42834/icmp src=xx.xxx.136.125 dst=xxx.xxx.134.158 msg="Service access request successful  ICMP Type: 8 Code: 0 from default policy-class on interface fr 1.500" agent=AdFirewall

       

       

      2012.02.24 11:40:49 FIREWALL id=firewall time="2012-02-24 11:40:49" fw=Adtran3200 pri=6 rule=1 proto=15714/icmp src=xx.xxx.136.125 dst=xxx.xxx.134.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall

       

       

      2012.02.24 11:02:25 FIREWALL id=firewall time="2012-02-24 11:02:25" fw=Adtran3200 pri=6 rule=1  proto=https src=xxx.xxx.113.83 dst=xxx.xxx.134.158 msg="Connection closed.Bytes transferred : 3326 Src 51522 Dst 443 from default policy-class on interface fr 1.500" agent=AdFirewall

         

       

      Your help is greatly appreciated!

        • Re: Can someone please define the following
          evanh Employee

          Asteriskuser,

           

          Firewall messages are displayed any time an Adtran router drops a packet or a special firewall event occurs.  These will pop up in any situation, as there are common mis-configurations on user units that can cause malformed packets that our firewall will get rid of.  It will obviously also drop packets it feels are malicious.

           

          The first message is an ICMP message of type 8 which is an echo reply.  The firewall is simply stating here that it received an echo reply from something that it didn't see an echo request from.  This is a common message.

           

          The second is a "connection timeout message" which will happen when a session is dropped for some reason or becomes idle for too long.  This, since it shows protocol ICMP, could have been a ping that was sent out opening a session, the response never came, and so the firewall shut down the session so that an illegitimate packet could not be matched to it.

           

          The third message is a "connection closed" message.  This will happen when the firewall closes a session on its own.  It can do this for many reasons, being it feels that the session is done, neither side is responding anymore, or something in the session like source and destination IPs don't match.

           

          These are all common messages and I would not be concerned with them unless you are actually having network problems, or the same IPs frequently show up in messages.  If they do, you may want to check those devices for possible security breaches.

           

          Thanks,

          Evan

          Adtran TSE
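
The check suggested in the answer above (do the same IPs keep showing up?) and the roughly 15-minute timeout spacing from the question can both be measured from the log itself. The following Python is an added example, not part of the original thread or any Adtran tooling; the names `parse_line`, `summarize` and `repeat_threshold` are assumptions, and the sample lines are constructed in the format quoted in the question.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# key=value pairs; a value is either a "quoted string" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
EVENT_RE = re.compile(r"Service access request successful|Connection timed out|Connection closed")
BYTES_RE = re.compile(r"Bytes transferred : (\d+)")

# Constructed sample in the format quoted in the question. Addresses are
# RFC 5737 documentation ranges, not values from the thread.
SAMPLE_LOG = '''\
2012.02.24 10:38:17 FIREWALL id=firewall time="2012-02-24 10:38:17" fw=Adtran3200 pri=6 rule=1 proto=42834/icmp src=192.0.2.125 dst=198.51.100.158 msg="Service access request successful  ICMP Type: 8 Code: 0 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 10:55:02 FIREWALL id=firewall time="2012-02-24 10:55:02" fw=Adtran3200 pri=6 rule=1 proto=15714/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:02:25 FIREWALL id=firewall time="2012-02-24 11:02:25" fw=Adtran3200 pri=6 rule=1  proto=https src=203.0.113.83 dst=198.51.100.158 msg="Connection closed.Bytes transferred : 3326 Src 51522 Dst 443 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:10:40 FIREWALL id=firewall time="2012-02-24 11:10:40" fw=Adtran3200 pri=6 rule=1 proto=15715/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:25:49 FIREWALL id=firewall time="2012-02-24 11:25:49" fw=Adtran3200 pri=6 rule=1 proto=15716/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
'''

def parse_line(line):
    """Return one firewall event as a dict, or None for non-firewall lines."""
    fields = {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}
    if fields.get("id") != "firewall" or "time" not in fields:
        return None
    msg = fields.get("msg", "")
    event, size = EVENT_RE.match(msg), BYTES_RE.search(msg)
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "src": fields.get("src"),
        "proto": fields.get("proto", "").split("/")[-1],  # "42834/icmp" -> "icmp"
        "event": event.group(0) if event else "other",
        "bytes": int(size.group(1)) if size else None,
    }

def summarize(text, repeat_threshold=3):
    """Count events per source and measure minutes between timeouts per source."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    per_src = Counter(e["src"] for e in events)
    timeouts = defaultdict(list)
    for e in events:
        if e["event"] == "Connection timed out":
            timeouts[e["src"]].append(e["time"])
    gaps = {}
    for src, times in timeouts.items():
        times.sort()
        gaps[src] = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
    repeat = sorted(s for s, n in per_src.items() if n >= repeat_threshold)
    return {"per_src": per_src, "timeout_gaps_min": gaps, "repeat_sources": repeat}
```

A source that lands in `repeat_sources` with evenly spaced `timeout_gaps_min` values points to a periodic prober such as a monitoring ping; irregular gaps from many sources are more consistent with background noise.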

          • Re: Can someone please define the following
            levi Employee

            asteriskuser:

             

            I went ahead and marked this post as "assumed answered".  Feel free to mark any correct or helpful answers from this post.  If you still need assistance with this issue I would be more than happy to help, just let me know in a reply.

             

            Levi

              • Re: Can someone please define the following
                Employee

                I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                 

                Thanks,

                Noor