This discussion has been locked.

Invalid TCP RST

Hi there!

Okay, usually I can work through any errors I find, but this one's got me completely stumped. I've read through the forums, but can't find any solutions to my issue.

Quick setup explanation:

XG Firmware = SFOS 17.0.5 MR-5
LAN Subnet = 10.10.10.0/24
WAN IP Address = 192.168.200.200/24
WAN Gateway = 192.168.200.254

The internet works fine (for the most part), but in the firewall logs, I see these:

As you can see, it's being Denied by Firewall Rule #2, which makes absolutely no sense to me as this is Rule #2:

The Staff LAN network definition is 10.10.10.0/24
The AFT Microwave is their primary connection, and the 4G Dongle is a fail-over (currently not active)
The AFT hardware is forwarding all ports through to the XG to allow us to manage port forwarding, etc (or so we were told)

I have two questions:

1. Why am I getting these errors?

2. Why is this rule even denying this traffic? There's nothing in the rule that should be applying to traffic trying to go from the XG's WAN interface (192.168.200.200/24) to an external IP address.

Thanks in advance!



  • Hi,

    we tried to summarize some information in a KBA: https://community.sophos.com/kb/en-us/131754

    Cheers

  • What would be the implication of just turning the logging for this off like it was pre-v16?  

  • Hi Bill,

    the trouble is once the cat is out of the bag it is hard to put back. I see my MacBook Pro is trying and failing to talk to a Microsoft site and I do not understand why?

    I do not have any MS products active on my MBP, the only application is MS RDP, so why so many failed connections? I did turn the feature off, but that still did not help with the issue raised as per the log entries.

    Ian

  • Hi,

    In my point of view: the clients already "talked" to the server.

    The KBA is to explain why these drops happen. But the communication already happened.

    As mentioned in the KBA, you are able to deactivate the Invalid Traffic drops.

    Ian, I would recommend you to check your reports regarding the IP from Microsoft. There should be a couple of KB/MB/GB transferred to this server.

    Cheers

  • Hi,

    as far as I can tell, and I have explored the reports extensively, there is no way to tie a user to a download or download site. The reports show total download for that site/URL and total download for a user, and the two totals are unrelated. If you think I am wrong, please point me at the correct report?

    Ian

    Update:- a lot more poking of various screen entries and I found the information, 78KB.

  • Same problem here.

    This situation appears with a "big" download within the 2 minutes...

    So conntrack does not seem to be responsible for this.

    Firmware: SFV2C4 (SFOS 17.0.3 MR-3)

    With a different Apache source for the download, this does not seem to have the same behaviour.

    Will try with the newest firmware.

  • This is a big issue. I have a remote VMware 6.5 setup that I have connected through VPN with no NAT being used. I cannot upload to the Datastores. I can get on a workstation local to the network and everything works, but nothing through the VPN connection. I started looking through the Firewall and I see a bunch of Denies with this error message on my VPN rule. This is a bigger problem.

  • Hi,

    you have another issue. Please open a thread in our community with all information.

    The invalid TCP RST packets are just a drop - the client already sent a RST to the server. So the interrupt already happened.

  • This morning I got these alerts, TCP RST, for software that syncs. My analysis is: it is true the communication is done between the client and the server, I can see the sync appear on the server, but it is also true the user client gets many error messages such as: you cannot authenticate with these credentials. Obviously those credentials are good. So if the interrupt already happened and is done, the message seems to continue and panicked the user.

  • But it seems not to be related to the issue, isn't it?

    Currently - to be honest - I could never observe an issue related to Invalid TCP RST. These alerts are just indicators for another issue.