Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 28 subscribers
  • Views 11526 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Invalid Traffic - Invalid TCP State - Static Route to Layer 3 Switch

Tony Shaw

Hello, 

I'm going round in circles online looking for a solution to this.  We have a new XG 210 firewall and I'm struggling to get it to route certain traffic via a layer 3 switch.

Devices on the network have their gateways set to be an interface on the XG.  If the device needs to contact something on a separate VLAN it sends the request to the XG which has a static route setup to forward the requests to a layer 3 switch which can route between the vlans.   I can ping all the devices on the vlan ok but their web interfaces do not load.   When I look in the XG's logs I can see the below "invalid traffic" packets being denied.   

messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="" out_interface="" src_mac="" src_ip="192.168.25.14" src_country="" dst_ip="192.168.26.111" dst_country="" protocol="TCP" src_port="58768" dst_port="80" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP state." appresolvedby="Signature" app_is_cloud="0"

Any Help Appreciated.  Thanks in advance.

Mark



This thread was automatically locked due to age.
Parents
  • 0

    Hi Mark,

     

    If you are using a layer 3 switch, the devices should have their gateways set to an RVI on the switch itself, not the XG. The switch should be doing the interVLAN routing, not the XG.

     

    The static routes will need to stay in the XG but that is just for traffic that passes through it, like going to the internet. They will point to the RVI of that VLAN.

     

    Using a layer 3 switch, you should be able to route interVLAN traffic without the XG even being hooked up.

     

    Hope this helps,

    Mike

  • 0 in reply to MichaelBolton

    Hi Mike,

     

    Thanks for getting back to me.   Interesting that you should say that.  I was coming to that conclusion myself.   I picked up the network from someone else at the time when there was a sonic wall in place.   When I put the XG in I configured it with the same configuration.  Generally everything is working fine.   

     

    I'll have a look at the switch config asap.  Thanks for your help.

     

    Mark

  • 0 in reply to Tony Shaw

    Hi,

    Before enabling routing in your switch you need to review why you enabled VLANs in the first place?

    Was it to isolate different user segments, was it to provide some form of security for some devices?

    Ian

Reply Children
No Data