This discussion has been locked.
IPS log - Error reading session data / failed to get sessiontbl data for session id

Hi community,

We found many of the following entries in /log/ips.log, without facing any service interruptions or performance issues.

XG450_WP02_SFOS 18.0.5 MR-5-Build586# tail /log/ips.log
[Sep 03 08:49:53 :25629]:Error reading session data,status -1
[Sep 03 08:49:53 :25629]:failed to get sessiontbl data for session id 1842 rev 34571 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Sep 03 08:49:53 :25629]:Error reading session data,status -1
[Sep 03 08:49:53 :25629]:failed to get sessiontbl data for session id 1842 rev 34571 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Sep 03 08:49:54 :25625]:Error reading session data,status -1
[Sep 03 08:49:54 :25625]:failed to get sessiontbl data for session id 1852 rev 41991 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Sep 03 08:49:54 :25625]:Error reading session data,status -1
[Sep 03 08:49:54 :25625]:failed to get sessiontbl data for session id 1852 rev 41991 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Sep 03 08:49:54 :25625]:Error reading session data,status -1
[Sep 03 08:49:54 :25625]:failed to get sessiontbl data for session id 1852 rev 41991 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet

Is this a normal or expected behavior?

Does anyone have an explanation for this?

Thanks in advance.

Markus



  • Hello Markus,

    Thank you for contacting the Sophos Community.

    A case for this was opened a while ago; the DEV team mentioned these errors can be ignored.

    It has to do with RST packets after receiving FIN from the server. Basically, it’s a timeout on the NSE because it doesn't take action on the packets since there’s already a FIN in both directions.

    Regards,
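
To separate this known message pair from anything else in /log/ips.log, the entries can be grouped by session id and rev. The following is an added example, not part of the original thread and not Sophos code; the function names and the last sample line are constructed, and the field layout is assumed from the lines quoted in the question.

```python
import re

# Sample input: the first five lines follow the format quoted in the question;
# the last line is constructed to stand in for an unrelated entry.
SAMPLE = """\
[Sep 03 08:49:53 :25629]:Error reading session data,status -1
[Sep 03 08:49:53 :25629]:failed to get sessiontbl data for session id 1842 rev 34571 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Sep 03 08:49:53 :25629]:failed to get sessiontbl data for session id 1842 rev 34571 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Sep 03 08:49:54 :25625]:Error reading session data,status -1
[Sep 03 08:49:54 :25625]:failed to get sessiontbl data for session id 1852 rev 41991 pkt_len 0 datalink_type 228 direction 0 daq_source 2 is_tcp 0 nseid 0 is_ssl_non_app_appdata 0, dropping packet
[Sep 03 08:49:55 :25625]:EXAMPLE unrelated entry (constructed)
"""

# "[Sep 03 08:49:53 :25629]:message"; the meaning of the number after the
# timestamp is not stated in the thread, so it is kept as an opaque "ident".
LINE = re.compile(r"^\[(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) :(?P<ident>\d+)\]:(?P<msg>.*)$")
DROP = re.compile(r"^failed to get sessiontbl data for (?P<fields>.+), dropping packet$")
READ_ERR = "Error reading session data,status -1"

def parse_fields(text):
    """'session id 1842 rev 34571 pkt_len 0' -> {'session id': 1842, 'rev': 34571, ...}"""
    return {k: int(v) for k, v in re.findall(r"([a-z_]+(?: id)?) (-?\d+)", text)}

def summarize(log_text):
    """Group the sessiontbl drop messages per (session id, rev); return the
    summary plus every line that is neither half of the known message pair."""
    sessions, other = {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        d = DROP.match(m.group("msg")) if m else None
        if d:
            f = parse_fields(d.group("fields"))
            s = sessions.setdefault((f["session id"], f["rev"]),
                                    {"count": 0, "first": m.group("ts"), "idents": set()})
            s["count"] += 1
            s["last"] = m.group("ts")
            s["idents"].add(int(m.group("ident")))
        elif not m or m.group("msg") != READ_ERR:
            other.append(line)  # not part of the pattern discussed in this thread
    return sessions, other

if __name__ == "__main__":
    sessions, other = summarize(SAMPLE)
    for key, info in sorted(sessions.items()):
        print(key, info["count"], info["first"], info["last"])
    print("other entries:", other)
```

Lines returned in `other` are the ones worth reading individually, since the reply above only covers the two sessiontbl messages.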
