Massive "invalid traffic/invalid tcp state" with 19.5 and HA

After the update to 19.5, the "invalid traffic" increases massively. It only shows when HA is up.

When I shut down one node, the "invalid traffic" disappeared. I see this issue at two customers.

Both had HA with 19.0MR1 and an update to 19.5GA.

Dissolving and re-establishing HA does not help.

Now I tried dissolving HA, reimaging the auxiliary with 19.0MR1, updating to 19.5GA and re-establishing HA. This seems to help.

Did anyone have similar observations?

Greetings.

Christian



  • Hi Christian,

    Thank you for reaching out to Sophos Community.

    For reference with regard to Invalid Traffic, kindly see the Recommended Read below.

    soph.so/SophosFirewall_InvalidTraffic

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • I know this document. But it does not explain why the issue disappears when one node is shut down.

    The first system with the issue was separating several LAN segments, and after the update to 19.5 the clients lost the connection to several servers. Only after disabling stateful inspection on the CLI for the internal LANs did the problem disappear. That's because Sophos support is always pointing to asymmetric routing, which was not the cause of the problem. The routing is simple and tcpdump shows only the 2 IPs and MACs when a client communicates with its server.

    Now I have another HA system (still non-productive) with this issue and have the opportunity to do some testing with it.

    I see 20-40 invalid TCP states per second on a system without any traffic for routing, only normal system traffic from the firewall itself.

    Something must be wrong with conntrack after going to HA mode.
