Local ACL/Invalid Traffic

Hey all,

Has anyone discovered a way to determine what, specifically, the firewall is talking about when it denies traffic based on a "Local ACL" or "Invalid Traffic?"

I'm struggling to get a CIFS client to communicate (getting host down messages) when all other devices on the network are using this share just fine. (It worked before I switched to this firewall as well, so I know it's something in here.) I'm having trouble locating the reason why it'd be dropping this traffic.

Thanks for any assistance you can provide!

:)

  • Local ACL/Invalid traffic suggests that either a correct firewall rule has not been created in the rule engine for that traffic, or the traffic does not meet the requested/expected TCP states or RFC specifications (for example in the case of asymmetric routing).

    To pull out a proper log:

    1. Access the CLI of the firewall and select Option 4 - Device Console.
    2. Execute the following command: console> drop-packet-capture "host x.x.x.x or host y.y.y.y"
    A host can be the source or the destination, to filter dropped traffic for a particular connection. The usual logical operators (AND/OR/NOT) are supported in the filter syntax.
    3. For a broadcast drop, you will get logs as follows:

    2015-12-22 03:27:06 0103021 IP 172.16.16.17.137 > 172.16.16.255.137 : proto UDP: packet len: 58 checksum : 17827
    0x0000: 4500 004e 4958 0000 8011 7816 ac10 1011 E..NIX....x.....
    0x0010: ac10 10ff 0089 0089 003a 45a3 fe25 0110 .........:E..%..
    0x0020: 0001 0000 0000 0000 2046 4846 4145 4245 .........FHFAEBE
    0x0030: 4543 4143 4143 4143 4143 4143 4143 4143 ECACACACACACACAC
    0x0040: 4143 4143 4143 4141 4100 0020 0001 ACACACAAA.....
    Date=2015-12-22 Time=03:27:06 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=1 outzone_id=4 source_mac=3c:97:0e:53:7b:e0 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=172.16.16.17 dest_ip=172.16.16.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3736931136 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Hope this helps.

  • AmitSharma said:

    Local ACL/Invalid traffic suggests that either a correct firewall rule has not been created in the rule engine for that traffic, or the traffic does not meet the requested/expected TCP states or RFC specifications (for example in the case of asymmetric routing).


    OK, I managed to get something like this:

    2015-12-22 10:31:51 0102021 IP 192.168.2.21.51943 > 54.192.228.32.443 : proto TCP: F 3583992649:3583992649(0) win 4096 checksum : 45919
    0x0000:  4500 0034 f9f5 4000 4006 6330 c0a8 0215  E..4..@.@.c0....
    0x0010:  36c0 e420 cae7 01bb d59f 6349 035f f661  6.........cI._.a
    0x0020:  8011 1000 b35f 0000 0101 080a 3d56 f5d9  ....._......=V..
    0x0030:  8178 21c9                                .x!.
    Date=2015-12-22 Time=10:31:51 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=c8:2a:14:48:d4:6e dest_mac=fc:aa:14:9a:40:e5 l3_protocol=IP source_ip=192.168.2.21 dest_ip=54.192.228.32 l4_protocol=TCP source_port=51943 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=4135489070035894272 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    What's wrong with this packet? Any idea?

    I have marked the non-obvious and non-zero properties.

  • Hello all,

    We have the same problem. Some HTTP (80) and HTTPS (443) traffic is blocked by the default rule (ID: 0). The reason is invalid traffic.

    Where can we see the default policy?
  • Could you please post the "drop-packet-capture" output as I did? I used the filter "src host 192.168.2.21 and dst port 443". I'm curious what the log_id and up_classid would be in your case.
  • Most likely the firewall's stateful table does not expect an [F] (FIN) flag coming from source 192.168.2.21, or a connection entry does not exist for this connection. You can see the entire list of connections served on the firewall from System > Diagnostics > Connection List and search (Display Filter) for the source or destination host; you can check more parameters for a served connection by selecting "Show additional properties".

    Log_ID is a unique code that summarizes Log Type, Log Component, Log Subtype, Log Priority and Message ID. The second one looks like the upload connection identifier for Bandwidth Management.

    A knowledge base article will be created to explain the IDs in detail.

    Hope this helps.
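
As an added example (not from this thread, from Sophos, or from any poster), the following Python script rebuilds the packet from the hex dump posted above, decodes its IPv4/TCP headers so the [F] flag the reply refers to becomes visible, parses the key=value drop log produced by the drop-packet-capture procedure from the first reply, checks that log and dump describe the same addresses and ports, and labels the drop. The explain_drop heuristic (no SYN and connid=0 means "no connection entry") is this example's own reading of the replies, not the firewall's actual logic, and all function names are this example's.

```python
import struct
# Hex dump and log line of the dropped FIN/ACK posted above (log trimmed to the fields used here).
HEX_DUMP = """
0x0000:  4500 0034 f9f5 4000 4006 6330 c0a8 0215  E..4..@.@.c0....
0x0010:  36c0 e420 cae7 01bb d59f 6349 035f f661  6.........cI._.a
0x0020:  8011 1000 b35f 0000 0101 080a 3d56 f5d9  ....._......=V..
0x0030:  8178 21c9                                .x!.
"""
LOG_LINE = ("Date=2015-12-22 Time=10:31:51 log_id=0102021 log_type=Firewall "
            "log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= "
            "source_ip=192.168.2.21 dest_ip=54.192.228.32 l4_protocol=TCP "
            "source_port=51943 dest_port=443 fw_rule_id=0 connid=0 masterid=0 state=0")
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from the capture's 'offset: hex words  ascii' lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:          # skip the 0x0000: offset column
            if len(word) != 4 or any(c not in "0123456789abcdef" for c in word):
                break                          # reached the ASCII gutter
            out += bytes.fromhex(word)
    return bytes(out)

def decode_ipv4_tcp(pkt):
    """Decode the IPv4/TCP headers the firewall logged: addresses, ports, seq/ack and flag names."""
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes (20 here)
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]   # low byte holds the flags
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win, "flags": flags}

def parse_log_line(line):
    """Parse the key=value drop log; empty values such as 'out_dev=' are kept as ''."""
    return dict(token.partition("=")[::2] for token in line.split())

def log_matches_packet(fields, info):
    """Sanity check: the log entry and the hex dump describe the same addresses and ports."""
    return (fields["source_ip"], fields["dest_ip"], int(fields["source_port"]),
            int(fields["dest_port"])) == (info["src"], info["dst"], info["sport"], info["dport"])

def explain_drop(fields, info):
    """Label the drop using the replies above as a heuristic (an assumption, not firmware logic)."""
    comp = fields.get("log_component")
    if comp == "Local_ACLs":
        return "no firewall rule matched (fw_rule_id=%s)" % fields.get("fw_rule_id")
    if comp == "Invalid_Traffic" and "SYN" not in info["flags"] and fields.get("connid") == "0":
        return "%s segment with no connection entry (connid=0)" % "/".join(info["flags"])
    return "state/RFC check failed" if comp == "Invalid_Traffic" else "unrecognised %r" % comp
```

Calling `explain_drop(parse_log_line(LOG_LINE), decode_ipv4_tcp(hexdump_to_bytes(HEX_DUMP)))` on the posted capture reports a FIN/ACK segment with no connection entry, which is the condition the reply above describes.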

  • Thanks, that moves us forward quite a bit, but...

    AmitSharma said:

    Most likely the firewall's stateful table does not expect an [F] (FIN) flag coming from source 192.168.2.21, or a connection entry does not exist for this connection. You can see the entire list of connections served on the firewall from System > Diagnostics > Connection List and search (Display Filter) for the source or destination host; you can check more parameters for a served connection by selecting "Show additional properties".

    Log_ID is a unique code that summarizes Log Type, Log Component, Log Subtype, Log Priority and Message ID. The second one looks like the upload connection identifier for Bandwidth Management.

    A knowledge base article will be created to explain the IDs in detail.

    It would be really nice if the real reason were written somewhere... "Most likely" is good, but not the best.

  • Oh, BTW: do you know if this diagnostic method can be used for web filter related issues?
  • Yes, it will. Use destination IP filtering in the Connection List in combination with Log Viewer > Web Filtering for that domain to find out whether a website is being allowed or not.