Local ACL/Invalid Traffic

Hey all,

Has anyone discovered a way to determine what, specifically, the firewall is talking about when it denies traffic based on "Local ACL" or "Invalid Traffic"?

I'm struggling to get a CIFS client to communicate (getting host down messages) when all other devices on the network are using this share just fine. (It worked before I switched to this firewall as well, so I know it's something in here.) I'm having trouble locating the reason why it'd be dropping this traffic.

Thanks for any assistance you can provide!

:)



  • Local ACL / Invalid Traffic suggests that either a correct firewall rule has not been created in the rule engine for that traffic, or the traffic does not meet the expected TCP states or RFC specifications (for example in the case of asymmetric routing).

    To pull out a proper log:

    1. Access the CLI of the firewall and select Option 4 - Device Console.
    2. Execute the following command: console> drop-packet-capture "host x.x.x.x or host y.y.y.y"
    A host can be the source or the destination, to filter dropped traffic for a particular connection. The usual logical gates (AND/OR/NOT) are supported in the filter syntax.
    3. For a broadcast drop, you will get logs as follows:

    2015-12-22 03:27:06 0103021 IP 172.16.16.17.137 > 172.16.16.255.137 : proto UDP: packet len: 58 checksum : 17827
    0x0000: 4500 004e 4958 0000 8011 7816 ac10 1011 E..NIX....x.....
    0x0010: ac10 10ff 0089 0089 003a 45a3 fe25 0110 .........:E..%..
    0x0020: 0001 0000 0000 0000 2046 4846 4145 4245 .........FHFAEBE
    0x0030: 4543 4143 4143 4143 4143 4143 4143 4143 ECACACACACACACAC
    0x0040: 4143 4143 4143 4141 4100 0020 0001 ACACACAAA.....
    Date=2015-12-22 Time=03:27:06 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=1 outzone_id=4 source_mac=3c:97:0e:53:7b:e0 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=172.16.16.17 dest_ip=172.16.16.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3736931136 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Hope this helps.
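    As an added example (not from this thread, and not Sophos' own tooling), a small Python parser for the drop-packet-capture output shown above: it pairs each packet-summary line with the key=value record that follows it, skips the hex dump, and reads off the fields a first triage looks at (log_component, fw_rule_id, connid and the TCP flag letter). The sample entries are abridged copies of the ones posted in this thread; the field names assumed are the ones visible in those logs, and the ".255 means broadcast" check is a simplification for this /24 case.

```python
import re

# Abridged entries copied from the drop-packet-capture output posted in this thread
# (the NetBIOS broadcast drop and the TCP FIN drop); the key=value records are
# shortened to the fields used below, hex-dump lines are skipped by the parser.
SAMPLE = """\
2015-12-22 03:27:06 0103021 IP 172.16.16.17.137 > 172.16.16.255.137 : proto UDP: packet len: 58 checksum : 17827
0x0000: 4500 004e 4958 0000 8011 7816 ac10 1011 E..NIX....x.....
Date=2015-12-22 Time=03:27:06 log_id=0103021 log_component=Local_ACLs log_subtype=Denied in_dev=PortA out_dev= source_ip=172.16.16.17 dest_ip=172.16.16.255 l4_protocol=UDP dest_port=137 fw_rule_id=0 connid=0 state=256
2015-12-22 10:31:51 0102021 IP 192.168.2.21.51943 > 54.192.228.32.443 : proto TCP: F 3583992649:3583992649(0) win 4096 checksum : 45919
Date=2015-12-22 Time=10:31:51 log_id=0102021 log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= source_ip=192.168.2.21 dest_ip=54.192.228.32 l4_protocol=TCP dest_port=443 fw_rule_id=0 connid=0 state=0
"""

SUMMARY_RE = re.compile(r"^\S+ \S+ \d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+)"
                        r" : proto (?P<proto>\w+): ?(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* so an empty value such as out_dev= still parses
TCP_FLAGS = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "ACK"}  # tcpdump-style letters

def parse_capture(text):
    """Pair each packet-summary line with the key=value record that follows it."""
    entries, summary = [], None
    for line in text.splitlines():
        if line.startswith("0x"):          # hex dump of the packet, not needed for triage
            continue
        if line.startswith("Date="):
            rec = dict(KV_RE.findall(line))
            # the first token after 'proto TCP:' is the flag string, e.g. F for a FIN
            rec["tcp_flags"] = summary["rest"].split(" ", 1)[0] if summary and summary["proto"] == "TCP" else ""
            entries.append(rec)
            summary = None
        else:
            m = SUMMARY_RE.match(line)
            summary = m.groupdict() if m else None
    return entries

def triage(rec):
    """First-look reading of a denied entry, following the explanation given in the thread."""
    reasons = []
    if rec.get("fw_rule_id") == "0":
        reasons.append("no firewall rule matched (fw_rule_id=0)")
    if rec.get("log_component") == "Local_ACLs" and rec.get("dest_ip", "").endswith(".255"):
        reasons.append("subnet broadcast received by the firewall itself; no rule or local service ACL admits it")
    if rec.get("log_component") == "Invalid_Traffic":
        if rec.get("connid") == "0":
            reasons.append("packet belongs to no tracked connection (connid=0)")
        flag = TCP_FLAGS.get(rec.get("tcp_flags", ""))
        if flag in ("FIN", "RST", "ACK"):
            reasons.append(f"TCP {flag} with no established session: stale, stray or asymmetrically routed")
    return reasons
```

    Feed it the raw console output and it reports, per dropped packet, whether the problem is a missing rule or a packet the connection tracker does not recognise.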

  • AmitSharma said:

    Local ACL / Invalid Traffic suggests that either a correct firewall rule has not been created in the rule engine for that traffic, or the traffic does not meet the expected TCP states or RFC specifications (for example in the case of asymmetric routing).


    OK, I managed to get something like this:

    2015-12-22 10:31:51 0102021 IP 192.168.2.21.51943 > 54.192.228.32.443 : proto TCP: F 3583992649:3583992649(0) win 4096 checksum : 45919
    0x0000:  4500 0034 f9f5 4000 4006 6330 c0a8 0215  E..4..@.@.c0....
    0x0010:  36c0 e420 cae7 01bb d59f 6349 035f f661  6.........cI._.a
    0x0020:  8011 1000 b35f 0000 0101 080a 3d56 f5d9  ....._......=V..
    0x0030:  8178 21c9                                .x!.
    Date=2015-12-22 Time=10:31:51 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=c8:2a:14:48:d4:6e dest_mac=fc:aa:14:9a:40:e5 l3_protocol=IP source_ip=192.168.2.21 dest_ip=54.192.228.32 l4_protocol=TCP source_port=51943 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=4135489070035894272 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    What's wrong with the following packet? Any idea?

    I have marked the non-obvious and non-zero properties.

  • Oh, BTW: do you know if this diagnostic method may be used for web filter related issues?
  • Yes, it will. Use destination IP filtering in the Connection List, combined with Log Viewer > Web Filtering for that domain, to find out whether a website is being allowed or not.
  • I have done some testing and found something interesting. My setup is an XG with an AP55c. Since I am setting this up, I have an Any/Any rule with all app control and IPS turned off. My AP has 4 SSIDs, all set to "Separate Zones", and my device is on one of those SSIDs. When it tries to connect to the internet I see those "denied by policy_id:0" messages in the logs. I changed one of the SSIDs to be on the AP LAN, connected up, and now it works fine, no denies. Not sure what the difference is, since they are both just subnets on the internal LAN.
  • 2015-12-24 09:18:13 0102021 IP 10.XXX.XX.XXX.64491 > 10.252.XX.XXX.443 : proto TCP: R 4150585369:4150585369(0) checksum : 39074
    0x0000: 4500 0028 6523 4000 8006 ed0f 0a8e 42a5 E..(e#@.......B.
    0x0010: 0afc 506e fbeb 01bb f764 e819 46e3 4a88 ..Pn.....d..F.J.
    0x0020: 5014 0000 98a2 0000 P.......
    Date=2015-12-24 Time=09:18:13 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=0 outzone_id=0 source_mac=00:50:56:ba:44:33 dest_mac=00:50:56:91:20:6d l3_protocol=IP source_ip=10.XXX.XX.XXX dest_ip=10.252.XX.XXX l4_protocol=TCP source_port=64491 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=4051094740785954816 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    This is the log output. The traffic is dropped as "invalid traffic".

    I can't find entries with this IP in the connection list.
  • Well, so you have answered your question. No connection, packets dropped.
  • Same thing here. My game is trying to update and it's failing. There WAS some connection at the start, then it times out and fails...

    2015-12-27 13:05:50 0102021 IP 10.1.1.5.59946 > 66.151.133.50.443 : proto TCP: F 2729573040:2729573040(0) win 1021 checksum : 1203
    0x0000: 4500 0028 37bb 0000 8006 3046 0a01 0105 E..(7.....0F....
    0x0010: 4297 8532 ea2a 01bb a2b1 fab0 b23a 98d1 B..2.*.......:..
    0x0020: 5011 03fd 04b3 0000 P.......
    Date=2015-12-27 Time=13:05:50 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:01:2e:5a:79:c6 dest_mac=00:01:2e:4e:1a:4b l3_protocol=IP source_ip=10.1.1.5 dest_ip=66.151.133.50 l4_protocol=TCP source_port=59946 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3559031422993825792 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
  • When I connect to my work VPN my download works. Something the XG is doing.
  • I'm not sure if you have posted the right log entry.

    First of all, I get those "invalid traffic" messages even when the IPS and web filter are off, and the existence of those entries does not interfere with games downloading and updating. Especially if they appear for fw_rule_id=0.

    There is a different situation when the web filter / IPS is ON. I haven't had time to analyse this yet because of Christmas etc.
  • No problem. Those IP addresses are the inside client trying to download the game updates, and the external IP is the game host company, so I thought they were related. Whatever info you need when the holidays are over, I can reproduce for ya.
  • Why is there no connection? I think the Sophos XG Firewall blocks the connection, but why?