[9.191][DUPE] Strict Tcp session disconnect issues

Having some strict TCP session connection issues.

Strict TCP session causes VPN disconnect issues.
Strict TCP session causes Final Fantasy disconnect issues.

You can connect, but then after about 2 minutes or less you get Strict TCP session in the logs and your session is disconnected.

Here are some logs.


03:42:35  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63120 → 198.107.129.100 : 80  [ACK FIN]  len=40  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:48  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK]  len=52  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:48  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK]  len=64  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:49  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK PSH]  len=148  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:49  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK]  len=64  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:51  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK PSH]  len=148  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:52  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK]  len=64  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:52  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63126 → 198.107.129.100 : 443  [ACK PSH FIN]  len=79  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:54  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK PSH]  len=148  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:57  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63047 → 199.91.189.21 : 55024  [ACK PSH]  len=116  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:58  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK PSH]  len=232  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:42:58  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63047 → 199.91.189.21 : 55024  [ACK PSH]  len=116  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:00  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK PSH]  len=412  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:00  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63047 → 199.91.189.21 : 55024  [ACK PSH]  len=116  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:04  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63047 → 199.91.189.21 : 55024  [ACK PSH]  len=116  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:07  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK]  len=40  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:07  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK]  len=52  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:09  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK]  len=52  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:09  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK]  len=204  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:11  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK]  len=52  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:11  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63048 → 199.91.189.21 : 55024  [ACK]  len=552  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:12  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63047 → 199.91.189.21 : 55024  [ACK PSH]  len=180  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:16  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK]  len=52  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:21  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK PSH]  len=66  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:22  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK PSH]  len=66  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:23  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63120 → 198.107.129.100 : 80  [ACK FIN]  len=40  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
03:43:25  Suspicious TCP state  TCP  INTERNAL ADDRESS : 63125 → 198.107.130.128 : 5223  [ACK PSH]  len=66  ttl=63  tos=0x00  srcmac=9:00:80:f0:00:7f  dstmac=6:0:c5:60:fc:ca
  • Hi,

    1. please post your exact version #

    2. please post lines from the FULL LOG, not the live log, and surround them with CODE tags.

    Barry
  • Hi Knome,

    Sorry, but I'm not an expert in this topic. But maybe with some more information the developers get an idea what happened here.

    Did this work for you before you started with the beta?
    Does the VPN go through the UTM or terminate at the UTM?
    Which kind of VPN do you use?

    Best,
    Kofi
  • Barry, sorry, that post was for 9.2 beta. Made a big bla and posted in the wrong forum; no wonder I could not find it in beta [:)] Sorry.

    version # utm 9.191-2

    The log above is for FF,
    when I connect to the FF servers.
  • Full log for FF

    (2013:12:31-11:44:14 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.131.128" proto="6" length="214" tos="0x00" prec="0x00" ttl="63" srcport="54636" dstport="5223" tcpflags="ACK PSH FIN" )

    (2013:12:31-11:44:17 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.131.100" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="54634" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:19 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="72.247.10.8" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54616" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:19 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="72.247.10.8" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54615" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:19 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="72.247.10.8" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54614" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:21 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.130.128" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54567" dstport="5223" tcpflags="ACK" )

    (2013:12:31-11:44:27 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.130.128" proto="6" length="66" tos="0x00" prec="0x00" ttl="63" srcport="54567" dstport="5223" tcpflags="ACK PSH" )

    (2013:12:31-11:44:37 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="23.66.211.49" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54597" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:41 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.130.128" proto="6" length="78" tos="0x00" prec="0x00" ttl="63" srcport="54567" dstport="5223" tcpflags="ACK PSH" )

    (2013:12:31-11:44:47 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.131.100" proto="6" length="67" tos="0x00" prec="0x00" ttl="63" srcport="54637" dstport="443" tcpflags="ACK PSH FIN" )

    (2013:12:31-11:44:47 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.131.100" proto="6" length="40" tos="0x00" prec="0x00" ttl="63" srcport="54633" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:48 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="124.150.158.117" proto="6" length="69" tos="0x00" prec="0x00" ttl="63" srcport="54593" dstport="443" tcpflags="ACK PSH FIN" )

    (2013:12:31-11:44:48 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="124.150.158.117" proto="6" length="69" tos="0x00" prec="0x00" ttl="63" srcport="54571" dstport="443" tcpflags="ACK PSH FIN" )

    (2013:12:31-11:44:48 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="184.29.104.227" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54598" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:48 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.128.101" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54632" dstport="80" tcpflags="ACK FIN") 

    (2013:12:31-11:44:50 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="72.247.10.8" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="54625" dstport="80" tcpflags="ACK FIN" )

    (2013:12:31-11:44:59 windgear ulogd[32017]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth3.115" outitf="eth1" srcmac="9:00:80:f0:00:7f" dstmac="6:0:c5:60:fc:ca" srcip="INTERNAL ADDRESS" dstip="198.107.130.128" proto="6" length="92" tos="0x00" prec="0x00" ttl="63" srcport="54567" dstport="5223" tcpflags="ACK PSH" )
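
Added example, not part of any post in this thread: a small Python triage script for log lines in the key="value" layout of the full log above. It groups "strict TCP state" entries per flow and separates drops with FIN/RST set from drops of plain ACK / ACK PSH segments; treating the latter as the flows to look at first is a triage assumption made here, and the sample lines, host name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" layout of the full log quoted above.
# Host name, field subset and addresses (documentation ranges) are not from the thread.
SAMPLE = """\
2013:12:31-11:44:21 fw ulogd[1]: id="2012" sub="packetfilter" name="strict TCP state" srcip="192.0.2.10" dstip="198.51.100.128" proto="6" srcport="54567" dstport="5223" tcpflags="ACK"
2013:12:31-11:44:27 fw ulogd[1]: id="2012" sub="packetfilter" name="strict TCP state" srcip="192.0.2.10" dstip="198.51.100.128" proto="6" srcport="54567" dstport="5223" tcpflags="ACK PSH"
2013:12:31-11:44:41 fw ulogd[1]: id="2012" sub="packetfilter" name="strict TCP state" srcip="192.0.2.10" dstip="198.51.100.128" proto="6" srcport="54567" dstport="5223" tcpflags="ACK PSH"
2013:12:31-11:44:47 fw ulogd[1]: id="2012" sub="packetfilter" name="strict TCP state" srcip="192.0.2.10" dstip="198.51.100.100" proto="6" srcport="54634" dstport="80" tcpflags="ACK FIN"
2013:12:31-11:44:48 fw ulogd[1]: id="2001" sub="packetfilter" name="Packet dropped" srcip="192.0.2.10" dstip="198.51.100.7" proto="6" srcport="54700" dstport="25" tcpflags="SYN"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse(line):
    """Return the key="value" fields of a strict-TCP-state line, else None."""
    fields = dict(FIELD.findall(line))
    return fields if fields.get("name") == "strict TCP state" else None


def summarize(text):
    """Count strict-TCP-state drops per flow, split into teardown and mid-stream."""
    flows = defaultdict(lambda: {"teardown": 0, "midstream": 0})
    for line in text.splitlines():
        f = parse(line)
        if f is None:
            continue  # other packet filter events are out of scope here
        key = (f.get("srcip"), f.get("srcport"), f.get("dstip"), f.get("dstport"))
        flags = set(f.get("tcpflags", "").split())
        # FIN/RST: the connection was closing anyway; plain ACK/PSH: data in flight
        kind = "teardown" if flags & {"FIN", "RST"} else "midstream"
        flows[key][kind] += 1
    return dict(flows)


def midstream_flows(text, threshold=2):
    """Flows with repeated mid-stream drops, i.e. data segments of a live session."""
    return sorted(k for k, v in summarize(text).items() if v["midstream"] >= threshold)


if __name__ == "__main__":
    for flow in midstream_flows(SAMPLE):
        print("repeated mid-stream drops:", flow)
```
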
  • mod2402, good to know that I am not the only one having this issue. Hope it's fixed soon.
  • Hi Knome,

    Created a Mantis which deals with this issue. It is attached in the post mentioned by mod.

    Thanks all for testing and Happy New Year [:)]

    Best,
    Bianca