Guest User!

You are not Sophos Staff.

Thread Info
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 800 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SG450 UTM 9.705-3 afcd[]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000

Samuel Heinrich

As soon as we turn on ATP on a SG450 A/S Cluster running UTM 9.705-3, the afc.log gets massively spammed with the following message:

2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000

thus the log file files up pretty fast, here is a 30sec snapshot


SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 819K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 852K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 900K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 942K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 970K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 991K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 1.1M May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 1.1M May 5 15:49 afc.log

ATP mode is set to "Alert"

what are these messages?

how can we avoid the log from getting filled?



This thread was automatically locked due to age.
  • FormerMember
    FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Do you see any core dumps on your firewall? Check core dumps with the following commands. 

    • cd /var/storage/cores
    • ls -larth 

    Is there any pattern update that is pending on your firewall? Go to the Management > Up2Date > Pattern.

    Thanks,

  • in reply to FormerMember

    Patterns are up2date.

    there are no core logfiles

    ictrz-fw-01:/home/login # cd /var/storage/cores/
    ictrz-fw-01:/var/storage/cores # ls -larth
    total 8.0K
    drwx------ 2 root root 4.0K Jul 13 2020 .
    drwxr-xr-x 13 root root 4.0K Nov 26 12:00 ..
    ictrz-fw-01:/var/storage/cores #

    As I understand regarding this thread:

    https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/46303/packet-already-has-afc-mark-value/168453

    AFC mark values refer to an Application.

    We neither use Application Control, nor has the firewall webfilter turned on.  I assume ATP uses AFC for some sort of DPI. 

     

    I'm currently trying to investigate, which application those HEX Values belong to:

    (0x0000116a), replacing with 0x00001000

    Looking at this KB article:

    support.sophos.com/.../KB-000034657

    it should be possible to identify them via /var/chroot-afc/etc/afc/plugin.conf, unfortunately this is quite confusing. 

    ictrz-fw-01:/var/storage # cat /var/chroot-afc/etc/afc/plugin.conf | grep 116
    BAIDUHI = 1116
    DEOS = 116
    QUAKELIV = 1160
    RENREN = 1161
    SCCP = 1162
    SHAREMAN = 1163
    SHRPNTOL = 1164
    SILVERLT = 1165
    SITESCOT = 1166
    ictrz-fw-01:/var/storage # cat /var/chroot-afc/etc/afc/plugin.conf | grep 1000
    REDIFF = 1000

    any ideas?

  • FormerMember
    FormerMember in reply to Samuel Heinrich

    Hi ,

    Thanks for the update. I wasn't able to find any reference to these log entries. 

    I'd request you to open a support case as a question to get this investigated further. 

    Thanks,

Unfiltered HTML