This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SG450 UTM 9.705-3 afcd[]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000

As soon as we turn on ATP on a SG450 A/S Cluster running UTM 9.705-3, the afc.log gets massively spammed with the following message:

2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000
2021:05:05-15:49:22 SG450 afcd[21729]: WARNING! packet already has AFC mark value (0x0000116a), replacing with 0x00001000

thus the log file files up pretty fast, here is a 30sec snapshot

SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 819K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 852K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 900K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 942K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 970K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 991K May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 1.1M May 5 15:49 afc.log
SG450:/var/log # ls -lha | grep afc.log
-rw-r--r-- 1 root log 1.1M May 5 15:49 afc.log

ATP mode is set to "Alert"

what are these messages?

how can we avoid the log from getting filled?

This thread was automatically locked due to age.

Parents

FormerMember over 3 years ago
Hi Samuel Heinrich,

Thank you for reaching out to the Community!

Do you see any core dumps on your firewall? Check core dumps with the following commands.

cd /var/storage/cores

ls -larth

Is there any pattern update that is pending on your firewall? Go to the Management > Up2Date > Pattern.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel

Reply

FormerMember over 3 years ago
Hi Samuel Heinrich,

Thank you for reaching out to the Community!

Do you see any core dumps on your firewall? Check core dumps with the following commands.

cd /var/storage/cores

ls -larth

Is there any pattern update that is pending on your firewall? Go to the Management > Up2Date > Pattern.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel

Children

Samuel Heinrich over 3 years ago in reply to FormerMember

Patterns are up2date.

there are no core logfiles

ictrz-fw-01:/home/login # cd /var/storage/cores/
ictrz-fw-01:/var/storage/cores # ls -larth
total 8.0K
drwx------ 2 root root 4.0K Jul 13 2020 .
drwxr-xr-x 13 root root 4.0K Nov 26 12:00 ..
ictrz-fw-01:/var/storage/cores #

As I understand regarding this thread:

https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/46303/packet-already-has-afc-mark-value/168453

AFC mark values refer to an Application.

We neither use Application Control, nor has the firewall webfilter turned on. I assume ATP uses AFC for some sort of DPI.

I'm currently trying to investigate, which application those HEX Values belong to:

(0x0000116a), replacing with 0x00001000

Looking at this KB article:

support.sophos.com/.../KB-000034657

it should be possible to identify them via /var/chroot-afc/etc/afc/plugin.conf, unfortunately this is quite confusing.

ictrz-fw-01:/var/storage # cat /var/chroot-afc/etc/afc/plugin.conf | grep 116
BAIDUHI = 1116
DEOS = 116
QUAKELIV = 1160
RENREN = 1161
SCCP = 1162
SHAREMAN = 1163
SHRPNTOL = 1164
SILVERLT = 1165
SITESCOT = 1166
ictrz-fw-01:/var/storage # cat /var/chroot-afc/etc/afc/plugin.conf | grep 1000
REDIFF = 1000

any ideas?
Cancel
Vote Up 0 Vote Down

Cancel
FormerMember over 3 years ago in reply to Samuel Heinrich

Hi Samuel Heinrich,

Thanks for the update. I wasn't able to find any reference to these log entries.

I'd request you to open a support case as a question to get this investigated further.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel