nf_ct_tcp: invalid RST / Use strict TCP session handling / RDP

Hi all,

Since I've updated my UTM to 9.401-11 I'm seeing such entries in my log files:

/var/log/packetfilter/2016/04/packetfilter-2016-04-17.log.gz:2016:04:17-18:45:34 UTMNAME ulogd[19007]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="SOURCEIP " dstip="DSTIP " proto="6" length="40" tos="0x00" prec="0x00" ttl="128" srcport="2571" dstport="3389" tcpflags="RST" info="nf_ct_tcp: invalid RST "

/var/log/packetfilter/2016/04/packetfilter-2016-04-17.log.gz:2016:04:17-18:45:34 UTMNAME ulogd[19007]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1" outitf="eth2" srcmac="SRCMAC" dstmac="DSTMAC" srcip="SOURCEIP " dstip="DSTIP " proto="6" length="40" tos="0x00" prec="0x00" ttl="127" srcport="2571" dstport="3389" tcpflags="RST

This is actually dropping my RDP session for a few seconds. I think it's related to the "Use strict TCP session handling" firewall parameter which I've set to ENABLED. It seems that disabling and re-enabling the Use strict TCP session handling parameter helps for some time but does not correct the issue.

Any help would be appreciated.
Thanks,
m.

EDIT: Firewall live log logs the following:
Suspicious TCP state - TCP

EDIT2: I've now tested with a new service definition for RDP using TCP & UDP port 3389 (instead of TCP only). The issue seems gone now. Would anyone have some links about Microsoft's latest RDP protocol tech specs, as well as whether it's advised to use both TCP & UDP for RDP?
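A small parser for the ulogd key="value" packetfilter lines quoted above, added here as an example and not part of the thread: it groups the "nf_ct_tcp: invalid RST" and "strict TCP state" drops by flow so the RDP session (destination port 3389) that strict handling is tearing down can be spotted. The sample lines are constructed from the excerpt, with made-up private IPs in place of the SOURCEIP/DSTIP placeholders.

```python
import re
from collections import defaultdict

# Matches the key="value" pairs emitted by the UTM's ulogd packetfilter log.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the thread's excerpt (IPs are made up).
SAMPLE_LOG = """\
2016:04:17-18:45:34 UTMNAME ulogd[19007]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="0" srcip="10.0.0.5" dstip="10.0.1.7" proto="6" length="40" ttl="128" srcport="2571" dstport="3389" tcpflags="RST" info="nf_ct_tcp: invalid RST "
2016:04:17-18:45:34 UTMNAME ulogd[19007]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" initf="eth1" outitf="eth2" srcip="10.0.0.5" dstip="10.0.1.7" proto="6" length="40" ttl="127" srcport="2571" dstport="3389" tcpflags="RST"
2016:04:17-18:46:01 UTMNAME ulogd[19007]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" srcip="10.0.0.5" dstip="10.0.1.7" proto="6" length="52" ttl="128" srcport="2580" dstport="443" tcpflags="S"
"""

def parse_line(line):
    """Return the key/value fields of one ulogd line, plus its leading timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields

def strict_tcp_drops(log_text):
    """Group strict-TCP-state / invalid-RST events by 4-tuple (src, sport, dst, dport).

    Several such events on one flow mean conntrack rejected that session's
    segments, which is what shows up as the RDP session stalling for a while."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        is_strict = f.get("action") == "strict TCP state"
        is_invalid = "nf_ct_tcp: invalid" in f.get("info", "")
        if not (is_strict or is_invalid):
            continue
        key = (f["srcip"], f["srcport"], f["dstip"], f["dstport"])
        flows[key].append((f["ts"], f.get("tcpflags"), f.get("info", "").strip() or f["action"]))
    return dict(flows)

def affected_rdp_flows(log_text, rdp_port="3389"):
    """Return only the dropped flows whose destination port is the RDP port."""
    return {k: v for k, v in strict_tcp_drops(log_text).items() if k[3] == rdp_port}

if __name__ == "__main__":
    for flow, events in affected_rdp_flows(SAMPLE_LOG).items():
        print(flow, events)
```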

  • Hi Mokaz,

    Greetings.

    The TCP protocol uses checksums to ensure that communication is reliable. A checksum is added to every transmitted segment and it is checked at the receiving end. When a checksum differs from the checksum expected by the receiving host, the packet is dropped at the receiver's end. Hence Strict TCP session handling drops the invalid RST packet.

    Use strict TCP session handling: By default, the system can "pick up" existing TCP connections that are not currently handled in the connection tracking table due to a network facility reset. This means that interactive sessions such as SSH and Telnet will not quit when a network interface is temporarily unavailable. Once this option is enabled, a new three-way handshake will always be necessary to re-establish such sessions. Additionally, this option does not allow the TCP connection methods simultaneous open or TCP split handshakes.

    It is generally recommended to leave this option turned off.

    Microsoft RDP uses both TCP port 3389 & UDP port 3389. Hence, using both the port services is mandatory.

    Thanks

    Sachin Gurung

  • Hey Sachin,

    Thanks a lot for your detailed answer =) great read.. What I did find "strange", if you pass me the expression, is that the default built-in Service Definitions in my UTM for RDP only rely on TCP.. Although, clearly, my installation was done with something like v9.21 and always updated till today, v9.40.xx, so this could be an explanation. Though, I've now made my own RDP Service definition including both TCP & UDP and it works fine.

    Thanks again, really appreciated.

    Cordially,

    M.