Hello,
I have a problem with mainly HTTPS connections showing up in the log as Invalid Traffic / Invalid TCP state. See screenshots below.
example domain is https://telekom.de
I have 2 Internet connections with separate NAT and SD-WAN routes. Routing shows correctly and (see workaround below) it works for both lines if TCP Seq Checking is disabled.
So there seems to be an issue with TCP checking, not routing. Especially because most websites do work, even if it is turned on.
Interesting to mention: both internet connections are with the same provider and run through the same router. I checked with packet capturing multiple times that no routing issue persists. Many connections do work, but with the example of telekom.de it does not work at all on the second line... But if TCP Seq checking is on, the second line works in many cases nevertheless. Packet capture also shows no other packets being delivered somewhere else.
The 80... IP is telekom.de and both internet connections are internally referred to as 192.168.12.12 or 192.168.10.10.
Current workaround is to disable "TCP Seq Checking"; then it works.
Issue persists with SFOS 21.0.0 GA-Build169 and SFOS 20.0.2 MR-2-Build378.
Is something like this a known issue?
How can this be troubleshot further?
Thank you.
How is your WAN gateway set up? Both lines active or one standby? Does the same happen when only one line is disconnected or disabled?
First thought is an asynchronous routing issue, but you'd need to dump the traffic on the CLI for each in and out interface and see where the packets are actually going.
Incoming packets seem to match no active TCP connection, thus being dropped.
Also, the CLI tool drppkt may be helpful to analyze.
I suspect that the traffic is at least in parts going over different interfaces.
Both WAN gateways are active and not on standby.
The same happens when I disable the first internet connection.
Each internet connection uses its own physical Ethernet cable and its own IP range. SD-WAN routing and NAT routing apply to the machines.
Just to be sure: do you have any kind of issue, or is it only about the "invalid traffic" logging?
__________________________________________________________________________________________________________________
I cannot open the telekom website at all when TCP seq checking is on (on the second line).
So, could it be an issue with the MTU size of your WAN GW?
Based on your tcpdump, it looks like an issue with the packets coming back from the server, as the server's packets are not valid for the firewall.
My firewall(s) are not causing the same issues on any gateway.
You could dump it into a file and analyze it via Wireshark: https://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers
BTW: I found an interesting post on this subject: https://blog.ipspace.net/2016/02/should-firewalls-track-tcp-sequence/
__________________________________________________________________________________________________________________
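As an added illustration of the two checks the replies above refer to (a reply segment that matches no connection entry on the interface it arrives on, and a sequence number outside the peer's window, which is what the Wireshark sequence-number analysis page helps you spot), here is a toy stateful TCP tracker. It is not Sophos/SFOS code and does not claim to reproduce how SFOS implements "TCP Seq Checking"; the addresses, ports and segments are constructed sample data, and the two-tracker setup simply stands in for two WAN lines with separate state.

```python
"""Toy stateful TCP tracker with an optional sequence-window check.
Added illustration for this thread, not SFOS code. All addresses, ports and
segments are constructed sample data."""
from dataclasses import dataclass, field

FIN, SYN, ACK = 0x01, 0x02, 0x10
MOD = 1 << 32


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (handles wraparound)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: int
    length: int = 0       # payload bytes carried
    window: int = 65535   # receive window advertised by the sender


@dataclass
class Endpoint:
    next_seq: int = 0     # next sequence number expected from this side
    window: int = 0       # receive window this side last advertised


@dataclass
class Flow:
    state: str = "SYN_SENT"
    client: Endpoint = field(default_factory=Endpoint)
    server: Endpoint = field(default_factory=Endpoint)


class Tracker:
    """Connection table for one path (one WAN line in the thread's setup)."""

    def __init__(self, seq_checking=True):
        self.seq_checking = seq_checking
        self.flows = {}   # (client ip, client port, server ip, server port) -> Flow

    def _lookup(self, s):
        """Return (flow, side) for a segment, trying both directions of the key."""
        fwd = (s.src, s.sport, s.dst, s.dport)
        if fwd in self.flows:
            return self.flows[fwd], "client"
        rev = (s.dst, s.dport, s.src, s.sport)
        if rev in self.flows:
            return self.flows[rev], "server"
        return None, None

    def handle(self, s):
        flow, side = self._lookup(s)
        if flow is None:
            if s.flags & SYN and not s.flags & ACK:
                f = Flow()                      # a bare SYN opens a new entry
                f.client.next_seq = (s.seq + 1) % MOD
                f.client.window = s.window
                self.flows[(s.src, s.sport, s.dst, s.dport)] = f
                return "ACCEPT"
            # No entry: the SYN was never seen on this path, so nothing validates it.
            return "DROP: invalid TCP state"
        if flow.state == "SYN_SENT" and side == "server" and s.flags & SYN and s.flags & ACK:
            flow.server.next_seq = (s.seq + 1) % MOD   # SYN-ACK fills the server side
            flow.server.window = s.window
            flow.state = "ESTABLISHED"
            return "ACCEPT"
        sender, receiver = (flow.client, flow.server) if side == "client" else (flow.server, flow.client)
        if self.seq_checking:
            # Segment must start within the receiver's advertised window around
            # the sequence number expected next from this sender.
            d = seq_diff(s.seq, sender.next_seq)
            if d < -receiver.window or d > receiver.window:
                return "DROP: invalid sequence number"
        end = (s.seq + s.length + (1 if s.flags & (SYN | FIN) else 0)) % MOD
        if seq_diff(end, sender.next_seq) > 0:
            sender.next_seq = end               # advance the expected edge
        sender.window = s.window
        return "ACCEPT"


C, S = "192.168.10.50", "203.0.113.10"   # constructed client and web server


def sample_segments():
    return [
        Segment(C, S, 40000, 443, 1000, SYN, window=65535),             # handshake
        Segment(S, C, 443, 40000, 5000, SYN | ACK, window=29200),
        Segment(C, S, 40000, 443, 1001, ACK),
        Segment(S, C, 443, 40000, 5001, ACK, length=1400),              # first TLS bytes
        Segment(S, C, 443, 40000, 205001, ACK, length=1400),            # far outside the window
        Segment("203.0.113.20", C, 443, 40001, 7000, SYN | ACK),         # reply with no SYN seen
    ]


def walk(segments, seq_checking=True):
    """Run segments through one tracker and return the per-segment verdicts."""
    t = Tracker(seq_checking)
    return [t.handle(s) for s in segments]


def asymmetric_path_demo():
    """Two trackers stand for two WAN lines: the SYN leaves on line A but the
    SYN-ACK returns on line B, which has no entry for the flow."""
    line_a, line_b = Tracker(), Tracker()
    syn, syn_ack = sample_segments()[:2]
    line_a.handle(syn)
    return line_b.handle(syn_ack)


if __name__ == "__main__":
    for mode in (True, False):
        print("seq_checking =", mode, walk(sample_segments(), mode))
    print("asymmetric path:", asymmetric_path_demo())
```

Running it shows the two outcomes the thread discusses: with the sequence check on, the out-of-window segment is dropped while the same segment passes with the check off, and a reply arriving on a path that never saw the SYN is dropped as invalid state in both modes. Walking a real capture segment by segment with the same two questions (is there an entry on this interface, and is the sequence number inside the window the client advertised) is what separates an asymmetric-routing problem from a sequence-number problem.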