https://community.sophos.com/sophos-xg-firewall/f/discussions/148051/invalid-traffic-invalid-tcp-state-no-routing-issueHello, I have a problem with mainly HTTPS connections showing up in the log as Invalid Traffic / Invalid TCP state. See screenshots below. example domain is https://telekom.de I have 2 Internet connections with separate NAT and SD-WAN routes. Routingen-USTelligent Community 12https://community.sophos.com/thread/548984?ContentTypeID=1Sat, 23 Nov 2024 10:20:40 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:b822d92b-77dc-466a-85e1-924f56830d27Gerhard Sauer<p>MTU size is 1492&nbsp; on both internet connections</p><div style="clear:both;"></div>https://community.sophos.com/thread/548982?ContentTypeID=1Sat, 23 Nov 2024 08:29:50 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:1c15c710-be51-4463-800d-e2d3867584d6LuCar Toni<p>So, could it be an issue with the MTU size of your WAN GW?&nbsp;</p> <p>Based on your tcpdump, it looks like an issue with the packets coming back from the server. As the servers packets are not valid for the firewall.&nbsp;</p> <p>My firewall(s) are not causing the same issues on any gateway.&nbsp;</p> <p>You could dump it into a file and analyze it via wireshark:&nbsp;<a id="" href="https://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers">https://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers</a>&nbsp;</p> <p><br />BTW: I found an interesting post on this subject:&nbsp;<a id="" href="https://blog.ipspace.net/2016/02/should-firewalls-track-tcp-sequence/">https://blog.ipspace.net/2016/02/should-firewalls-track-tcp-sequence/</a>&nbsp;</p><div style="clear:both;"></div>https://community.sophos.com/thread/548981?ContentTypeID=1Sat, 23 Nov 2024 01:55:44 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:63ce77bd-ede9-425e-81e9-fefb469d25a7Gerhard Sauer<p>both wan gateways are active and not on standby.</p> <p>The same happens, when I disable the first internet connection.</p> <p></p> <p>each internet connection uses an own physical ethernet cable and own IP range. SD WAN routing and NAT routing applies to the machines.</p><div style="clear:both;"></div>https://community.sophos.com/thread/548980?ContentTypeID=1Sat, 23 Nov 2024 01:46:09 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:eaecad6a-c1f3-47a3-bbe8-273fa90fe281Gerhard Sauer<p>I cannot open the telekom website at all when tcp seq checking is on (on the second line)</p><div style="clear:both;"></div>https://community.sophos.com/thread/548949?ContentTypeID=1Fri, 22 Nov 2024 14:00:41 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:1c4bd49c-9902-49f4-84ef-2eeb6ca1c722LuCar Toni<p>Just to be sure: Do you have any kind of Issue or is it only about the &quot;invalid traffic&quot; Logging?&nbsp;</p><div style="clear:both;"></div>https://community.sophos.com/thread/548947?ContentTypeID=1Fri, 22 Nov 2024 13:13:37 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:150f028e-adea-408c-8875-a898d3d454f9LHerzog<p>How is your WAN Gateway setup? both lines active or one standby? Does the same happen when only one line is disconnected or disabled?</p> <p>First thought is about a asynchronous routing issue but you&#39;d need to dump the traffic on CLI for each in and out interface and see where the packets are actually going.</p> <p>Incoming packets seem to match no active tcp connection - thus being dropped.</p> <p>Also cli tool drppkt may be helpful du analyze.</p> <p>I suspect that the traffic is at least in parts going over different interfaces.</p><div style="clear:both;"></div>