FW Log "Could not associate packet to any connection" when IPS enabled

Clean install of SFOS 17 beta. Used the router Wizard at install time and left all protection types unticked in the wizard.

Created a simple FW rule allowing LAN to WAN port 80 and 443 with an Intrusion prevention policy

Can browse the web without issue, but FW log is full of Rule 0 "Could not associate packet to any connection"

In the log screenshot below you can see several allow hits on my FW Rule, then several blocks on rule 0 for the same source/destination and port.

This repeats through the logs extensively for both port 443 and 80. 

If I set the intrusion prevention policy to none, this deny goes away. Setting ANY IPS policy, even a custom rule with a single signature configured to allow the traffic, and this invalid traffic appears all through the FW log.

  • Hi folks,

    It appears to be mail and web proxy errors as far as I can see on my XG.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • As I mentioned earlier, these are conntrack entries that are expiring. It has nothing to do with the IPS module, otherwise the logs would be in IPS and not Firewall. The default timeout for conntrack is set to 3 hours (10800 seconds) in this beta... I haven't used XG in a few MR releases so I don't have any way of looking at older default values to compare with. I also don't know if conntrack invalid packets were actually logged in the GUI before, and that is why we never saw them before.

    You can change the value to something higher on the console by using 

    set advanced-firewall tcp-est-idle-timeout 21600 (for 6 hours)

    For reference on current UTM9.5, the value is

    ip_conntrack_tcp_timeout_established' => 86400

    If anything, they need to tune the logging so that the same entries are only repeated once every x amount of seconds in firewall logs.
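The post above makes two points that are easy to check offline: rule-0 "Could not associate packet to any connection" entries tend to follow an earlier allow for the same flow (a conntrack entry that has expired or is out of state), and the log would be far more readable if identical entries were collapsed into one line per time window. The script below is an added example, not code from the thread or from Sophos, and it assumes a constructed key=value log format rather than real SFOS log output. It parses sample lines, groups them by (src, dst, dport), marks which invalid-packet flows had a prior allow, and rate-limits the repeats the way the post suggests the firewall itself should.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up key=value layout (not SFOS's
# real format). Rule 1 is the LAN-to-WAN allow rule; rule 0 is the
# implicit drop that logs the conntrack "could not associate" message.
SAMPLE_LOG = """\
2017-06-01T10:00:00 rule=1 action=allow src=192.168.1.10 dst=203.0.113.5 dport=443 msg=
2017-06-01T10:00:01 rule=1 action=allow src=192.168.1.10 dst=203.0.113.5 dport=443 msg=
2017-06-01T10:00:05 rule=0 action=deny src=192.168.1.10 dst=203.0.113.5 dport=443 msg="Could not associate packet to any connection"
2017-06-01T10:00:06 rule=0 action=deny src=192.168.1.10 dst=203.0.113.5 dport=443 msg="Could not associate packet to any connection"
2017-06-01T10:00:07 rule=0 action=deny src=192.168.1.10 dst=203.0.113.5 dport=443 msg="Could not associate packet to any connection"
2017-06-01T10:00:30 rule=1 action=allow src=192.168.1.11 dst=198.51.100.9 dport=80 msg=
2017-06-01T10:01:10 rule=0 action=deny src=192.168.1.11 dst=198.51.100.9 dport=80 msg="Could not associate packet to any connection"
2017-06-01T10:02:00 rule=0 action=deny src=10.9.9.9 dst=203.0.113.5 dport=443 msg="Could not associate packet to any connection"
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) rule=(?P<rule>\d+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) msg=(?P<msg>.*)"
)
INVALID_MSG = "Could not associate packet to any connection"


def parse_log(text):
    """Turn the constructed log text into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the assumed layout
        entries.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "rule": int(m["rule"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "msg": m["msg"].strip('"'),
        })
    return entries


def flow_key(e):
    return (e["src"], e["dst"], e["dport"])


def is_invalid(e):
    """Rule-0 drop carrying the conntrack 'could not associate' message."""
    return e["rule"] == 0 and INVALID_MSG in e["msg"]


def classify_flows(entries):
    """Per flow: how many allows, how many invalid drops, and whether an
    allow preceded the first invalid drop (the expiring-conntrack pattern
    described in the thread). Flows with invalid drops but no prior allow
    did not come through the allow rule at all and deserve a closer look."""
    flows = {}
    for e in entries:
        f = flows.setdefault(flow_key(e), {"allowed": 0, "invalid": 0, "prior_allow": False})
        if e["action"] == "allow":
            f["allowed"] += 1
        elif is_invalid(e):
            f["invalid"] += 1
            if f["allowed"] > 0:
                f["prior_allow"] = True
    return flows


def rate_limit(entries, window_seconds):
    """Collapse repeated invalid-packet entries for one flow into a single
    summary per window, i.e. 'repeat once every x seconds' as suggested."""
    window = timedelta(seconds=window_seconds)
    open_windows = {}  # flow -> [window start, count]
    summaries = []
    for e in entries:
        if not is_invalid(e):
            continue
        flow = flow_key(e)
        state = open_windows.get(flow)
        if state is None or e["ts"] - state[0] >= window:
            if state is not None:
                summaries.append({"flow": flow, "first": state[0], "count": state[1]})
            open_windows[flow] = [e["ts"], 1]
        else:
            state[1] += 1
    for flow, (start, count) in open_windows.items():
        summaries.append({"flow": flow, "first": start, "count": count})
    return summaries


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for flow, stats in classify_flows(parsed).items():
        tag = "expired-after-allow" if stats["prior_allow"] else "no-prior-allow"
        print(flow, stats, tag)
    for s in rate_limit(parsed, window_seconds=60):
        print("%s x%d invalid since %s" % (s["flow"], s["count"], s["first"]))
```

Run against a real export you would swap `LINE_RE` for the product's actual field layout; the grouping and windowing logic does not depend on it. The `no-prior-allow` tag is the interesting one for triage: a flow that only ever shows up as rule-0 invalid packets never matched the allow rule, so it is not the expiring-conntrack case the thread is about.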

  • Hi Billybob,

    I changed my MR7 XG while trying to see the current value; I thought the command might display the previous value, but no.

    How do you get the previous value?

    Ian

    Update: changed the XG v17b setting, restarted it, started new browser to new sites, still the same error message.

  • Yeah, my testing shows the same errors too. Raising the connection timeout slowed the flood to every 6 hours instead of the default 3 hours.

    Typing show advanced-firewall will show the current value. They will have to adjust the verbosity rate at which the packets are being logged but of course I could be wrong and this is some other firewall settings problem.