FW Log "Could not assocate packet to any connection" when IPS enabled

Clean install of SFOS 17 beta. Used the router Wizard at install time and left all protection types unticked in the wizard.

Created a simple FW rule allowing LAN to WAN port 80 and 443 with an Intrusion prevention policy

Can browse the web without issue, but FW log is full of Rule 0 "Could not associate packet to any connection"

In the log screenshot below you can see several allow hits on my FW Rule, then several blocks on rule 0 for the same source/destination and port.

This repeats through the logs extensively for both port 443 and 80.

If I set intrusion prevention policy to none, this deny goes away. Setting ANY IPS policy, even custom rule with a single signature configured to allow the traffic then this invalid traffic appears all through the FW log.

Parents

john_kenny over 7 years ago

same problem, lots of dropped traffic and ips log is empty.

JK
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Jasin over 7 years ago in reply to john_kenny

I had the same issue, saw tons of the invalid data, web was extremely slow and some pages kept timing out. Browsing web through work VPN was not an issue but all house sites didn't work. So I had to revert back to 16 for now.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
DomNik over 7 years ago in reply to Jasin

I have the same problem when trying to watch Netflix. It worked for about an hour when watching a film and now these errors occur immediately even 12 hours later.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
john_kenny over 7 years ago in reply to DomNik

def seems like the IPS module needs looking at, ive not seen any log entires at all.

JK

JK
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
john_kenny over 7 years ago in reply to Jasin

I put my IPS in lowmem mode and it helped. but i doubt it will work for people using high spec HW.

JK
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
rfcat_vk over 7 years ago in reply to john_kenny

Hi folks,

it appears to be mail and web proxy errors as far as I can see on my XG.

Ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
Billybob over 7 years ago in reply to rfcat_vk

As I mentioned earlier, these are conntrack entries that are expiring. Has nothing to do with IPS module otherwise the logs would be in IPS and not Firewall. The default timeout for conntrack is set to 3 hours(10800 seconds) in this beta... I haven't used XG in a few MR releases so don't have any way of looking at older default values to compare with. Also don't know if conntrack invalid packets were actually logged in the GUI before and that is why we never saw them before.

You can change the value to something higher on the console by using

set advanced-firewall tcp-est-idle-timeout 21600 (for 6 hours)

For reference on current UTM9.5, the value is

ip_conntrack_tcp_timeout_established' => 86400

If anything, they need to tune the logging so that the same entries are only repeated once every x amount of seconds in firewall logs.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
rfcat_vk over 7 years ago in reply to Billybob

Hi Billybob,

I changed my MR7 XG while trying to see the current value, thought the command might display the previous value. but no.

How do you get the previous value?

Ian

Update: changed the XG v17b setting, restarted it, started new browser to new sites, still the same error message.

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Reply

rfcat_vk over 7 years ago in reply to Billybob

Hi Billybob,

I changed my MR7 XG while trying to see the current value, thought the command might display the previous value. but no.

How do you get the previous value?

Ian

Update: changed the XG v17b setting, restarted it, started new browser to new sites, still the same error message.

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel

Children

Billybob over 7 years ago in reply to rfcat_vk
Yeah, my testing shows the same errors too. Raising the connection timeout slowed the flood to every 6 hours instead of the default 3 hours.

Typing show advanced-firewall will show the current value. They will have to adjust the verbosity rate at which the packets are being logged but of course I could be wrong and this is some other firewall settings problem.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel