FW Log "Could not associate packet to any connection" when IPS enabled

Clean install of SFOS 17 beta. Used the router Wizard at install time and left all protection types unticked in the wizard.

Created a simple FW rule allowing LAN to WAN port 80 and 443 with an Intrusion prevention policy

Can browse the web without issue, but FW log is full of Rule 0 "Could not associate packet to any connection"

In the log screenshot below you can see several allow hits on my FW rule, then several blocks on rule 0 for the same source/destination and port.

This repeats through the logs extensively for both port 443 and 80. 

If I set the intrusion prevention policy to none, this deny goes away. If I set ANY IPS policy, even a custom rule with a single signature configured to allow the traffic, this invalid traffic appears all through the FW log.

Parents
  • The problem with NetFlix is still valid for Beta 2. :-(

    Any new ideas how to solve this?

    //Update:

    I did some testing since I'm able to reproduce the problem with Netflix streaming with http/80.

    This is the behavior I was able to reproduce on beta 1 and beta 2:

    - Update/reboot the system with the beta firmware

    - Start Netflix streaming

    - Streaming stops with an error after approx. 45 minutes

    - Log is full of "Could not associate...." errors with the source IP of the streaming client (Amazon FireTV stick in this case)

    The workaround I found:

    - Open the related FW rule and disable ANYTHING in the box "Web Malware and Content Scanning" ...

    - ...AND set the "Web policy" to NONE in the "Advanced" box.

    Afterwards it's working again without any problems. 

    So I guess it has something to do with the "Web" component, which might run into a problem after some time?!

    It seems to work if you make sure that the FW rule won't use the "Web" component at all.

    Although you might not notice any problems during normal web surfing, I think this is a serious bug in v17.

    Best Regards and a nice weekend :)

    DomNik

  • Hi,

    Thank you for the feedback.

    The log 'Could not associate packet to any connection.' is generated in the following cases:

    • The appliance receives a packet which does not belong to an already established connection, so no associated conntrack entry is found for that packet.
    • The connection on the appliance has timed out, but the client is still retrying by re-transmitting packets with the old connection id.
    • This invalid-traffic log reason is not due to any error in the appliance or a configuration issue. Rather, it occurs because the appliance receives network packets for which it has no related connection.

    Invalid traffic logging can be turned OFF, to avoid logging these packets frequently.

    Earlier this logging was disabled by default, which could be why these log entries were not noticed. We have enabled "Invalid traffic" logging in SFOSv17 with the factory default configuration.

     

    Regards,

    Deepti

    I know we are reaching the end of the beta and you guys are trying to wrap up and tie loose ends, but the problem is not what the logic behind the logs is. We want to know why they are generated in such huge numbers and how to fix the problem. Turning off a chattering logging subsystem is not the answer. I explained the problem in a little more detail in the other thread https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feedback/96650/numerous-could-not-associate-packet-to-any-connection-messages-in-the-firewall-log/351500#351500

    Regards
