I get a lot of these messages in SYSLOG:
Oct 20 21:44:21 packet: nf_ct_tcp: invalid state SRC=10.0.15.227 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=13545 DF PROTO=TCP SPT=52936 DPT=1270 WINDOW=16425 ACK URGP=0
Oct 20 21:44:21 kernel: __ratelimit: 2 messages suppressed
Oct 20 21:44:21 packet: nf_ct_tcp: invalid state SRC=10.0.15.215 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4527 DF PROTO=TCP SPT=59418 DPT=1270 WINDOW=16425 ACK URGP=0
Oct 20 21:44:24 packet: nf_ct_tcp: invalid state SRC=10.0.15.12 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=27523 DF PROTO=TCP SPT=56011 DPT=1270 WINDOW=515 ACK URGP=0
Oct 20 21:44:24 kernel: __ratelimit: 2 messages suppressed
Oct 20 21:44:33 packet: nf_ct_tcp: invalid state SRC=10.0.15.215 DST=192.168.0.82 LEN=365 TOS=0x00 PREC=0x00 TTL=128 ID=4899 DF PROTO=TCP SPT=59416 DPT=8531 WINDOW=16211 ACK PSH URGP=0
Oct 20 21:44:33 kernel: __ratelimit: 10 messages suppressed
Oct 20 21:44:35 packet: nf_ct_tcp: invalid state SRC=10.0.15.208 DST=192.168.0.82 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1508 DF PROTO=TCP SPT=60893 DPT=8531 WINDOW=16425 ACK URGP=0
Oct 20 21:44:35 kernel: __ratelimit: 1 messages suppressed
I can tell these are Microsoft Operation Manager agents trying to report back to the server. The router is running McAfee/SG580 Version 4.0.6u3 firmware.
The router also has a static route for 192.168.0.0/24 to be routed to 10.0.15.2 which is a different VPN router on the same subnet.
I expected these invalid packets to be redirected to the other VPN router according to the static route in place.
What is the invalid state referring to?
P.S. Due to the profound incompetence of the McAfee support folk, I am still not able to register for support for the new devices I have purchased, for over a year now, despite reporting these problems to the McAfee support people on several occasions.
The packets may be invalid for a number of reasons.
Being a stateful firewall, packets usually show up in this context due to the 'state' not being correct, possibly due to packet flow that is no longer valid, for example.
You can bypass this invalid check with the following firewall -> packet filtering -> custom firewall rule:
iptables -I InvalidL -j RETURN
if you need to test to see if this feature is causing an issue.
Thanks for the suggestion, I'll try it shortly. I've just upgraded firmware to V4.08 with no change in behaviour.
Is the stateful inspection done before routing? I expected the static route to have redirected those packets before any inspection being done.
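As an added example (not code from the thread, from McAfee, or from the SG580 firmware), here is a small Python script for triaging the messages quoted at the top of the thread: it parses each nf_ct_tcp invalid-state line, aggregates hits per destination address, destination port and TCP flag set, and adds up the `__ratelimit: N messages suppressed` counters so the real volume is not underestimated from the handful of lines that reach syslog. The sample input is the thread's own log lines re-typed as a constant; the `classify` helper applies the general netfilter rule that a segment without SYN for which conntrack holds no connection entry is marked INVALID (a mid-stream packet whose handshake the firewall never saw, as after asymmetric routing, a conntrack table flush or a reboot), which is the "state no longer valid" case the reply above describes. On the routing question: in Linux netfilter, connection tracking runs in the PREROUTING hook, before the routing decision, so a packet is classified INVALID before any static route is consulted.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in the thread, re-typed here as test input.
SAMPLE_LOG = """\
Oct 20 21:44:21 packet: nf_ct_tcp: invalid state SRC=10.0.15.227 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=13545 DF PROTO=TCP SPT=52936 DPT=1270 WINDOW=16425 ACK URGP=0
Oct 20 21:44:21 kernel: __ratelimit: 2 messages suppressed
Oct 20 21:44:21 packet: nf_ct_tcp: invalid state SRC=10.0.15.215 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4527 DF PROTO=TCP SPT=59418 DPT=1270 WINDOW=16425 ACK URGP=0
Oct 20 21:44:24 packet: nf_ct_tcp: invalid state SRC=10.0.15.12 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=27523 DF PROTO=TCP SPT=56011 DPT=1270 WINDOW=515 ACK URGP=0
Oct 20 21:44:24 kernel: __ratelimit: 2 messages suppressed
Oct 20 21:44:33 packet: nf_ct_tcp: invalid state SRC=10.0.15.215 DST=192.168.0.82 LEN=365 TOS=0x00 PREC=0x00 TTL=128 ID=4899 DF PROTO=TCP SPT=59416 DPT=8531 WINDOW=16211 ACK PSH URGP=0
Oct 20 21:44:33 kernel: __ratelimit: 10 messages suppressed
Oct 20 21:44:35 packet: nf_ct_tcp: invalid state SRC=10.0.15.208 DST=192.168.0.82 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1508 DF PROTO=TCP SPT=60893 DPT=8531 WINDOW=16425 ACK URGP=0
Oct 20 21:44:35 kernel: __ratelimit: 1 messages suppressed
"""

INVALID_RE = re.compile(r"nf_ct_tcp: invalid state (?P<fields>.+)$")
SUPPRESSED_RE = re.compile(r"__ratelimit: (?P<n>\d+) messages? suppressed")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_invalid(line):
    """Return the KEY=VALUE fields of an invalid-state line plus a sorted tuple
    of its TCP flags under 'FLAGS', or None for any other log line."""
    m = INVALID_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:
            flags.append(tok)
        # other bare tokens (DF, MF, ...) are IP-level and not needed here
    fields["FLAGS"] = tuple(sorted(flags))
    return fields


def classify(flags):
    """A non-SYN segment rejected as INVALID is a mid-stream packet for which
    conntrack holds no entry; a SYN would instead be opening a new flow."""
    return "handshake" if "SYN" in flags else "mid-stream (no conntrack entry)"


def summarize(log_text):
    """Count invalid-state hits per (DST, DPT, flags) and total the ratelimit
    'messages suppressed' counters. The suppressed figure counts every
    rate-limited kernel message, so treat it as an approximation."""
    flows = Counter()
    logged = suppressed = 0
    for line in log_text.splitlines():
        rec = parse_invalid(line)
        if rec:
            logged += 1
            flows[(rec["DST"], int(rec["DPT"]), rec["FLAGS"])] += 1
            continue
        m = SUPPRESSED_RE.search(line)
        if m:
            suppressed += int(m.group("n"))
    return {"flows": flows, "logged": logged, "suppressed": suppressed}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['logged']} logged, roughly {s['suppressed']} more hidden by __ratelimit")
    for (dst, dport, flags), n in s["flows"].most_common():
        print(f"{n:3d}  {dst}:{dport}  {' '.join(flags) or '-'}  {classify(flags)}")
```

Run against the lines in the thread, the summary groups all hits onto two destination ports (1270 and 8531 on the 192.168.0.0/24 side), all of them ACK or ACK/PSH segments with no SYN, and shows that the five lines that reached syslog stand in for roughly twenty rate-limited ones. A grouping like this is what to feed into a per-flow check (conntrack table size, whether both directions of the flow pass through the same device) rather than the raw log.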
Sorry, it's not instead of, that heading is the label for a checkbox which is so far to the right I couldn't see it.
The check box is unchecked.
If I'm reading this right:
|Packet Filter Rules|
Chain INPUT (policy DROP 0 packets, 0 bytes)
only one packet has tripped the custom rule while I have a great many recent invalid state messages in the log.