0 Replies Latest reply on Feb 15, 2010 9:28 PM by mark.emery

    Packets arriving on IPSec VPN are dropped as invalid on SG580

      SecureComputing/SG580 Version 3.1.6 -- Tue, 29 Jul 2008 18:01:19 +1000
      Linux version 2.4.31-uc0 (build@sgbuild) (gcc version 3.3.2) #1 Tue Jul 29 20:15:43 EST 2008

      Serial Number: 0601450691330590

       

      The remote SG580 is running V3.1.6 firmware also.

       

      Some packets that are correctly routed to a remote site over the VPN are being dropped as invalid.

      Entry in the SYSLOG:

       

      Feb 16 11:26:41 kernel: Invalid - dropped: IN=ipsec0 OUT=eth0.4 SRC=192.168.0.3 DST=10.0.15.10 LEN=88 TOS=0x00 PREC=0xC0 TTL=63 ID=53207 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.20.2.204 [SRC=10.0.15.10 DST=10.20.2.204 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11302 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=4352 ]
      Feb 16 11:55:06 kernel: Invalid - dropped: IN=ipsec0 OUT=eth0.4 SRC=192.168.0.3 DST=10.0.15.10 LEN=88 TOS=0x00 PREC=0xC0 TTL=63 ID=60403 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.0.8.10 [SRC=10.0.15.10 DST=10.0.8.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=23173 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=53760 ] 

      The SRC address in the packet is the SG580 LAN address of the remote end of the VPN. The DST address is the Domain Controller on the LAN where the packets are being dropped. The GATEWAY address is either a server at a remote branch or a workstation. The remote servers and workstations are expected to access the domain controller. Why would the packets be dropped as invalid?

       

      We have previously had a problem with these routers dropping lots of packets as invalid when they aren't. We have a custom rule, provided by technical support, that we manually add to these routers:

       

      iptables -I InvalidL -j RETURN

       

       

      Any clues as to how to prevent these packets being dropped?
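
Added example, not part of the original post and not vendor code: a small Python parser that decodes the two "Invalid - dropped" entries above, naming the outer ICMP message (type 5, code 1 is a host redirect in RFC 792) and the packet quoted inside the brackets. The function and field names (`describe`, `gateway_is_quoted_dst`, and so on) are assumptions made for this example.

```python
import re

# ICMP names from RFC 792, limited to what these log entries need.
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 5: "redirect", 8: "echo-request"}
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}

# The two syslog entries from the post, copied unchanged.
SAMPLE_LOG = [
    "Feb 16 11:26:41 kernel: Invalid - dropped: IN=ipsec0 OUT=eth0.4 SRC=192.168.0.3 DST=10.0.15.10 LEN=88 TOS=0x00 PREC=0xC0 TTL=63 ID=53207 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.20.2.204 [SRC=10.0.15.10 DST=10.20.2.204 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11302 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=4352 ]",
    "Feb 16 11:55:06 kernel: Invalid - dropped: IN=ipsec0 OUT=eth0.4 SRC=192.168.0.3 DST=10.0.15.10 LEN=88 TOS=0x00 PREC=0xC0 TTL=63 ID=60403 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=10.0.8.10 [SRC=10.0.15.10 DST=10.0.8.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=23173 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=53760 ]",
]

# timestamp, log prefix, outer header, optional bracketed (quoted) header
LINE = re.compile(r"^(?P<time>\w{3}\s+\d+\s[\d:]+) kernel: (?P<prefix>.*?): "
                  r"(?P<outer>[^\[]*)(?:\[(?P<inner>[^\]]*)\])?")

def fields(text):
    """KEY=VALUE pairs of one header; the first ID= is the IP ID, so first wins."""
    out = {}
    for key, value in re.findall(r"(\w+)=(\S*)", text or ""):
        out.setdefault(key, value)
    return out

def icmp_name(pkt):
    """Readable ICMP type, with the redirect code spelled out."""
    if pkt.get("PROTO") != "ICMP" or "TYPE" not in pkt:
        return pkt.get("PROTO", "?")
    t, c = int(pkt["TYPE"]), int(pkt.get("CODE", 0))
    name = ICMP_TYPES.get(t, f"type-{t}")
    return f"{name}/{REDIRECT_CODES.get(c, c)}" if t == 5 else name

def describe(line):
    """Summarise one dropped packet, or return None if the line is not a packet log entry."""
    m = LINE.match(line.strip())
    if not m or "SRC=" not in m["outer"]:
        return None
    outer, inner = fields(m["outer"]), fields(m["inner"])
    return {
        "time": m["time"], "prefix": m["prefix"],
        "sender": outer["SRC"], "receiver": outer["DST"],
        "icmp": icmp_name(outer), "gateway": outer.get("GATEWAY"),
        "quoted": f'{inner.get("SRC")} -> {inner.get("DST")} {icmp_name(inner)}' if inner else None,
        # True when the redirect names the quoted packet's own destination as next hop.
        "gateway_is_quoted_dst": bool(inner) and outer.get("GATEWAY") == inner.get("DST"),
    }

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(describe(entry))
```

For both entries the output shows a host redirect sent by 192.168.0.3 to 10.0.15.10, quoting an echo reply from 10.0.15.10, with the advertised gateway equal to the quoted packet's destination.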