7 Replies Latest reply on Oct 20, 2010 9:21 PM by mark.emery

    What does packet invalid state in SYSLOG mean?

      I get a lot of these messages in SYSLOG:

      Oct 20 21:44:21 packet[367]: nf_ct_tcp: invalid state SRC=10.0.15.227 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=13545 DF PROTO=TCP SPT=52936 DPT=1270 WINDOW=16425 ACK URGP=0 
      Oct 20 21:44:21 kernel: __ratelimit: 2 messages suppressed
      Oct 20 21:44:21 packet[367]: nf_ct_tcp: invalid state SRC=10.0.15.215 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=4527 DF PROTO=TCP SPT=59418 DPT=1270 WINDOW=16425 ACK URGP=0 
      Oct 20 21:44:24 packet[367]: nf_ct_tcp: invalid state SRC=10.0.15.12 DST=192.168.0.63 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=27523 DF PROTO=TCP SPT=56011 DPT=1270 WINDOW=515 ACK URGP=0 
      Oct 20 21:44:24 kernel: __ratelimit: 2 messages suppressed
      Oct 20 21:44:33 packet[367]: nf_ct_tcp: invalid state SRC=10.0.15.215 DST=192.168.0.82 LEN=365 TOS=0x00 PREC=0x00 TTL=128 ID=4899 DF PROTO=TCP SPT=59416 DPT=8531 WINDOW=16211 ACK PSH URGP=0 
      Oct 20 21:44:33 kernel: __ratelimit: 10 messages suppressed
      Oct 20 21:44:35 packet[367]: nf_ct_tcp: invalid state SRC=10.0.15.208 DST=192.168.0.82 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1508 DF PROTO=TCP SPT=60893 DPT=8531 WINDOW=16425 ACK URGP=0 
      Oct 20 21:44:35 kernel: __ratelimit: 1 messages suppressed

      I can tell these are Microsoft Operation Manager agents trying to report back to the server. The router is running McAfee/SG580 Version 4.0.6u3 firmware.

      The router also has a static route for 192.168.0.0/24 to be routed to 10.0.15.2, which is a different VPN router on the same subnet.

      I expected these invalid packets to be redirected to the other VPN router according to the static route in place.

      What is the invalid state referring to?

      Cheers,

      Mark.

      P.S. Due to the profound incompetence of the McAfee support folk, I am still not able to register for support for the new devices I have purchased for over a year now, despite reporting these problems to the McAfee support people on several occasions.

        • 1. Re: What does packet invalid state in SYSLOG mean?

          The packets may be invalid for a number of reasons.

          Being a stateful firewall, packets usually show up in this context due to the 'state' not being correct, possibly due to packet flow that is no longer valid, for example.

          You can bypass this invalid check with the following firewall -> packet filtering -> custom firewall rule

          iptables -I InvalidL -j RETURN

          if you need to test to see if this feature is causing an issue.

          • 2. Re: What does packet invalid state in SYSLOG mean?

            Thanks for the suggestion, I'll try it shortly. I've just upgraded firmware to V4.08 with no change in behaviour.

            Is the stateful inspection done before routing? I expected the static route to have redirected those packets before any inspection was done.

            Cheers.

            • 3. Re: What does packet invalid state in SYSLOG mean?

              Yes, the invalid check (like all packet filter checks) is done before routing.

              • 4. Re: What does packet invalid state in SYSLOG mean?

                That rule is already in the firewall custom rules.

                It is the only rule there and it says that these rules are instead of builtin rules.

                Cheers.

                • 5. Re: What does packet invalid state in SYSLOG mean?

                  It should NOT be instead of built-in rules.

                  • 6. Re: What does packet invalid state in SYSLOG mean?

                    Sorry, it's not "instead of"; that heading is the label for a checkbox which is so far to the right I couldn't see it.

                    The check box is unchecked.

                    If I'm reading this right:

                    Packet Filter Rules
                    Chain INPUT (policy DROP 0 packets, 0 bytes)
                     pkts bytes target     prot opt in     out     source               destination         
                       18   936 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
                        1    40 InvalidL   all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
                    11547 3993K EstabRel   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
                        0     0 PPPoEIn    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
                        1    40 WanIn      all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
                        0     0 PrivIn     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0           
                      678 72207 PrivIn     all  --  eth0.4 *       0.0.0.0/0            0.0.0.0/0           
                        0     0 PrivIn     all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0           
                        0     0 PrivIn     all  --  ipsec1 *       0.0.0.0/0            0.0.0.0/0           
                        0     0 DefDeny    all  --  *      *       0.0.0.0/0            0.0.0.0/0 

                    Only one packet has tripped the custom rule, while I have a great many recent invalid state messages in the log.

                    • 7. Re: What does packet invalid state in SYSLOG mean?

                      The packet counters reset when the rules are reloaded due to an interface going up/down, or when you select 'update' on the custom rules page.