tcp invalid connection state

Running: Firebox M440 on version 12.6.2. I just upgraded from version 12.5.2. I'm seeing a lot of denies that I didn't see before. Message is "tcp invalid connection state". However, I noticed that the message ID is 3000-0148. On my older firebox, that same ID corresponds with the message "Unhandled internal packet". Is this a change that was made in the newer versions or is there something else going on?

Thanks.

Comments

  • From the WatchGuard Log Catalog for 30000148:
    "Details of normal traffic either allowed or denied by the firewall policy specified in the log message"
    https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_6.pdf

    This is just another annoying, not useful log message that IMHO should not show up in Traffic Monitor, as there is no benefit to seeing it, there is nothing we can do to identify the cause, and there does not seem to be any impact to users.

  • We have been asking for a while for WatchGuard to give us the ability to turn off those utterly useless and misleading messages.

    Gregg Hill

  • FYI: I opened a case and was told this. I was told there is a difference between the Unhandled Packet message and the TCP connection state message. Basically, the unhandled message is reporting that there is no firewall policy for the communication shown. The TCP connection state message I was getting was a result of requests being sent out of the firewall but no reply was received back. I'm getting that message because we have an upstream firewall that was blocking that specific traffic.

  • I believe that "...was a result of requests being sent out of the firewall..." is incorrect because I get the messages from internal and external IP addresses.

    The common point of EVERY one of those messages is that the destination interface is ALWAYS "Firebox" even when the actual target of an internal policy is NOT the Firebox.

    Gregg Hill
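To make the two observations above checkable on your own logs, here is an added example (written for this page; it is not code from the thread, from WatchGuard, or from the Fireware product). It parses a handful of constructed traffic-log lines in an assumed Fireware-like layout, tallies the "tcp invalid connection state" denies by source interface, destination interface and flow, and also lists every message text that appears under a given msg_id, which is exactly the ambiguity the original poster ran into with 3000-0148. The sample lines, the field order and the policy name `HTTPS-proxy-00` are constructed for illustration; the parser anchors on the Allow/Deny keyword, the IP/port tuple and the `msg_id="..."` token rather than on fixed columns, so it should tolerate minor layout differences.

```python
import re
from collections import Counter

# Constructed sample lines (not real Firebox output). The layout is modelled on
# the Fireware traffic log, but the exact field positions are an assumption.
SAMPLE_LOG = """\
2021-03-01 10:00:01 Member1 Deny 1-Trusted Firebox 52 tcp 20 127 10.0.1.5 203.0.113.7 51234 443 offset 5 A 0 win 64240 msg_id="3000-0148" tcp invalid connection state
2021-03-01 10:00:02 Member1 Deny 0-External Firebox 52 tcp 20 127 198.51.100.9 203.0.113.2 40000 25 offset 5 A 0 win 8192 msg_id="3000-0148" tcp invalid connection state
2021-03-01 10:00:03 Member1 Deny 1-Trusted 0-External 52 tcp 20 127 10.0.1.8 203.0.113.7 51235 443 offset 5 S 0 win 64240 msg_id="3000-0148" Unhandled Internal Packet-00
2021-03-01 10:00:04 Member1 Allow 1-Trusted 0-External 52 tcp 20 127 10.0.1.5 203.0.113.7 51236 443 offset 5 S 0 win 64240 msg_id="3000-0148" Allowed (HTTPS-proxy-00)
2021-03-01 10:00:05 Member1 Deny 1-Trusted Firebox 52 tcp 20 127 10.0.1.5 203.0.113.7 51234 443 offset 5 A 0 win 64240 msg_id="3000-0148" tcp invalid connection state
"""

# Anchor on stable tokens: action keyword, the two interface names that follow
# it, the src/dst IP + port tuple, and the quoted msg_id; the rest is free text.
LINE_RE = re.compile(
    r"(?P<action>Allow|Deny)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+\d+\s+(?P<proto>\w+)\s+.*?"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src_port>\d+)\s+(?P<dst_port>\d+)"
    r".*?msg_id=\"(?P<msg_id>[^\"]+)\"\s*(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict of the fields we care about, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["msg"] = rec["msg"].strip()
    return rec


def messages_for_id(log_text, msg_id):
    """Count the distinct message texts logged under one msg_id.

    Shows whether a single ID (e.g. 3000-0148) is carrying several different
    human-readable messages, as the original poster observed across versions."""
    return Counter(
        r["msg"]
        for r in (parse_line(l) for l in log_text.splitlines())
        if r and r["msg_id"] == msg_id
    )


def summarize(log_text, msg_id="3000-0148", msg_text="tcp invalid connection state"):
    """Tally Deny lines with the given msg_id and message text.

    by_src_if tells you whether they come only from inside (the 'requests sent
    out of the firewall' explanation) or from both sides; by_dst_if and
    all_to_firebox test the claim that the destination interface is always
    'Firebox'; by_flow surfaces the noisiest src/dst/port triples."""
    hits = [
        r
        for r in (parse_line(l) for l in log_text.splitlines())
        if r and r["action"] == "Deny" and r["msg_id"] == msg_id and msg_text in r["msg"]
    ]
    return {
        "total": len(hits),
        "by_src_if": Counter(r["src_if"] for r in hits),
        "by_dst_if": Counter(r["dst_if"] for r in hits),
        "by_flow": Counter((r["src_ip"], r["dst_ip"], r["dst_port"]) for r in hits),
        "all_to_firebox": bool(hits) and all(r["dst_if"] == "Firebox" for r in hits),
    }


if __name__ == "__main__":
    # Swap SAMPLE_LOG for open("traffic.log").read() to run this on an exported log.
    print("message texts under 3000-0148:", dict(messages_for_id(SAMPLE_LOG, "3000-0148")))
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, all three "tcp invalid connection state" denies have `Firebox` as the destination interface while their sources span both 1-Trusted and 0-External, which is the pattern the last comment describes; on a real export, a non-zero count of other destination interfaces, or a single dominant flow in `by_flow`, is the first thing to chase before opening a case.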