TCP Invalid connection state
Using Firebox M440 version 12.6.2. I'm seeing a lot of "tcp invalid connection state" messages in my traffic monitor. Are these important? This firewall is not for internet traffic; it is firewalling our internal subnets. Here are a couple of samples. In the first one, the destination is external and the port is 443. In the second one, it's internal Windows traffic going from one subnet to another:
2020-12-18 08:38:40 FireboxM440Primary Deny 10.x.x.x 18.214.41.116 https/tcp 44170 443 Datacenter Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 43179066 win 0" Traffic
2020-12-18 08:28:24 FireboxM440Primary Deny 10.x.15.x. 10.x.13.x 51281/tcp 445 51281 Loans Bookkeeping tcp invalid connection state 40 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2049075505 win 0" Traffic
Thanks,
Mike
Comments
Sometimes these are reply packets, such as the second one, which looks like a reply packet for TCP 445 (SMB, Microsoft Networking).
Review this topic:
tcp invalid connection state
https://community.watchguard.com/watchguard-community/discussion/1256/tcp-invalid-connection-state
Ha! It was already answered by my own previous post. Must be getting old. Forgetting things. Thanks Bruce.
Yes, they are still utterly useless messages and they appear a lot for systems that are working 100% normally.
The common point of EVERY one of those messages is that the destination interface is ALWAYS "Firebox" even when the actual target of an internal policy is NOT "Firebox."
Gregg Hill
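Parsing the two log lines quoted in the question and labelling the denies, as an added example that is not from this thread or from WatchGuard: the positional field layout and the reading of tcp_info (R taken as the RST flag, the last number as the window) are assumptions inferred from the two samples, and the "reply direction" rule is the port heuristic from the first comment (well-known source port such as 445, ephemeral destination port).

```python
import re
from collections import Counter
# Positional layout of a Firebox traffic-monitor line, as in the two posted samples.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<msg>.+?) (?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\) (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# tcp_info="offset 5 R 43179066 win 0": header offset, flag letters, sequence, window
TCP_INFO_RE = re.compile(r"offset (\d+) (\S+) (\d+) win (\d+)")

# The two lines quoted in the question (addresses anonymised there with 'x').
SAMPLE_LINES = [
    '2020-12-18 08:38:40 FireboxM440Primary Deny 10.x.x.x 18.214.41.116 https/tcp 44170 443 '
    'Datacenter Firebox tcp invalid connection state 40 64 (Internal Policy) proc_id="firewall" '
    'rc="101" msg_id="3000-0148" tcp_info="offset 5 R 43179066 win 0" Traffic',
    '2020-12-18 08:28:24 FireboxM440Primary Deny 10.x.15.x. 10.x.13.x 51281/tcp 445 51281 '
    'Loans Bookkeeping tcp invalid connection state 40 128 (Internal Policy) proc_id="firewall" '
    'rc="101" msg_id="3000-0148" tcp_info="offset 5 R 2049075505 win 0" Traffic',
]

def parse_firebox_line(line: str):
    """Split one line into named fields; returns None if the layout differs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("rest")))  # proc_id, rc, msg_id, tcp_info ...
    ti = TCP_INFO_RE.search(rec.get("tcp_info", ""))
    if ti:
        rec["tcp_flags"], rec["tcp_win"] = ti.group(2), int(ti.group(4))
    return rec

def triage(rec: dict) -> str:
    """Label an 'invalid connection state' deny; anything else is 'other'."""
    if rec["action"] != "Deny" or rec["msg"] != "tcp invalid connection state":
        return "other"
    # R = RST. A zero-window reset carries no data and matches no tracked flow,
    # which is how both posted samples look. A well-known source port with an
    # ephemeral destination port means the reply direction (sample 2: SMB/445).
    if "R" in rec.get("tcp_flags", "") and rec.get("tcp_win") == 0:
        if int(rec["sport"]) < 1024 <= int(rec["dport"]):
            return "stray-rst-reply"
        return "stray-rst"
    return "invalid-state-other"

def summarize(lines) -> dict:
    """Count triage labels over a batch of lines, for a quick noise check."""
    recs = [parse_firebox_line(ln) for ln in lines]
    return dict(Counter(triage(r) if r else "unparsed" for r in recs))
```

Run `summarize()` over a traffic-monitor export to see what share of the denies are bare resets before deciding whether any of them deserve a closer look.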