TCP SYN checking exception
Is there a way to create an exception rule for TCP SYN packet and connection state verification?
I am having a problem with two systems that function as system log aggregators and have persistent connections over a BOVPN. When that VPN rekeys or drops for a moment, all traffic continues over the BOVPN as expected except these two log aggregators. These servers each have a single NIC with a single IP. Rebooting these servers is not always possible. The only solution I have is to stop the log collection service for an hour and then restart it.
The Watchguard blocks traffic to the source IP with the following reason:
FWDeny
tcp invalid connection state
pri=4
disp=Deny
policy=Internal-Policy
protocol=xxx/tcp
src_ip=xx.xx.xx.xx
src_port=443
dst_ip=xx.xx.xx.xx
dst_port=xxx
src_intf=External
dst_intf=Firebox
rc=101
pckt_len=40
ttl=127
pr_info=offset 5 AF 2760075664 win 128
3000-0148
Comments
You can unselect the Global setting of "Enable TCP SYN packet and connection state verification"
It may not help your issue.
See: Configure TCP Settings, here:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html
And, you should not need to have the log servers stopped for that long.
You can change the timeout value on the policy used to allow these packets over the BOVPN via the Custom Timeout setting.
Thank you. I will try and see what happens next time.
Keep in mind that the "tcp invalid connection state" errors MAY be a red herring.
I always set the Global setting of "Enable TCP SYN packet and connection state verification" OFF.
I see those "tcp invalid connection state" errors a LOT ever since a firmware release several months ago. The target is ALWAYS "dst_intf=Firebox" just as your log shows and the devices showing those errors ALWAYS are working normally.
These error messages are interspersed with the successful Allow messages that show the connections to the actual target IP addresses are working.
Gregg Hill
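To apply the check described in the comments above to your own Firebox logs (are the "tcp invalid connection state" denies aimed at dst_intf=Firebox and interspersed with Allow entries from the same source, or are they blocking a real destination?), here is an added Python example. It is not from the thread, from WatchGuard, or from any poster; it parses log lines in the key=value field layout shown in the question. The sample lines, the policy names (Internal-Policy, Syslog-BOVPN) and the documentation-range IP addresses are constructed for the example, and the "red herring" / "stale state" verdict labels are this script's own.

```python
import re
from collections import Counter, defaultdict

# Constructed Firebox-style traffic log lines in the key=value layout shown in the
# question. These are made-up samples, not real captures; IPs are documentation ranges.
SAMPLE_LOGS = """\
disp=Deny msg="tcp invalid connection state" policy=Internal-Policy protocol=443/tcp src_ip=203.0.113.7 src_port=443 dst_ip=198.51.100.2 dst_port=51514 src_intf=External dst_intf=Firebox rc=101 msg_id=3000-0148
disp=Allow policy=Internal-Policy protocol=443/tcp src_ip=203.0.113.7 src_port=443 dst_ip=192.0.2.20 dst_port=51514 src_intf=External dst_intf=Trusted
disp=Deny msg="tcp invalid connection state" policy=Internal-Policy protocol=443/tcp src_ip=203.0.113.7 src_port=443 dst_ip=198.51.100.2 dst_port=51515 src_intf=External dst_intf=Firebox rc=101 msg_id=3000-0148
disp=Allow policy=Internal-Policy protocol=443/tcp src_ip=203.0.113.7 src_port=443 dst_ip=192.0.2.20 dst_port=51515 src_intf=External dst_intf=Trusted
disp=Deny msg="tcp invalid connection state" policy=Syslog-BOVPN protocol=514/tcp src_ip=203.0.113.9 src_port=514 dst_ip=192.0.2.30 dst_port=40001 src_intf=External dst_intf=Trusted rc=101 msg_id=3000-0148
disp=Deny msg="tcp invalid connection state" policy=Syslog-BOVPN protocol=514/tcp src_ip=203.0.113.9 src_port=514 dst_ip=192.0.2.30 dst_port=40001 src_intf=External dst_intf=Trusted rc=101 msg_id=3000-0148
"""

INVALID_STATE = "tcp invalid connection state"

# key=value pairs; a quoted value may contain spaces (used here for the msg field)
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def parse_logs(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def invalid_state_denies(records):
    """Only the Deny records whose reason is 'tcp invalid connection state'."""
    return [r for r in records
            if r.get("disp") == "Deny" and r.get("msg") == INVALID_STATE]


def denies_by_dst_intf(records):
    """Count invalid-state denies per destination interface (Firebox vs. a real network)."""
    return Counter(r.get("dst_intf", "?") for r in invalid_state_denies(records))


def classify_sources(records):
    """Per source IP, decide what the invalid-state denies mean (labels are this script's).

    'likely red herring'         : every deny targets the Firebox itself AND the same
                                   source also has Allow entries, i.e. its real traffic
                                   is still flowing (the pattern described in the thread).
    'stale state, traffic blocked': denies target a real interface and no Allow is seen
                                   from that source, i.e. the connection really is stuck.
    'inconclusive'               : anything else; look at the raw lines.
    """
    allowed_sources = {r["src_ip"] for r in records
                       if r.get("disp") == "Allow" and "src_ip" in r}
    denies = defaultdict(list)
    for r in invalid_state_denies(records):
        denies[r.get("src_ip", "?")].append(r)

    verdicts = {}
    for src, rs in denies.items():
        only_firebox = all(r.get("dst_intf") == "Firebox" for r in rs)
        if only_firebox and src in allowed_sources:
            verdicts[src] = "likely red herring"
        elif not only_firebox and src not in allowed_sources:
            verdicts[src] = "stale state, traffic blocked"
        else:
            verdicts[src] = "inconclusive"
    return verdicts


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    print("invalid-state denies by dst_intf:", dict(denies_by_dst_intf(records)))
    for src, verdict in classify_sources(records).items():
        print(f"{src}: {verdict}")
```

Feed it a real export (one record per line in the same key=value form) in place of SAMPLE_LOGS. A source whose denies all hit dst_intf=Firebox while its Allow lines keep appearing matches the harmless pattern described above; a source with denies to a real interface and no Allows is the stuck log-aggregator case, where the policy's Custom Timeout or the global SYN checking setting is what to look at.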