We recently configured our Netvanta 3200 as follows:
Since then, we’ve noticed three reoccurring log entries which we were hoping you could help us understand. The one that has us most puzzled is the “Connection timed out” entry which seems to occur about every 15 minutes, but not exactly. The other two happen less frequently. We’d like to know what they mean and what is causing them:
2012.02.24 10:38:17 FIREWALL id=firewall time="2012-02-24 10:38:17" fw=Adtran3200 pri=6 rule=1 proto=42834/icmp src=xx.xxx.136.125 dst=xxx.xxx.134.158 msg="Service access request successful ICMP Type: 8 Code: 0 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:40:49 FIREWALL id=firewall time="2012-02-24 11:40:49" fw=Adtran3200 pri=6 rule=1 proto=15714/icmp src=xx.xxx.136.125 dst=xxx.xxx.134.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:02:25 FIREWALL id=firewall time="2012-02-24 11:02:25" fw=Adtran3200 pri=6 rule=1 proto=https src=xxx.xxx.113.83 dst=xxx.xxx.134.158 msg="Connection closed.Bytes transferred : 3326 Src 51522 Dst 443 from default policy-class on interface fr 1.500" agent=AdFirewall
Your help is greatly appreciated!
Asteriskuser,
Firewall messages are displayed any time an Adtran router drops a packet or a special firewall event occurs. These will pop up in many situations as there are common mis-configurations on user units that can cause malformed packets that our firewall will get rid of. It will obviously also drop packets it feels are malicious.
The first message is an ICMP message of type 8, which is an echo reply. The firewall is simply stating here that it received an echo reply from something that it didn't see an echo request from. This is a common message.
The second is a "connection timeout message" which will happen when a session is dropped for some reason or becomes idle for too long. This, since it shows protocol ICMP, could have been a ping that was sent out opening a session, the response never came, and so the firewall shut down the session so that an illegitimate packet could not be matched to it.
The third message is a "connection closed" message. This will happen when the firewall closes a session on its own. It can do this for many reasons, being it feels that the session is done, neither side is responding anymore, or something in the session like source and destination IPs don't match.
These are all common messages and I would not be concerned with them unless you are actually having network problems, or the same IPs frequently show up in messages. If they do, you may want to check those devices for possible security breaches.
Thanks,
Evan
Adtran TSE
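To act on the advice above about watching for the same IPs showing up frequently, the following added example (not part of the original thread and not Adtran code) parses log lines in the format shown in the question, counts events per source address, and reports the spacing between "Connection timed out" entries. The sample lines are constructed with documentation-range addresses, and the function names and the `min_events` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format shown in the question; the addresses
# come from documentation ranges and are not taken from the original post.
SAMPLE = '''\
2012.02.24 10:38:17 FIREWALL id=firewall time="2012-02-24 10:38:17" fw=Adtran3200 pri=6 rule=1 proto=42834/icmp src=192.0.2.125 dst=198.51.100.158 msg="Service access request successful ICMP Type: 8 Code: 0 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 10:40:49 FIREWALL id=firewall time="2012-02-24 10:40:49" fw=Adtran3200 pri=6 rule=1 proto=15714/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 10:55:51 FIREWALL id=firewall time="2012-02-24 10:55:51" fw=Adtran3200 pri=6 rule=1 proto=15715/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:10:47 FIREWALL id=firewall time="2012-02-24 11:10:47" fw=Adtran3200 pri=6 rule=1 proto=15716/icmp src=192.0.2.125 dst=198.51.100.158 msg="Connection timed out.Bytes transferred : 112 from default policy-class on interface fr 1.500" agent=AdFirewall
2012.02.24 11:02:25 FIREWALL id=firewall time="2012-02-24 11:02:25" fw=Adtran3200 pri=6 rule=1 proto=https src=203.0.113.83 dst=198.51.100.158 msg="Connection closed.Bytes transferred : 3326 Src 51522 Dst 443 from default policy-class on interface fr 1.500" agent=AdFirewall
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"
BYTES = re.compile(r"Bytes transferred : (\d+)")
EVENTS = ("Service access request successful", "Connection timed out", "Connection closed")

def parse_line(line):
    """Turn one firewall log line into a dict, or return None if it is not one."""
    f = {k: q or v for k, q, v in FIELD.findall(line)}
    if f.get("id") != "firewall" or not {"msg", "time"} <= f.keys():
        return None
    msg, m = f["msg"], BYTES.search(f["msg"])
    return {
        "time": datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S"),
        "src": f.get("src"), "proto": f.get("proto", "").split("/")[-1],
        "event": next((e for e in EVENTS if msg.startswith(e)), "other"),
        "bytes": int(m.group(1)) if m else None,
    }

def repeat_sources(lines, min_events=3):
    """Report sources seen at least min_events times, with gaps between their timeouts."""
    per_src, timeouts = defaultdict(Counter), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_src[rec["src"]][rec["event"]] += 1
        if rec["event"] == "Connection timed out":
            timeouts[rec["src"]].append(rec["time"])
    report = {}
    for src, events in per_src.items():
        if sum(events.values()) >= min_events:
            ts = sorted(timeouts[src])
            gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            report[src] = {"events": dict(events), "timeout_gaps_s": gaps}
    return report

if __name__ == "__main__":
    for src, info in repeat_sources(SAMPLE.splitlines()).items():
        print(src, info)
```

Near-constant timeout gaps from one source, like the roughly 15-minute spacing described in the question, usually point to a scheduled probe or monitor, which makes that source address the first device to identify.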
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor