I'm receiving these firewall messages every few seconds and I'm trying to figure out why. I've seen other posts reference stateless processing as a fix, but I've tried this to no avail. I'm also pretty confident that it's not a virus. Anyone have any suggestions?
51" fw=Adtran_3430 pri=1 proto=https src=192.168.1.169 dst=108.160.162.53 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 64266 Dst 443 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:10:50 FIREWALL id=firewall time="2013-06-07 10:10:50" fw=Adtran_3430 pri=1 proto=5223/tcp src=192.168.1.213 dst=17.149.36.172 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x18 Src 61742 Dst 5223 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:11:29 FIREWALL id=firewall time="2013-06-07 10:11:29" fw=Adtran_3430 pri=1 rule=4 proto=49539/tcp src=74.125.228.64 dst=152.179.138.106 msg="Invalid sequence number received with RST, dropping packet, seq=275857728, high=275785625 Src 80 Dst 49539 from Public policy-class on interface eth 0/1" agent=AdFirewall |
2013.06.07 10:11:59 FIREWALL id=firewall time="2013-06-07 10:11:59" fw=Adtran_3430 pri=1 proto=https src=192.168.1.195 dst=17.146.233.10 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x19 Src 63138 Dst 443 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:12:37 FIREWALL id=firewall time="2013-06-07 10:12:37" fw=Adtran_3430 pri=1 proto=http src=192.168.1.230 dst=74.121.139.110 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 58169 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:12:45 FIREWALL id=firewall time="2013-06-07 10:12:45" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.173 dst=204.95.24.153 msg="Zero bytes transferred for connection Src 56423 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:12:59 FIREWALL id=firewall time="2013-06-07 10:12:59" fw=Adtran_3430 pri=1 rule=4 proto=32264/tcp src=192.168.1.230 dst=99.89.177.57 msg="Zero bytes transferred for connection Src 53697 Dst 32264 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:13:20 FIREWALL id=firewall time="2013-06-07 10:13:20" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.244 dst=168.143.241.56 msg="Zero bytes transferred for connection Src 60512 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:14:02 FIREWALL id=firewall time="2013-06-07 10:14:02" fw=Adtran_3430 pri=1 rule=4 proto=https src=192.168.1.216 dst=17.172.232.67 msg="Zero bytes transferred for connection Src 49999 Dst 443 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:14:30 FIREWALL id=firewall time="2013-06-07 10:14:30" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.244 dst=23.11.129.224 msg="Zero bytes transferred for connection Src 60540 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:15:09 FIREWALL id=firewall time="2013-06-07 10:15:09" fw=Adtran_3430 pri=1 proto=62784/tcp src=17.172.232.63 dst=152.179.138.106 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 5223 Dst 62784 from Public policy-class on interface eth 0/1" agent=AdFirewall |
2013.06.07 10:16:01 FIREWALL id=firewall time="2013-06-07 10:16:01" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.230 dst=23.23.227.93 msg="Zero bytes transferred for connection Src 53968 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:16:35 FIREWALL id=firewall time="2013-06-07 10:16:35" fw=Adtran_3430 pri=1 proto=http src=192.168.1.230 dst=98.139.225.43 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 53845 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:17:11 FIREWALL id=firewall time="2013-06-07 10:17:11" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.173 dst=199.27.72.192 msg="Zero bytes transferred for connection Src 56735 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:17:55 FIREWALL id=firewall time="2013-06-07 10:17:55" fw=Adtran_3430 pri=1 proto=http src=192.168.1.230 dst=74.121.139.110 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 58169 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:18:28 FIREWALL id=firewall time="2013-06-07 10:18:28" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.173 dst=66.119.33.141 msg="Zero bytes transferred for connection Src 56786 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:19:04 FIREWALL id=firewall time="2013-06-07 10:19:04" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.173 dst=54.225.150.190 msg="Zero bytes transferred for connection Src 56866 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:19:32 FIREWALL id=firewall time="2013-06-07 10:19:32" fw=Adtran_3430 pri=1 rule=4 proto=13737/tcp src=192.168.1.215 dst=66.31.142.238 msg="Zero bytes transferred for connection Src 50713 Dst 13737 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:19:58 FIREWALL id=firewall time="2013-06-07 10:19:58" fw=Adtran_3430 pri=1 rule=4 proto=56345/tcp src=93.184.216.139 dst=152.179.138.106 msg="Invalid sequence number received with RST, dropping packet, seq=421122027, high=421042894 Src 443 Dst 56345 from Public policy-class on interface eth 0/1" agent=AdFirewall |
2013.06.07 10:20:28 FIREWALL id=firewall time="2013-06-07 10:20:28" fw=Adtran_3430 pri=1 rule=4 proto=https src=192.168.1.173 dst=54.240.160.17 msg="Zero bytes transferred for connection Src 56922 Dst 443 from Private policy-class on interface eth 0/2" agent=AdFirewall |
2013.06.07 10:21:03 FIREWALL id=firewall time="2013-06-07 10:21:03" fw=Adtran_3430 pri=1 rule=4 proto=17048/tcp src=192.168.1.230 dst=24.61.43.145 msg="Zero bytes transferred for connection Src 54414 Dst 17048 from Private policy-class on interface eth 0/2" agent=AdFirewall |
Thank you for replying with the interface statistics. There doesn't appear to be any errors on the interfaces.
Previously, you mentioned that you didn't think there was a virus on the network, but one of the firewall messages is indicating the possibility of a virus or a port scanner. Please, see the following output from the Configuring the Firewall (IPv4) in AOS:
Zero bytes transferred for connection
Short Definition: Connection with no data
Description: Indicates that an association has been created and has timed out without any data being observed for that connection. This threat can be caused by a port scan. An attacker could send a TCP SYN message to many ports in order to determine whether there are any services listening on those ports with the intention of exploiting those services.
Port scans can be prevented or limited in several ways:
Levi
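As an added example (not code from the thread or from Adtran), here is a small Python parser for the AdFirewall key=value lines quoted above. It profiles the "Zero bytes transferred" events per source host so an admin can tell the scan pattern described in the AOS excerpt (one host, many destination ports) from ordinary browsing (many destinations on 80/443 that simply timed out idle). The 192.168.1.250 burst, the 198.51.100.7 destination and the ten-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PORTS_RE = re.compile(r'Src (\d+) Dst (\d+)')
KIND_RE = re.compile(r'^(.*?)(?:[;,] (?:flags|seq)=| Src \d)')

def parse_line(line):
    """Key=value fields of one AdFirewall line, plus the message kind and the
    Src/Dst ports that AOS embeds inside the msg text."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    msg = f.get("msg", "")
    kind, ports = KIND_RE.match(msg), PORTS_RE.search(msg)
    f["kind"] = kind.group(1) if kind else msg
    f["sport"] = int(ports.group(1)) if ports else None
    f["dport"] = int(ports.group(2)) if ports else None
    return f

def zero_byte_profile(lines):
    """Per source host: idle-connection count, distinct destinations, distinct ports."""
    prof = defaultdict(lambda: {"count": 0, "dsts": set(), "dports": set()})
    for f in map(parse_line, lines):
        if f["kind"] == "Zero bytes transferred for connection":
            p = prof[f["src"]]
            p["count"] += 1
            p["dsts"].add(f["dst"])
            p["dports"].add(f["dport"])
    return prof

def classify(lines, min_ports=10):
    """Many ports on few destinations is the scan pattern the AOS guide warns
    about; many destinations on 80/443 is browsing where the server sent nothing
    before the association timed out. The min_ports threshold is an assumption."""
    return {
        src: "possible port scan"
        if len(p["dports"]) >= min_ports and len(p["dports"]) > len(p["dsts"])
        else "idle web connections"
        for src, p in zero_byte_profile(lines).items()
    }

# Sample input: three lines quoted from the thread above plus a constructed burst
# from a hypothetical host 192.168.1.250 probing twelve ports on 198.51.100.7
# (a documentation address, not a real host).
SAMPLE = [
    '2013.06.07 10:12:45 FIREWALL id=firewall time="2013-06-07 10:12:45" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.173 dst=204.95.24.153 msg="Zero bytes transferred for connection Src 56423 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall',
    '2013.06.07 10:17:11 FIREWALL id=firewall time="2013-06-07 10:17:11" fw=Adtran_3430 pri=1 rule=4 proto=http src=192.168.1.173 dst=199.27.72.192 msg="Zero bytes transferred for connection Src 56735 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall',
    '2013.06.07 10:16:35 FIREWALL id=firewall time="2013-06-07 10:16:35" fw=Adtran_3430 pri=1 proto=http src=192.168.1.230 dst=98.139.225.43 msg="TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=0x11 Src 53845 Dst 80 from Private policy-class on interface eth 0/2" agent=AdFirewall',
] + [
    f'2013.06.07 10:30:{i:02d} FIREWALL id=firewall time="2013-06-07 10:30:{i:02d}" fw=Adtran_3430 pri=1 rule=4 proto={20 + i}/tcp src=192.168.1.250 dst=198.51.100.7 msg="Zero bytes transferred for connection Src {40000 + i} Dst {20 + i} from Private policy-class on interface eth 0/2" agent=AdFirewall'
    for i in range(1, 13)
]
```

Running `classify(SAMPLE)` labels 192.168.1.173 as idle web connections and the constructed 192.168.1.250 burst as a possible port scan; the SYN/ACK drop from 192.168.1.230 is a different message kind and is not counted.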
Thank you for asking this question in the Support Community. After reviewing the event messages you posted above, I think this question has been answered previously in the following post: https://supportforums.adtran.com/message/8052#8052
Please, review that post and let me know if you still have further questions. I will be happy to assist you in any way I can.
Levi
I checked out the other thread, and I have the Firewall config document and know I can disable certain attack checking. If it was logging every few minutes, I'd be tempted not to worry about it. But the frequency of the dropped packets is bothering me and makes me think that there is some sort of config error. Our network functions pretty well, but I've noticed a certain number of requests don't seem to resolve properly and seem to correspond to the logs.
The configuration you attached appears to be a basic firewall configuration, and I do not see any settings that are incorrect and need to be modified on the firewall. One setting you could implement to optimize the firewall configuration is the ip firewall stealth command. The ip firewall stealth command is used to disable Internet Protocol version 4 (IPv4) Transmission Control Protocol (TCP) reset for denied IPv4 firewall associations. The stealth setting allows the route to be invisible as a route hop to associated devices. I do not believe this will eliminate the errors, but it is something that could provide additional security.
Finally, since you mentioned that requests don't resolve, it might be related to errors on the interface. I noticed that you have the Internet port (eth 0/1) hardset to speed 100. Are you certain the other end of that connection is hardset to 100/Full duplex as well? If you would like to reply with the output of the show interface command, I will be happy to review it for you.
Here is a post on port speed negotiations: https://supportforums.adtran.com/message/5310#5310
Levi
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi