D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: Lavdd on December 30, 2009, 02:58:36 AM
-
Please explain what this is and how to get rid of it
2009-12-30 13:57:36 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.191 74.125.43.103 57441 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1 fin=1
and
2009-12-30 13:57:34 Notice TCP_OPT 3400005 TCPMSSLogLevel TCP wan 213.180.204.131 (wan IP) 80 30573 tcp_mss_above_log_level log tcpopt=2 mss=8910 mssloglevel=7000 ipdatalen=24 tcphdrlen=24 syn=1 ack=1
-
The D-Link NetDefend Security Center at http://security.dlink.com.tw has a log manual that will explain any log entries you are unsure of.
In this case I believe we are looking at an SPI drop and an MSS error.
-
Well
Error in TCP open flag - is there a reason to look through such errors, or could they just not be logged?
As for MSS, it looks like there is no adequate case for MSS to be high, so it could just not be logged.
-
System -> Advanced Settings -> IP Settings tends to be where the log settings are for errors such as these.
I would be very interested in the quantity of the first error from particular hosts (a pattern might represent a scan or attack to be aware of, or a piece of benign software on your network that you will need to make adjustments for).
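The per-host count suggested above is easy to get from an exported log. The script below is an added example, not D-Link or Clavister code: it parses lines in the one-line column order of the entries quoted in this thread (date, time, severity, category, id, rule, proto, receiving interface, src, dst, src port, dst port, event, action, then key=value parameters), counts LogOpenFails events per source host, and separates packets that carry ACK/FIN/RST without SYN (the "endpoint kept talking after the firewall timed the session out" case) from anything else. The sample lines, the review thresholds and the 198.51.100.7 address standing in for the redacted WAN IP are all constructed for the example.

```python
"""Summarise NetDefend-style LogOpenFails events per LAN host (added example)."""
from collections import defaultdict

# Constructed sample entries in one-line form; only the first and last lines
# mirror the entries quoted in the thread, the rest are made up for the demo.
SAMPLE_LOG = """\
2009-12-30 13:57:36 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.191 74.125.43.103 57441 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1 fin=1
2009-12-30 13:58:02 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.191 74.125.43.103 57441 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1
2009-12-30 13:58:10 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.55 203.0.113.10 40001 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1 fin=1
2009-12-30 13:58:11 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.55 203.0.113.11 40002 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1 rst=1
2009-12-30 13:58:12 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.55 203.0.113.12 40003 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1
2009-12-30 13:58:13 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.55 203.0.113.13 40004 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20
2009-12-30 13:57:34 Notice TCP_OPT 3400005 TCPMSSLogLevel TCP wan 213.180.204.131 198.51.100.7 80 30573 tcp_mss_above_log_level log tcpopt=2 mss=8910 mssloglevel=7000 ipdatalen=24 tcphdrlen=24 syn=1 ack=1
"""

FIXED_FIELDS = ("date", "time", "severity", "category", "id", "rule", "proto",
                "iface", "src", "dst", "sport", "dport", "event", "action")


def parse_line(line):
    """Split one log line into a dict; trailing key=value tokens go under 'params'."""
    tokens = line.split()
    if len(tokens) < len(FIXED_FIELDS):
        return None
    entry = dict(zip(FIXED_FIELDS, tokens))
    params = {}
    for tok in tokens[len(FIXED_FIELDS):]:
        key, sep, value = tok.partition("=")
        params[key] = value if sep else "1"  # a bare token is treated as a set flag
    entry["params"] = params
    return entry


def parse_log(text):
    """Parse every non-empty line, skipping anything too short to be an entry."""
    entries = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in entries if e is not None]


def tcp_flags(entry):
    return {f for f in ("syn", "ack", "fin", "rst") if entry["params"].get(f) == "1"}


def classify_open_fail(entry):
    """ACK/FIN/RST without SYN on an unknown connection matches the timed-out
    session case from the Clavister log manual; anything else is 'other'."""
    flags = tcp_flags(entry)
    if "syn" not in flags and flags & {"ack", "fin", "rst"}:
        return "stale_session"
    return "other"


def summarize_open_fails(entries):
    """Per source host: total count, distinct destinations, and the split above."""
    per_host = defaultdict(lambda: {"count": 0, "dst": set(), "stale_session": 0, "other": 0})
    for e in entries:
        if e["event"] != "no_new_conn_for_this_packet":
            continue
        h = per_host[e["src"]]
        h["count"] += 1
        h["dst"].add(e["dst"])
        h[classify_open_fail(e)] += 1
    return {src: {"count": h["count"], "distinct_dst": len(h["dst"]),
                  "stale_session": h["stale_session"], "other": h["other"]}
            for src, h in per_host.items()}


def hosts_to_review(summary, min_count=3, min_distinct_dst=3):
    """Hosts whose volume and destination spread stand out from the usual
    one-per-browser-session stragglers. Thresholds are assumptions; tune them
    to the rate your network normally produces."""
    return sorted(src for src, s in summary.items()
                  if s["count"] >= min_count and s["distinct_dst"] >= min_distinct_dst)


def mss_events(entries):
    """(src, mss, mssloglevel) for TCPMSSLogLevel notices, to see how far the
    advertised MSS sits above the configured log level."""
    return [(e["src"], int(e["params"]["mss"]), int(e["params"]["mssloglevel"]))
            for e in entries if e["event"] == "tcp_mss_above_log_level"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    summary = summarize_open_fails(parsed)
    for src, s in sorted(summary.items()):
        print(src, s)
    print("hosts to review:", hosts_to_review(summary))
    print("MSS notices:", mss_events(parsed))
```

On real data, run it over the exported log instead of `SAMPLE_LOG`; a host whose events are almost all `stale_session` against a handful of web servers is the timed-out-connection pattern the later posts describe, while a host spread across many destinations with no ACK set is the one worth looking at more closely.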
-
Thanks for the help.
It looks like the error in TCP open flag happens all the time from all hosts (even from my own) during internet surfing (with destination port 80); that's why I think there is some configuration error. I still can't figure it out. Do you see the same when you have people browsing the internet?
-
No, I don't. It bears some looking into, that is for sure.
-
I have a similar problem. The no_new_conn_for_this_packet warning appears from some computers at irregular intervals (I have more or less 200 messages per hour, with 100 computers browsing the internet).
http://forums.dlink.com/index.php?PHPSESSID=703296aabdd827a232735c76dc00ca08&topic=10349.0
-
"These events occur quite frequently, most often due to the firewall timing out a connection and one of the end points continuing to send data after the connection has been closed."
http://www.clavister.com/manuals/ver8x/manual/logging/what_is_logged_from_clavister_firewall_.htm
Looks like it's about the Conn. Timeout Settings under Advanced Settings.
Please share your experience on this matter.
What timeouts do you use with no LogOpenFails?
I use these:
(http://img51.imageshack.us/img51/4628/timeouts.jpg)
-
I have the same problem with no_new_conn_for_this_packet.
In my case:
TCP SYN Idle Lifetime: 60
TCP Idle Lifetime: 262144
TCP FIN Idle Lifetime: 80
UDP Idle Lifetime: 130
Ping Idle Lifetime: 8
Other Protocols Idle Lifetime: 130
I have played a bit with these timeouts, but I have not noticed any important improvements.
Anyway, isn't the TCP Idle Lifetime too big? (In my case, DFL-2500, 262144 is the default.)