Author Topic: Log help  (Read 8999 times)

Lavdd

  • Level 1 Member
  • *
  • Posts: 21
Log help
« on: December 30, 2009, 02:58:36 AM »

Please explain what this is and how to get rid of it

Code:
2009-12-30
13:57:36 Warning CONN
600012 LogOpenFails TCP lan
 192.168.0.191
74.125.43.103 57441
80 no_new_conn_for_this_packet
reject
protocol=tcp ipdatalen=20 ack=1 fin=1
 
 
and

Code:
2009-12-30
13:57:34 Notice TCP_OPT
3400005 TCPMSSLogLevel TCP wan
 213.180.204.131
(wan IP) 80
30573 tcp_mss_above_log_level
log
tcpopt=2 mss=8910 mssloglevel=7000 ipdatalen=24 tcphdrlen=24 syn=1 ack=1  

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Log help
« Reply #1 on: December 30, 2009, 08:42:37 AM »

The D-Link NetDefend Security Center at http://security.dlink.com.tw has a log manual that will explain any log entries you are unsure of.

In this case I believe we are looking at an SPI drop and a MSS error.
non progredi est regredi

Lavdd

  • Level 1 Member
  • *
  • Posts: 21
Re: Log help
« Reply #2 on: January 05, 2010, 01:52:31 AM »

Well

err in TCP open flag - is there a reason to look through such err or it could be just not logged?

as for MSS, looks like there is no adequate case for MSS to be high so it could be not logged


Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Log help
« Reply #3 on: January 05, 2010, 08:35:14 AM »

System -> Advanced Settings -> IP Settings tend to be where the log settings are for errors such as these.

I would be very interested in the quantity of the first error from particular hosts (a pattern might represent a scan or attack to be aware of, or a piece of benign software on your network that you will need to make adjustments for).
non progredi est regredi
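
Added example (not part of any post in this thread, and not D-Link code): one way to get the per-host count of the first warning asked for in the reply above, from log text pasted in the layout shown in the first post. It also splits each host's count by whether the dropped packet carried FIN, since a FIN with no matching connection entry is a late packet on a connection the firewall has already closed. The function names are hypothetical; in the sample only the first record comes from the thread, the rest are constructed.

```python
import re
from collections import Counter

# Field order as it appears in the entries pasted in this thread.
FIELDS = ("date", "time", "severity", "category", "id", "rule", "proto",
          "iface", "src_ip", "dst_ip", "src_port", "dst_port", "event", "action")
# A record starts at every "YYYY-MM-DD hh:mm:ss" stamp (any whitespace between).
STAMP = re.compile(r"(?=\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s)")

# First record is copied from the thread; records 2 and 3 are constructed,
# record 4 is the thread's MSS notice joined onto one line.
SAMPLE = """\
2009-12-30
13:57:36 Warning CONN
600012 LogOpenFails TCP lan
 192.168.0.191
74.125.43.103 57441
80 no_new_conn_for_this_packet
reject
protocol=tcp ipdatalen=20 ack=1 fin=1
2009-12-30 13:58:02 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.191 198.51.100.7 57502 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1 fin=1
2009-12-30 13:58:10 Warning CONN 600012 LogOpenFails TCP lan 192.168.0.55 203.0.113.9 40211 80 no_new_conn_for_this_packet reject protocol=tcp ipdatalen=20 ack=1
2009-12-30 13:57:34 Notice TCP_OPT 3400005 TCPMSSLogLevel TCP wan 213.180.204.131 (wan IP) 80 30573 tcp_mss_above_log_level log tcpopt=2 mss=8910 mssloglevel=7000 ipdatalen=24 tcphdrlen=24 syn=1 ack=1
"""

def parse_records(text):
    """Turn pasted log text into one dict per event; line breaks are ignored."""
    records = []
    for chunk in STAMP.split(text):
        # "(wan IP)" is the poster's redaction; keep it as a single token.
        tokens = chunk.replace("(wan IP)", "(wan_IP)").split()
        if len(tokens) < len(FIELDS):
            continue  # empty leading chunk or a truncated record
        rec = dict(zip(FIELDS, tokens))
        rec["params"] = dict(t.split("=", 1) for t in tokens[len(FIELDS):] if "=" in t)
        records.append(rec)
    return records

def late_packet_counts(records):
    """Per source host: (no_new_conn drops, how many of those carried FIN)."""
    total, with_fin = Counter(), Counter()
    for rec in records:
        if rec["event"] != "no_new_conn_for_this_packet":
            continue
        total[rec["src_ip"]] += 1
        with_fin[rec["src_ip"]] += rec["params"].get("fin") == "1"
    return {host: (n, with_fin[host]) for host, n in total.items()}

if __name__ == "__main__":
    for host, (n, fin) in sorted(late_packet_counts(parse_records(SAMPLE)).items()):
        print(f"{host:15}  drops={n}  with_fin={fin}")
```

A host whose drops almost all carry FIN fits the closed-connection case; a host with many drops and few FINs is the one to look at more closely.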

Lavdd

  • Level 1 Member
  • *
  • Posts: 21
Re: Log help
« Reply #4 on: January 07, 2010, 05:43:22 AM »

Thx for help.

It looks like err in TCP open flag happens all the time from all hosts (even from my own) during inet surf (with port 80 dist), that's why I think there is some conf err. Still can't get what about it. Do u see same when u have ppl browsing internet?

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: Log help
« Reply #5 on: January 07, 2010, 08:19:03 AM »

No, I don't. It bears some looking into, that is for sure.
non progredi est regredi

mackop

  • Level 1 Member
  • *
  • Posts: 16
Re: Log help
« Reply #6 on: January 12, 2010, 01:36:22 AM »

I have a similar problem. The no_new_conn_for_this_packet warning appears from some computers at non-regular intervals (I have more or less 200 messages per hour, 100 computers browsing internet).

http://forums.dlink.com/index.php?PHPSESSID=703296aabdd827a232735c76dc00ca08&topic=10349.0

Lavdd

  • Level 1 Member
  • *
  • Posts: 21
Re: Log help
« Reply #7 on: January 12, 2010, 01:47:18 AM »

"These events occur quite frequently, most often due to the firewall timing out a connection and one of the end points continuing to send data after the connection has been closed."

http://www.clavister.com/manuals/ver8x/manual/logging/what_is_logged_from_clavister_firewall_.htm

Looks like it's about Conn. Timeout Settings from Advanced Settings.
Share your exp on this matter plz
What timeouts do you use having no LogOpenFails?

I use these
« Last Edit: January 12, 2010, 01:52:21 AM by Lavdd »

mackop

  • Level 1 Member
  • *
  • Posts: 16
Re: Log help
« Reply #8 on: January 12, 2010, 12:30:44 PM »

I have the same problem with no_new_conn_for_this_packet.

In my case:
TCP SYN Idle Lifetime: 60
TCP Idle Lifetime: 262144
TCP FIN Idle Lifetime: 80
UDP Idle Lifetime: 130
Ping Idle Lifetime: 8
Other Protocols Idle Lifetime: 130

I have played a bit with these timeouts, but I have not noticed any important improvements.
Anyway, is not the TCP Idle Lifetime too big? (in my case, dfl-2500, 262144 is default)