What is the meaning of & how to resolve USG Security Policy log with msg="invalid state detected, DROP"

warwickt
warwickt Posts: 111  Ally Member
edited April 2021 in Security
Hi Zyxel-lads, on one of my USG60's event logs I'm seeing many msg="invalid state detected, DROP"

These are Security Policy log events ... these are all blocked by the default DENY rule.

Here's an example with localised stuff faked out... (ipv4 WAN src / dest. M.A.C)

Feb  1 15:22:17 myrouter src="xxx.xxx.xxx.xxx: 64646" dst="my.usg60’s.wan1.ipv4:nnn" msg="invalid state detected, DROP" note="ACCESS BLOCK" user="unknown" devID="60319xxyyzz" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ANY" protoID=6 proto="others"

Feb  1 15:22:17 myrouter src="xxx.xxx.xxx.xxx: 64646" dst="my.usg60’s.wan1.ipv4:nnn" msg="invalid state detected, DROP" note="ACCESS BLOCK" user="unknown" devID="60319xxyyzz" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ANY" protoID=6 proto="others"


I'd like to know the meaning of this Policy Router default BLOCK and what is involved to resolve it.

Any clues?

Any help is thankfully received.

B/R

Warwick
Hong Kong

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee

    Hello Warwick,
    The USG is a stateful firewall, so if the session does not follow the standard of the TCP protocol, the "invalid state detected, DROP" will occur. For example, during the communication, the USG is between the server and the client, and if the server just sends the rest packet to the USG to complete the connection, the client will still send the request to the USG (because the client does not know the server finished the communication). This will cause the USG to drop the client session and show "invalid state detected, DROP". Another case is that when the USG receives a session from an unknown user, the USG will drop this session.
    Charlie

  • warwickt
    warwickt Posts: 111  Ally Member
    Hi Charlie.. thanks for the great explanation. :3 

    My local fix: I've rectified the profuse messages by correcting a Policy route that was in error.

    Thanks again mate!

    warwick
    Hong Kong 
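
Added example, not part of the original thread and not Zyxel code: a small triage script that parses log lines in the key="value" layout quoted in the question and counts "invalid state detected, DROP" events per flow, which shows which source/destination pairs are producing the drops before a policy route or rule is reviewed. The sample lines, addresses, the non-matching message text and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout quoted in the thread.
# Addresses are documentation ranges; devID is a placeholder.
SAMPLE_LOG = """\
Feb  1 15:22:17 myrouter src="198.51.100.7: 64646" dst="203.0.113.10:443" msg="invalid state detected, DROP" note="ACCESS BLOCK" devID="PLACEHOLDER" protoID=6 proto="others"
Feb  1 15:22:17 myrouter src="198.51.100.7: 64646" dst="203.0.113.10:443" msg="invalid state detected, DROP" note="ACCESS BLOCK" devID="PLACEHOLDER" protoID=6 proto="others"
Feb  1 15:22:19 myrouter src="198.51.100.7: 64647" dst="203.0.113.10:443" msg="invalid state detected, DROP" note="ACCESS BLOCK" devID="PLACEHOLDER" protoID=6 proto="others"
Feb  1 15:23:02 myrouter src="192.0.2.44: 51000" dst="203.0.113.10:22" msg="invalid state detected, DROP" note="ACCESS BLOCK" devID="PLACEHOLDER" protoID=6 proto="others"
Feb  1 15:23:05 myrouter src="192.0.2.44: 51001" dst="203.0.113.10:23" msg="constructed other message" note="ACCESS BLOCK" devID="PLACEHOLDER" protoID=6 proto="others"
"""

TARGET_MSG = "invalid state detected, DROP"
# Matches key="quoted value" as well as bare key=value (e.g. protoID=6).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Parse key="value" and bare key=value pairs from one log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def split_endpoint(value):
    """Split 'ip: port' (the log puts a space after the colon) into (ip, port)."""
    ip, sep, port = value.rpartition(":")
    return (ip.strip(), port.strip()) if sep else (value.strip(), "")

def invalid_state_drops(text):
    """Count invalid-state drops per (src ip, dst ip, dst port, protoID)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_fields(line)
        if f.get("msg") != TARGET_MSG or "src" not in f or "dst" not in f:
            continue  # other messages and malformed lines are skipped
        src_ip, _ = split_endpoint(f["src"])  # source port is ephemeral, so not part of the key
        dst_ip, dst_port = split_endpoint(f["dst"])
        counts[(src_ip, dst_ip, dst_port, f.get("protoID", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, port, proto), n in invalid_state_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src} -> {dst}:{port}  protoID={proto}")
```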
