Whats is meaning of & how to resolve USG Security Policy log with msg="invalid state detected, DROP"

warwickt
warwickt Posts: 111  Ally Member
First Anniversary Friend Collector First Answer First Comment
edited April 2021 in Security
Hi Zyxel-lads,  on one of my USG60's  event logs I'm seeing many msg="invalid state detected, DROP"

These are Security Policy log events ... these are all blocked by the default DENY rule.

Here's an example with localised stuff faked out... (ipv4 WAN src / dest. M.A.C" 

<div>Feb &nbsp;1 15:22:17 myrouter src="xxx.xxx.xxx.xxx: 64646" dst="my.usg60’s.wan1.ipv4:nnn" <b>msg="invalid state detected, DROP" </b>note="ACCESS BLOCK" user="unknown" devID="60319xxyyzz" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ANY" protoID=6 proto="others"

</div><div>Feb &nbsp;1 15:22:17 myrouter src="xxx.xxx.xxx.xxx: 64646" dst="my.usg60’s.wan1.ipv4:nnn" <b>msg="invalid state detected, DROP"</b> note="ACCESS BLOCK" user="unknown" devID="60319xxyyzz" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="ANY:ANY" protoID=6 proto="others"</div>


I'd like to know the meaning of this Policy Router default BLOCK and what is involved to resolve it.

Any clues?

Any help is thankfully received.

B/R

Warwick
Hong Kong

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hello Warwick,
    The USG is stateful firewall, so if the session does not follow the standard of TCP protocol, the "invalid state detected, DROP" will occur. For example, during the communication, the USG is between Server and client, and if server just send the rest packet to usg to complete the connection, the client will still send the request to USG.(because client does not know server finished the communication) This will cause USG drop the client session and show "invalid state detected, DROP".  Another case is that when the USG receive session from unknown user, the usg will drop this session.
    Charlie

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Hi Charlie.. thanks for the great explanation. :3 

    My local fix: I've rectified the perfuse messages by correcting a Policy route tat was on error.

    Thanks again mate!

    warwick
    Hong Kong 

Security Highlight