Invalid state detected DROP (for VPN user)

Martin_Kuchar
Martin_Kuchar Posts: 38  Freshman Member
First Anniversary Friend Collector First Comment
edited April 2021 in Security
Hello, yesterday we got strange problem with SSL VPN connected users. Both users connected successfully with Secuextender cannot reach internal LAN resources. In Zyxel debug log,
we have "Security Policy Control - Invalid state detected DROP". Reconnecting not solved the issue. Only Zyxel reboot solved it. After Zyxel reboot all worked fine again. The USG ran for 3 weeks before restart without issues. USG110, fw V4.35(AAPH.3)
What exactly means "Invalid state detected"?


All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited July 2020
    The USG is stateful firewall. Packets will be dropped (“Invalid state detected”) if packets with invalid headers, checksums, TCP flags, or ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets. 

    Does the log occur in specific protocol/application when running SecuExtender? 

  • Martin_Kuchar
    Martin_Kuchar Posts: 38  Freshman Member
    First Anniversary Friend Collector First Comment
    Does the log occur in specific protocol/application when running SecuExtender? 

    Hi Cooldia, thank you for clarification about the internal firewall. The log occur typicaly when expected - when unwanted communication come from WAN, but as described, we got it also for two users at one time. One was logged in with SE for some time without issues, but from one moment, he lost internal connections and the log occures. The second user tried to mimic the situation, logged in also with SE from another place in internet, connection was OK, he received IP from DHCP, but cannot reach the internal LAN resources. The same issue in the log. After restarting USG, everything was solved. Looks like problem in TCP stack after 3 weeks of running. But connecting to USG from WAN and also accessing inet from LAN was still OK. Only the firewall in internal communication was problem.


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Martin_Kuchar,

    We may need to further check what had been configured on your device. 

    Can you send me your configuration file via private message?

  • lwi
    lwi Posts: 1
    Friend Collector First Comment
    Hello @Zyxel_Cooldia,

    I have a similar issue on my USG60 with an IKEv2 VPN Tunnel. Is there already a solution? I've deactivated the abnormal tcp flag detection, but that had no effect.Is there anything else I can do?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited December 2020

    Hi @lwi  

    Does the symptom always exist after client established IKEv2 successfully?

    You may make sure local policy and Configuration Payload setting.

    -> Local policy 0.0.0.0 is meaning all of client traffic will pass into USG directly

    -> Pool IP address shouldn’t overlap to any Interface IP subnet.


    And also make sure IKEv2 Pool has routing rule for Internet and Intranet.


    If the symptom is random, you may try to upgrade firmware to 4.60P1.

    It has fixed VPN routing stability issue.

Security Highlight