Invalid state detected DROP (for VPN user)
Martin_Kuchar
Posts: 38 Freshman Member
Hello, yesterday we got strange problem with SSL VPN connected users. Both users connected successfully with Secuextender cannot reach internal LAN resources. In Zyxel debug log,
we have "Security Policy Control - Invalid state detected DROP". Reconnecting not solved the issue. Only Zyxel reboot solved it. After Zyxel reboot all worked fine again. The USG ran for 3 weeks before restart without issues. USG110, fw V4.35(AAPH.3)
What exactly means "Invalid state detected"?
we have "Security Policy Control - Invalid state detected DROP". Reconnecting not solved the issue. Only Zyxel reboot solved it. After Zyxel reboot all worked fine again. The USG ran for 3 weeks before restart without issues. USG110, fw V4.35(AAPH.3)
What exactly means "Invalid state detected"?
0
All Replies
-
Hi @Martin_Kuchar,The USG is stateful firewall. Packets will be dropped (“Invalid state detected”) if packets with invalid headers, checksums, TCP flags, or ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets.Does the log occur in specific protocol/application when running SecuExtender?0
-
Zyxel_Cooldia said:Does the log occur in specific protocol/application when running SecuExtender?Hi Cooldia, thank you for clarification about the internal firewall. The log occur typicaly when expected - when unwanted communication come from WAN, but as described, we got it also for two users at one time. One was logged in with SE for some time without issues, but from one moment, he lost internal connections and the log occures. The second user tried to mimic the situation, logged in also with SE from another place in internet, connection was OK, he received IP from DHCP, but cannot reach the internal LAN resources. The same issue in the log. After restarting USG, everything was solved. Looks like problem in TCP stack after 3 weeks of running. But connecting to USG from WAN and also accessing inet from LAN was still OK. Only the firewall in internal communication was problem.
0 -
Hi @Martin_Kuchar,
We may need to further check what had been configured on your device.
Can you send me your configuration file via private message?
0 -
Hello @Zyxel_Cooldia,
I have a similar issue on my USG60 with an IKEv2 VPN Tunnel. Is there already a solution? I've deactivated the abnormal tcp flag detection, but that had no effect.Is there anything else I can do?
0 -
Hi @lwi
Does the symptom always exist after client established IKEv2 successfully?
You may make sure local policy and Configuration Payload setting.
-> Local policy 0.0.0.0 is meaning all of client traffic will pass into USG directly
-> Pool IP address shouldn’t overlap to any Interface IP subnet.
And also make sure IKEv2 Pool has routing rule for Internet and Intranet.
If the symptom is random, you may try to upgrade firmware to 4.60P1.
It has fixed VPN routing stability issue.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight