These log messages refer to the TCP category.
2.50.1. [ID: 102] Ambiguous MSS announcement
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Ambiguous MSS announcement.
- Default Log Severity
- Warning
- Parameters
- old, new, effective, tcpopt, flow, user, userid
- Explanation
- The gateway has received several packets with the SYN flag set, on this flow. Not all of these packets announced the same Maximum Segment Size (MSS). The gateway will act as if the value of the parameter effective was announced in all packets that had the SYN flag set on this flow.
- Gateway Action
- Accept
- Action Description
- The gateway accepted the new MSS announcement as the new effective MSS for the flow
- Proposed Action
- None
2.50.2. [ID: 189] TCP MSS too high
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP MSS too high.
- Default Log Severity
- Notice
- Parameters
- mss, max, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The TCP packet announced a Maximum Segment Size (MSS) larger than the configured limit.
- Gateway Action
- Adjust
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPMSSOnHigh controls how the gateway handles packets that announce a Maximum Segment Size (MSS) larger than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMax.
2.50.3. [ID: 393] TCP MSS too low
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP MSS too low.
- Default Log Severity
- Notice
- Parameters
- mss, min, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The TCP packet announced a Maximum Segment Size (MSS) less than the configured limit.
- Gateway Action
- Adjust
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPMSSOnLow controls how the gateway handles packets that announce a Maximum Segment Size (MSS) less than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMin.
2.50.4. [ID: 591] Oversized TCP window
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Oversized TCP window.
- Default Log Severity
- Information
- Parameters
- windowsize, max, state, flow, pkt, user, userid
- Explanation
- The packet's announced receive window exceeded the configured limit. This event is only logged once per flow.
- Gateway Action
- Adjust
- Action Description
- The size of the announced receive window was lowered below the configured limit
- Proposed Action
- Window size limitation is controlled by two settings. The setting TCPSettings:TCPMaxWindow sets the actual limit and the setting TCPSettings:TCPOversizedWindow controls the action of the gateway when the limit is exceeded.
2.50.5. [ID: 416] Ambiguous SACK permission announced
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Ambiguous SACK permission announced.
- Default Log Severity
- Warning
- Parameters
- tcpopt, flow, user, userid
- Explanation
- The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets granted the peer permission to send SACK options.
- Gateway Action
- Allow
- Action Description
- The gateway will allow packets with the SACK option from the peer on this flow-pair
- Proposed Action
- None
2.50.6. [ID: 307] Ambiguous SACK permission announced
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Ambiguous SACK permission announced.
- Default Log Severity
- Warning
- Parameters
- tcpopt, flow, user, userid
- Explanation
- The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets granted the peer permission to send SACK options.
- Gateway Action
- Deny
- Action Description
- The gateway will drop packets with the SACK option from the peer on this flow-pair
- Proposed Action
- If this seems to cause problems, for instance through packet drops generating "not negotiated option" logs pointing at the SACK option, then changing the setting TCPSettings:TCPOPT_SACK so that the gateway strips the SACK option, thereby disabling the use of SACK options, can be used as a workaround.
2.50.7. [ID: 246] Ambiguous window scale negotiation
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Ambiguous window scale negotiation.
- Default Log Severity
- Warning
- Parameters
- tcpopt, flow, user, userid
- Explanation
- The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets have proposed to use the window scale option.
- Gateway Action
- Disable
- Action Description
- The gateway will act as if the negotiation of window scale failed on this flow-pair. This means that it will not apply any shift count when processing the window information in subsequent packets. This will also affect the validation of sequence numbers since that depends on the window information.
- Proposed Action
- If this seems to cause problems, for instance with the sequence number validation, then changing the setting TCPSettings:TCPOPT_WSOPT so that the gateway strips the Window Scale option, thereby disabling the use of Window Scale options, can be used as a workaround.
2.50.8. [ID: 551] Ambiguous window scale negotiation
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Ambiguous window scale negotiation.
- Default Log Severity
- Warning
- Parameters
- tcpopt, flow, user, userid
- Explanation
- The gateway has received several packets with the SYN flag set, on this flow. Some, but not all, of these packets have proposed to use the window scale option.
- Gateway Action
- Enable
- Action Description
- The gateway will act as if window scale was successfully negotiated on this flow-pair. This means that it will use the announced shift counts when processing the window information in subsequent packets. This will also affect the validation of sequence numbers since that depends on the window information.
- Proposed Action
- None
2.50.9. [ID: 565] SACK block with invalid range
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- SACK block with invalid range.
- Default Log Severity
- Warning
- Parameters
- sackblock, tcpopt, flow, pkt, user, userid
- Explanation
- The TCP packet had a SACK option containing a block with an empty or inverted range, that is, a range that runs from a higher sequence number to a lower sequence number.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet.
2.50.10. [ID: 411] Resent SYN with mismatching window scale[...]
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Resent SYN with mismatching window scale proposal.
- Default Log Severity
- Warning
- Parameters
- new, effective, tcpopt, flow, pkt, user, userid
- Explanation
- The gateway has received a retransmission of a packet with the SYN flag set. The retransmitted packet announced a different Window Scale shift count than the original packet and is therefore dropped.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this seems to cause problems, then changing the setting TCPSettings:TCPOPT_WSOPT so that the gateway strips the Window Scale option, thereby disabling the use of Window Scale options, can be used as a workaround.
2.50.11. [ID: 545] Disallowed flag set
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Disallowed flag set.
- Default Log Severity
- Warning
- Parameters
- flag, setting, flow, pkt, user, userid
- Explanation
- The TCP packet had an uncommon, unusual or poorly standardized flag set.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of this strange packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPUrg, TCPSettings:TCPECN or TCPSettings:TCPRF, depending on the flag in question. The parameter setting shows which of the settings was applied to the packet.
2.50.12. [ID: 202] Bad TCP option length
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Bad TCP option length.
- Default Log Severity
- Warning
- Parameters
- tcpopt, len, expectlen, setting, flow, pkt, user, userid
- Explanation
- While parsing the TCP header an option with an invalid length, for that specific option type, was found.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
2.50.13. [ID: 596] TCP segment exceeds previous FIN
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- TCP segment exceeds previous FIN.
- Default Log Severity
- Warning
- Parameters
- seqno, max, flags, state, flow, pkt, user, userid
- Explanation
- The TCP packet ended at a higher sequence number than the sequence number assigned to the FIN flag by a previous packet. Since the FIN flag signals the end of the data stream, packets with higher sequence numbers should not occur. The parameter seqno contains the last sequence number transported in the segment and the parameter max contains the sequence number immediately before the previously received FIN.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPSeqNumValidationMode controls how strictly the gateway validates sequence numbers.
2.50.14. [ID: 547] TCP FIN flag set without the ACK flag
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP FIN flag set without the ACK flag.
- Default Log Severity
- Warning
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The TCP packet had the FIN flag set but the ACK flag cleared. This combination is normally invalid.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPFinNoAck controls how the gateway handles packets with this flag combination.
2.50.15. [ID: 113] Disallowed flag combination
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Disallowed flag combination.
- Default Log Severity
- Warning
- Parameters
- goodflag, badflag, setting, flow, pkt, user, userid
- Explanation
- The TCP packet had an unusual, and normally invalid, flag combination set.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPSynUrg, TCPSettings:TCPSynPsh, TCPSettings:TCPSynRst, TCPSettings:TCPSynFin, TCPSettings:TCPRstFin or TCPSettings:TCPFinUrg, depending on which flag combination the packet had. The parameter setting shows which of the settings was applied to the packet.
2.50.16. [ID: 388] Invalid TCP checksum
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Invalid TCP checksum.
- Default Log Severity
- Warning
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The packet's TCP checksum was invalid.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- TCP checksum verification is controlled by the setting TCPSettings:TCPChecksumVerification.
2.50.17. [ID: 359] Invalid TCP option length
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Invalid TCP option length.
- Default Log Severity
- Warning
- Parameters
- tcpopt, len, setting, flow, pkt, user, userid
- Explanation
- A TCP option with explicit length had an invalid length. No option with explicit length can be shorter than two bytes (one byte to indicate the kind of option and one byte to indicate the length).
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
2.50.18. [ID: 139] Invalid reset sequence number in state SYN[...]
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Invalid reset sequence number in state SYN RECVD.
- Default Log Severity
- Warning
- Parameters
- seqno, min, max, flow, pkt, user, userid
- Explanation
- A reset packet was received from the originator of the connection before any SYN-ACK was received from the terminator side. Resets under these conditions are required to have a sequence number in close proximity to the sequence number of the SYN packet to be considered valid.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Configuring the TCP sequence number validation in audit mode using the setting TCPSettings:TCPSeqNumValidationMode can be used as a workaround.
2.50.19. [ID: 187] TCP MSS too high
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP MSS too high.
- Default Log Severity
- Warning
- Parameters
- mss, max, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The TCP packet announced a Maximum Segment Size (MSS) larger than the configured limit.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPMSSOnHigh controls how the gateway handles packets that announce a Maximum Segment Size (MSS) larger than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMax.
2.50.20. [ID: 312] TCP MSS too low
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP MSS too low.
- Default Log Severity
- Warning
- Parameters
- mss, min, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The TCP packet announced a Maximum Segment Size (MSS) less than the configured limit.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPMSSOnLow controls how the gateway handles packets that announce a Maximum Segment Size (MSS) less than the configured limit. The limit is configured in the setting TCPSettings:TCPMSSMin.
2.50.21. [ID: 571] New acknowledgment in ICMP message
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- New acknowledgment in ICMP message.
- Default Log Severity
- Warning
- Parameters
- ackseqno, max, state, flow, pkt, user, userid
- Explanation
- The acknowledgment in an ICMP encapsulated TCP packet was higher than any acknowledgment processed on the flow.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.22. [ID: 375] Not forwarded sequence number in ICMP message
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Not forwarded sequence number in ICMP message.
- Default Log Severity
- Warning
- Parameters
- seqno, len, max, flow, pkt, user, userid
- Explanation
- The sequence number in an ICMP encapsulated TCP packet was higher than any sequence number processed on the flow.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.23. [ID: 456] Non-zero header padding
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Non-zero header padding.
- Default Log Severity
- Warning
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The padding between the option field and the end of the header was found to be non-zero. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the padding.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPNonZeroHeaderPadding controls the gateway's behavior when non-zero header padding is found.
2.50.24. [ID: 493] SACK block announced data not sent
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- SACK block announced data not sent.
- Default Log Severity
- Warning
- Parameters
- sackblock, max, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The SACK option in the packet announced that data not yet sent by the peer already had been received.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.
2.50.25. [ID: 447] TCP NULL packet
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP NULL packet.
- Default Log Severity
- Warning
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The TCP packet had none of the flags SYN, FIN, RST or ACK set.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of the packet and try to fix the problem there. Secondly, review the setting TCPSettings:TCPNULL which controls the gateway's behavior when receiving such packets.
2.50.26. [ID: 449] Non-first SACK block announced acknowledged[...]
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Non-first SACK block announced acknowledged data.
- Default Log Severity
- Warning
- Parameters
- sackblock, ackseqno, tcpopt, setting, flow, pkt, user, userid
- Explanation
- A non-first SACK block acknowledged data already acknowledged by the standard acknowledgment field in the header. Only the first SACK block is allowed to do that.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.
2.50.27. [ID: 437] Disallowed TCP option
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Disallowed TCP option.
- Default Log Severity
- Warning
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- The packet contained an option of the kind indicated by the parameter tcpopt.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's action when it finds an option of this type is controlled by the setting indicated by the parameter setting.
2.50.28. [ID: 173] SYN only option in non-SYN segment
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- SYN only option in non-SYN segment.
- Default Log Severity
- Warning
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- A TCP option that only should occur in packets with the SYN flag set was found in a packet with the SYN flag cleared.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of the packet and try to fix the problem there. If that is not possible then the gateway's behavior can be adjusted through the setting TCPSettings:TCPSynOptInNonSyn.
2.50.29. [ID: 373] TCP option length missing
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP option length missing.
- Default Log Severity
- Warning
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- A TCP option with explicit length was found at a position in the header such that the length information fell outside of the header.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
2.50.30. [ID: 182] Oversized TCP segment
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Oversized TCP segment.
- Default Log Severity
- Warning
- Parameters
- mss, datalen, hdrlen, state, flow, pkt, user, userid
- Explanation
- The packet exceeded the Maximum Segment Size (MSS) announced by the peer. If no MSS has been announced, an MSS of 536/1220 is assumed for TCP over IPv4/IPv6.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPOversizedSegment controls if the gateway should check that the MSS is obeyed and what actions it should take when the MSS is exceeded.
2.50.31. [ID: 369] Oversized TCP window in ICMP message
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Oversized TCP window in ICMP message.
- Default Log Severity
- Warning
- Parameters
- windowsize, max, state, flow, pkt, user, userid
- Explanation
- The TCP window in the ICMP encapsulated packet exceeded the maximal window limit. This is erroneous since no packet that exceeded the limit has been forwarded.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Window size limitation is controlled by two settings. The setting TCPSettings:TCPMaxWindow sets the actual limit and the setting TCPSettings:TCPOversizedWindow controls the action of the gateway when the limit is exceeded.
2.50.32. [ID: 227] TCP option does not fit in the header
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP option does not fit in the header.
- Default Log Severity
- Warning
- Parameters
- tcpopt, len, avail, setting, flow, pkt, user, userid
- Explanation
- A TCP option with a length that exceeded the remaining part of the header was found in the packet.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
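Several of the messages above (Bad TCP option length, Invalid TCP option length, TCP option length missing, TCP option does not fit in the header, Non-zero header padding and SACK block with invalid range) result from walking the option field of the TCP header. The following is an added example, not the gateway's own code, showing how such a walk can map a malformed option field to those messages. The function name, the order of the checks, the per-kind lengths (taken from the TCP RFCs) and the modulo-2^32 range comparison are assumptions.

```python
import struct

# Fixed total lengths per option kind as defined in the TCP RFCs:
# 2 = MSS, 3 = Window Scale, 4 = SACK Permitted, 8 = Timestamps.
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}
KIND_EOL, KIND_NOP, KIND_SACK = 0, 1, 5


def check_options(opts: bytes):
    """Walk a TCP option field (the header bytes after the fixed 20).

    Returns None if nothing is wrong, otherwise (log_message, params) for
    the first anomaly found. The check order is an assumption; the page
    does not state in which order the gateway evaluates these conditions.
    """
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == KIND_EOL:
            # Everything after End of Option List is padding.
            if any(opts[i + 1:]):
                return ("Non-zero header padding", {})
            return None
        if kind == KIND_NOP:  # single-byte option, no length byte
            i += 1
            continue
        if i + 1 >= n:
            # The kind byte is the last byte of the header.
            return ("TCP option length missing", {"tcpopt": kind})
        length = opts[i + 1]
        if length < 2:
            # Kind byte plus length byte already occupy two bytes.
            return ("Invalid TCP option length",
                    {"tcpopt": kind, "len": length})
        avail = n - i
        if length > avail:
            return ("TCP option does not fit in the header",
                    {"tcpopt": kind, "len": length, "avail": avail})
        expect = FIXED_LEN.get(kind)
        if expect is not None and length != expect:
            return ("Bad TCP option length",
                    {"tcpopt": kind, "len": length, "expectlen": expect})
        if kind == KIND_SACK:
            # A SACK option is 2 bytes plus one or more 8-byte blocks.
            if length < 10 or (length - 2) % 8:
                return ("Bad TCP option length",
                        {"tcpopt": kind, "len": length})
            for off in range(i + 2, i + length, 8):
                left, right = struct.unpack_from("!II", opts, off)
                # Sequence numbers wrap, so compare modulo 2**32.
                span = (right - left) & 0xFFFFFFFF
                if span == 0 or span >= 0x80000000:
                    return ("SACK block with invalid range",
                            {"tcpopt": kind, "sackblock": (left, right)})
        i += length
    return None


if __name__ == "__main__":
    # Constructed option fields, not captured traffic.
    samples = {
        "well-formed SYN options": bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 4, 2, 0, 0]),
        "data after EOL": bytes([2, 4, 0x05, 0xB4, 0, 0xDE, 0xAD, 0xBE]),
        "kind byte at end of header": bytes([1, 1, 1, 2]),
        "length byte of 1": bytes([2, 1, 0, 0]),
        "timestamps cut short": bytes([1, 1, 8, 10]),
        "MSS with length 3": bytes([2, 3, 5, 1]),
        "inverted SACK block": bytes([1, 1, 5, 10]) + struct.pack("!II", 2000, 1000),
    }
    for name, field in samples.items():
        print(f"{name}: {check_options(field)}")
```
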
2.50.33. [ID: 200] Too high TCP sequence number
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too high TCP sequence number.
- Default Log Severity
- Warning
- Parameters
- seqno, len, min, max, windowsize, gap, flags, state, flow, pkt, user, userid
- Explanation
- The sequence number in the TCP packet was above the receive window announced by the receiver of the packet. This is normally invalid and should not occur. However, there are a few exceptions, the primary one being when the receiver has recently reduced its receive window.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's response to this event is controlled by the setting TCPSettings:TCPSeqNumValidationMode.
2.50.34. [ID: 463] Too low FIN sequence number
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too low FIN sequence number.
- Default Log Severity
- Warning
- Parameters
- seqno, min, state, flow, pkt, user, userid
- Explanation
- The packet had the FIN flag set but a sequence number that had already been used for data. The FIN flag is logically located at the end of the data stream and should have a previously unused sequence number.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this event occurs frequently and causes problems then configuring a non-strict sequence number validation mode in the setting TCPSettings:TCPSeqNumValidationMode can be used as a workaround.
2.50.35. [ID: 168] Too low TCP sequence number
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too low TCP sequence number.
- Default Log Severity
- Warning
- Parameters
- seqno, len, min, max, windowsize, gap, flags, state, loglevel, value, flow, pkt, user, userid
- Explanation
- The sequence number in the TCP packet was below the receive window announced by the receiver of the packet. The reason why this event occurs can be as simple as timing. When a receiver of a data stream receives the next part of the stream it will move its receive window forward. Gateways on the path between the sender and the receiver of the data stream will pick up this information before it reaches the sender. This means that when the sender retransmits a segment it may fall within the receive window known to the sender, but if the original segment was in fact received by the receiver then a new receive window announcement, one that does not include the segment, may be on the way from the receiver to the sender. A gateway that picks up the new receive window announcement before the retransmitted segment will come to the conclusion that the segment's sequence number is too low.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPSeqTooLowLogLevel is the tool that can be used to filter out normal/expected occurrences of this event. The configured log level is shown in the parameter loglevel and the parameter value holds the corresponding value for this packet. The gateway's response to this event is also controlled by the setting TCPSettings:TCPSeqNumValidationMode.
2.50.36. [ID: 103] Too low sequence number in ICMP message
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too low sequence number in ICMP message.
- Default Log Severity
- Warning
- Parameters
- seqno, min, max, loglevel, value, flow, pkt, user, userid
- Explanation
- The sequence number in the TCP packet encapsulated in an ICMP message was below the receive window announced by the intended receiver of the encapsulated packet. Either the sequence number had already been acknowledged or it had never been used at all.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPSeqNumValidationMode is the primary control of the gateway's response to this event. To filter out events caused by network conditions, the setting TCPSettings:TCPSeqTooLowLogLevel also applies. The configured log level is shown in the parameter loglevel and the parameter value holds the corresponding value for this packet.
2.50.37. [ID: 145] Truncated TCP header encapsulated in ICMP[...]
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Truncated TCP header encapsulated in ICMP message.
- Default Log Severity
- Warning
- Parameters
- avail, hdrlen, setting, flow, pkt, user, userid
- Explanation
- Only a part of the encapsulated packet's TCP header was available in the ICMP packet. The parameter avail shows how much of the encapsulated packet's IP payload was available and the parameter hdrlen holds the length of the TCP header.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPTruncHeaderInICMP controls how the gateway handles ICMP packets with a truncated TCP header in the encapsulated packet.
2.50.38. [ID: 210] Too high TCP acknowledgment
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too high TCP acknowledgment.
- Default Log Severity
- Warning
- Parameters
- ackseqno, max, gap, state, flow, pkt, user, userid
- Explanation
- The TCP acknowledgment in the packet announced that data not yet sent by the peer already had been received.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.39. [ID: 444] Unacceptable initial TCP acknowledgment
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Unacceptable initial TCP acknowledgment.
- Default Log Severity
- Warning
- Parameters
- ackseqno, min, max, state, flow, pkt, user, userid
- Explanation
- The first TCP acknowledgment received on the flow did not match the sequence numbers of the packets sent in the other direction.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.40. [ID: 217] Unused non-zero ACK
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Unused non-zero ACK.
- Default Log Severity
- Warning
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The acknowledgment field in the packet was set even though the ACK flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the acknowledgment field. Also, some operating systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established connections.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPUnusedNonZeroAckField controls the gateway's behavior when an unused non-zero acknowledgment field is found.
2.50.41. [ID: 527] Unused non-zero urgent pointer
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Unused non-zero urgent pointer.
- Default Log Severity
- Warning
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The urgent pointer field in the packet was set even though the URG flag was cleared. It is recommended to at least strip this information from the packet to prevent unfiltered data from being tunneled within the urgent pointer field.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPUnusedNonZeroUrgField controls the gateway's behavior when an unused non-zero urgent pointer field is found.
2.50.42. [ID: 538] Fragmented TCP header encapsulated in ICMP[...]
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Fragmented TCP header encapsulated in ICMP message.
- Default Log Severity
- Warning
- Parameters
- flow, pkt, user, userid
- Explanation
- An ICMP packet encapsulating a TCP packet was received. The TCP header in the encapsulated packet was split into several parts due to IP fragmentation. Either the ICMP packet was fragmented or the encapsulated TCP packet was a fragment. Either way, the fragmentation had to target an unreasonably low MTU for that to occur, so the packet was considered invalid.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- None
2.50.43. [ID: 267] TCP header length exceeds IP payload length
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP header length exceeds IP payload length.
- Default Log Severity
- Warning
- Parameters
- hdrlen, iplen, flow, pkt, user, userid
- Explanation
- The TCP header claimed to be larger than the size of the IP payload that it was contained within.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of the packet and try to fix the problem there. If the problem can't be fixed at the source then the log message can be turned off by configuring the log receivers or turning the setting TCPSettings:TCPLogInvalidHeaderLen off.
2.50.44. [ID: 299] Ambiguous MSS announcement
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Ambiguous MSS announcement.
- Default Log Severity
- Warning
- Parameters
- old, new, effective, tcpopt, flow, user, userid
- Explanation
- The gateway has received several packets with the SYN flag set, on this flow. Not all of these packets announced the same Maximum Segment Size (MSS). The gateway will act as if the value of the parameter effective was announced in all packets that had the SYN flag set on this flow.
- Gateway Action
- Ignore
- Action Description
- The gateway ignored the new MSS announcement
- Proposed Action
- None
2.50.45. [ID: 258] Unexpected invalid FIN
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Unexpected invalid FIN.
- Default Log Severity
- Warning
- Parameters
- state, flow, pkt, user, userid
- Explanation
- A packet classified (internally) as having an unreliable sequence number also had the FIN flag set. This combination is not allowed in strict sequence number validation mode.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this event occurs frequently and causes problems then configuring a non-strict sequence number validation mode in the setting TCPSettings:TCPSeqNumValidationMode can be used as a workaround.
2.50.46. [ID: 561] Invalid TCP header length
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Invalid TCP header length.
- Default Log Severity
- Warning
- Parameters
- hdrlen, flow, pkt, user, userid
- Explanation
- The TCP packet's header length field claimed that the header was shorter than the minimal 20 bytes.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- Investigate the source of the packet and try to fix the problem there. If the problem can't be fixed at the source then the log message can be turned off by configuring the log receivers or turning the setting TCPSettings:TCPLogInvalidHeaderLen off.
2.50.47. [ID: 399] Window scale shift count exceeds 14
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Window scale shift count exceeds 14.
- Default Log Severity
- Warning
- Parameters
- value, tcpopt, flow, pkt, user, userid
- Explanation
- The packet was dropped since it contained a Window Scale option specifying an invalid (too large) shift count.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- None
2.50.48. [ID: 342] Suspicious flag set
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Suspicious flag set.
- Default Log Severity
- Notice
- Parameters
- flag, setting, flow, pkt, user, userid
- Explanation
- The TCP packet had an uncommon, unusual or poorly standardized flag set.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Investigate the source of this strange packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPUrg, TCPSettings:TCPECN or TCPSettings:TCPRF, depending on the flag in question. The parameter setting shows which of the settings was applied to the packet.
2.50.49. [ID: 320] TCP segment exceeds previous FIN
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- TCP segment exceeds previous FIN.
- Default Log Severity
- Notice
- Parameters
- seqno, max, flags, state, flow, pkt, user, userid
- Explanation
- The TCP packet ended at a higher sequence number than the sequence number assigned to the FIN flag by a previous packet. Since
the FIN flag signals the end of the data stream, packets with higher sequence numbers should not occur. The parameter seqno contains the last sequence number transported in the segment and the parameter max contains the sequence number immediately before the previously received FIN.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPSeqNumValidationMode controls how strictly the gateway validates sequence numbers.
2.50.50. [ID: 468] TCP FIN flag set without the ACK flag
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP FIN flag set without the ACK flag.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The TCP packet had the FIN flag set but the ACK flag cleared. This combination is normally invalid.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPFinNoAck controls how the gateway handles packets with this flag combination.
2.50.51. [ID: 504] Suspicious flag combination
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Suspicious flag combination.
- Default Log Severity
- Notice
- Parameters
- goodflag, badflag, setting, flow, pkt, user, userid
- Explanation
- The TCP packet had an unusual, and normally invalid, flag combination set.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPSynUrg, TCPSettings:TCPSynPsh, TCPSettings:TCPSynRst, TCPSettings:TCPSynFin, TCPSettings:TCPRstFin or TCPSettings:TCPFinUrg, depending on which flag combination the packet had. The parameter setting shows which of the settings was applied to the packet.
2.50.52. [ID: 218] TCP MSS exceeds log level
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP MSS exceeds log level.
- Default Log Severity
- Notice
- Parameters
- mss, loglevel, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The TCP packet announced a Maximum Segment Size (MSS) larger than the configured log level.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The log level is configured in the setting TCPSettings:TCPMSSLogLevel.
2.50.53. [ID: 270] Invalid TCP checksum
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Invalid TCP checksum.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The packet's TCP checksum was invalid.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- TCP checksum verification is controlled by the setting TCPSettings:TCPChecksumVerification.
2.50.54. [ID: 147] Invalid reset sequence number in state SYN[...]
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Invalid reset sequence number in state SYN RECVD.
- Default Log Severity
- Notice
- Parameters
- seqno, min, max, flow, pkt, user, userid
- Explanation
- A reset packet was received from the originator of the connection before any SYN-ACK was received from the terminator side.
Resets under these conditions are required to have a sequence number in close proximity to the sequence number of the SYN
packet to be considered valid.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Logging of this event can be configured with the setting TCPSettings:TCPSeqNumValidationMode.
2.50.55. [ID: 209] TCP MSS too high
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP MSS too high.
- Default Log Severity
- Notice
- Parameters
- mss, max, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The TCP packet announced a Maximum Segment Size (MSS) larger than the configured limit.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPMSSOnHigh controls how the gateway handles packets that announce a Maximum Segment Size (MSS) larger than the configured limit. The
limit is configured in the setting TCPSettings:TCPMSSMax.
2.50.56. [ID: 215] TCP MSS too low
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP MSS too low.
- Default Log Severity
- Notice
- Parameters
- mss, min, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The TCP packet announced a Maximum Segment Size (MSS) less than the configured limit.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPMSSOnLow controls how the gateway handles packets that announce a Maximum Segment Size (MSS) less than the configured limit. The limit
is configured in the setting TCPSettings:TCPMSSMin.
2.50.57. [ID: 592] New acknowledgment in ICMP message
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- New acknowledgment in ICMP message.
- Default Log Severity
- Notice
- Parameters
- ackseqno, max, state, flow, pkt, user, userid
- Explanation
- The acknowledgment in an ICMP encapsulated TCP packet was higher than any acknowledgment processed on the flow.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.58. [ID: 353] Not forwarded sequence number in ICMP message
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Not forwarded sequence number in ICMP message.
- Default Log Severity
- Notice
- Parameters
- seqno, len, max, flow, pkt, user, userid
- Explanation
- The sequence number in an ICMP encapsulated TCP packet was higher than any sequence number processed on the flow.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.59. [ID: 169] Non-zero header padding
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Non-zero header padding.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The padding between the option field and the end of the header was found to be non-zero. It is recommended to at least strip
this information from the packet to prevent unfiltered data from being tunneled within the padding.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPNonZeroHeaderPadding controls the gateway's behavior when non-zero header padding is found.
2.50.60. [ID: 484] SACK block announced data not sent
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- SACK block announced data not sent.
- Default Log Severity
- Notice
- Parameters
- sackblock, max, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The SACK option in the packet announced that data not yet sent by the peer already had been received.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.
2.50.61. [ID: 257] TCP NULL packet
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP NULL packet.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The TCP packet had none of the flags SYN, FIN, RST or ACK set.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Investigate the source of the packet and try to fix the problem there. Secondly, review the setting TCPSettings:TCPNULL which controls the gateway's behavior when receiving such packets.
2.50.62. [ID: 345] Non-first SACK block announced acknowledged[...]
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Non-first SACK block announced acknowledged data.
- Default Log Severity
- Notice
- Parameters
- sackblock, ackseqno, tcpopt, setting, flow, pkt, user, userid
- Explanation
- A non-first SACK block acknowledged data already acknowledged by the standard acknowledgment field in the header. Only the
first SACK block is allowed to do that.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.
2.50.63. [ID: 614] TCP option
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP option.
- Default Log Severity
- Notice
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- The packet contained an option of the kind indicated by the parameter tcpopt.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's action when it finds an option of this type is controlled by the setting indicated by the parameter setting.
2.50.64. [ID: 366] SYN only option in non-SYN segment
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- SYN only option in non-SYN segment.
- Default Log Severity
- Notice
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- A TCP option that only should occur in packets with the SYN flag set was found in a packet with the SYN flag cleared.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Investigate the source of the packet and try to fix the problem there. If that is not possible then the gateway's behavior
can be adjusted through the setting TCPSettings:TCPSynOptInNonSyn.
2.50.65. [ID: 181] Oversized TCP segment
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Oversized TCP segment.
- Default Log Severity
- Notice
- Parameters
- mss, datalen, hdrlen, state, flow, pkt, user, userid
- Explanation
- The packet exceeded the Maximum Segment Size (MSS) announced by the peer. If no MSS has been announced, an MSS of 536/1220
is assumed for TCP over IPv4/IPv6.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPOversizedSegment controls if the gateway should check that the MSS is obeyed and what actions it should take when the MSS is exceeded.
2.50.66. [ID: 199] Oversized TCP window
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Oversized TCP window.
- Default Log Severity
- Information
- Parameters
- windowsize, max, state, flow, pkt, user, userid
- Explanation
- The packet's announced receive window exceeded the configured limit. This event is only logged once per flow.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Window size limitation is controlled by two settings. The setting TCPSettings:TCPMaxWindow sets the actual limit and the setting TCPSettings:TCPOversizedWindow controls the action of the gateway when the limit is exceeded.
2.50.67. [ID: 461] Too high TCP sequence number
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too high TCP sequence number.
- Default Log Severity
- Notice
- Parameters
- seqno, len, min, max, windowsize, gap, flags, state, flow, pkt, user, userid
- Explanation
- The sequence number in the TCP packet was above the receive window announced by the receiver of the packet. This is normally invalid and should not occur. However, there are a few exceptions, the primary exception being if the receiver has recently reduced its receive window.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's response to this event is controlled by the setting TCPSettings:TCPSeqNumValidationMode.
2.50.68. [ID: 207] Too low FIN sequence number
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too low FIN sequence number.
- Default Log Severity
- Notice
- Parameters
- seqno, min, state, flow, pkt, user, userid
- Explanation
- The packet had the FIN flag set but a sequence number that had already been used for data. The FIN flag is logically located
at the end of the data stream and should have a previously unused sequence number.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- If this event occurs frequently and causes problems then configuring a non-strict sequence number validation mode in the setting
TCPSettings:TCPSeqNumValidationMode can be used as a workaround.
2.50.69. [ID: 420] Too low TCP sequence number
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too low TCP sequence number.
- Default Log Severity
- Notice
- Parameters
- seqno, len, min, max, windowsize, gap, flags, state, loglevel, value, flow, pkt, user, userid
- Explanation
- The sequence number in the TCP packet was below the receive window announced by the receiver of the packet. The reason this event occurs can be as simple as timing. When a receiver of a data stream receives the next part of the stream it will move its receive window forward. Gateways on the path between the sender and the receiver of the data stream will pick up this information before it reaches the sender. This means that when the sender retransmits a segment it may fall within the receive window known to the sender, but if the original segment was in fact received by the receiver then a new receive window announcement, one that does not include the segment, may be on the way from the receiver to the sender. A gateway that picks up the new receive window announcement before the retransmitted segment will come to the conclusion that the segment's sequence number is too low.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPSeqTooLowLogLevel is the tool that can be used to filter out normal/expected occurrences of this event. The configured log level is shown in
the parameter loglevel and the parameter value holds the corresponding value for this packet. The gateway's response to this event is also controlled by the setting TCPSettings:TCPSeqNumValidationMode.
2.50.70. [ID: 601] Too low sequence number in ICMP message
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too low sequence number in ICMP message.
- Default Log Severity
- Notice
- Parameters
- seqno, min, max, loglevel, value, flow, pkt, user, userid
- Explanation
- The sequence number in the TCP packet encapsulated in an ICMP message was below the receive window announced by the intended
receiver of the encapsulated packet. Either the sequence number had already been acknowledged or it had never been used at
all.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPSeqNumValidationMode is the primary control of the gateway's response to this event. To filter out events caused by network conditions the setting TCPSettings:TCPSeqTooLowLogLevel also applies. The configured log level is shown in the parameter loglevel and the parameter value holds the corresponding value for this packet.
2.50.71. [ID: 560] Truncated TCP header encapsulated in ICMP[...]
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Truncated TCP header encapsulated in ICMP message.
- Default Log Severity
- Notice
- Parameters
- avail, hdrlen, setting, flow, pkt, user, userid
- Explanation
- Only a part of the encapsulated packet's TCP header was available in the ICMP packet. The parameter avail shows how much of the encapsulated packet's IP payload was available and the parameter hdrlen holds the length of the TCP header.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPTruncHeaderInICMP controls how the gateway handles ICMP packets with a truncated TCP header in the encapsulated packet.
2.50.72. [ID: 498] Too high TCP acknowledgment
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Too high TCP acknowledgment.
- Default Log Severity
- Notice
- Parameters
- ackseqno, max, gap, state, flow, pkt, user, userid
- Explanation
- The TCP acknowledgment in the packet announced that data not yet sent by the peer already had been received.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.73. [ID: 479] Unacceptable initial TCP acknowledgment
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Unacceptable initial TCP acknowledgment.
- Default Log Severity
- Notice
- Parameters
- ackseqno, min, max, state, flow, pkt, user, userid
- Explanation
- The first TCP acknowledgment received on the flow did not match the sequence numbers of the packets sent in the other direction.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The gateway's response to this event is configured through the setting TCPSettings:TCPSeqNumValidationMode.
2.50.74. [ID: 541] Unused non-zero ACK
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Unused non-zero ACK.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The acknowledgment field in the packet was set even though the ACK flag was cleared. It is recommended to at least strip this
information from the packet to prevent unfiltered data from being tunneled within the acknowledgment field. Also, some operating
systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established
connections.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPUnusedNonZeroAckField controls the gateway's behavior when an unused non-zero acknowledgment field is found.
2.50.75. [ID: 337] Unused non-zero urgent pointer
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Unused non-zero urgent pointer.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The urgent pointer field in the packet was set even though the URG flag was cleared. It is recommended to at least strip this
information from the packet to prevent unfiltered data from being tunneled within the urgent pointer field.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPUnusedNonZeroUrgField controls the gateway's behavior when an unused non-zero urgent pointer field is found.
2.50.76. [ID: 335] Multiple TCP options of the same kind
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Multiple TCP options of the same kind.
- Default Log Severity
- Warning
- Parameters
- tcpopt, flow, pkt, user, userid
- Explanation
- The packet contained more than one TCP option of a type that should not occur more than once in a packet.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- None
2.50.77. [ID: 250] No new flow for this packet
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- No new flow for this packet.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- No flow matched the TCP packet and the packet was not a plain SYN, so it was not allowed to set up a new flow.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- None
2.50.78. [ID: 252] TCP option not negotiated
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- TCP option not negotiated.
- Default Log Severity
- Warning
- Parameters
- tcpopt, flow, pkt, user, userid
- Explanation
- Some TCP options must be negotiated during the handshake before they can be used. The dropped packet contained such an option,
as indicated by the parameter tcpopt, but that option had not been negotiated on the flow.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this event is triggered frequently then the gateway can be configured to silently strip the type of option that is causing the problem as a workaround while the problem is investigated and resolved. Stripping options is controlled by the TCPOPT_* settings.
2.50.79. [ID: 381] SACK option without the ACK flag set
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- SACK option without the ACK flag set.
- Default Log Severity
- Warning
- Parameters
- tcpopt, flow, pkt, user, userid
- Explanation
- The packet contained a SACK option without having the ACK flag set.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- None
2.50.80. [ID: 1011] New TCP flow denied
- Log Categories
- TCP,STATELESS,FLOW
- Log Message
- New TCP flow denied.
- Default Log Severity
- Notice
- Parameters
- pkt
- Explanation
- The configured stateless IP rule only allows existing TCP streams to set up new flows.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- To allow new TCP streams, the IP rule's StatelessAllowNewTCP setting must be changed.
2.50.81. [ID: 208] Disallowed flag set
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Disallowed flag set.
- Default Log Severity
- Notice
- Parameters
- flag, setting, flow, pkt, user, userid
- Explanation
- The TCP packet had an uncommon, unusual or poorly standardized flag set.
- Gateway Action
- Strip
- Action Description
- The flag indicated by the parameter flag was stripped from the packet
- Proposed Action
- Investigate the source of this strange packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPUrg, TCPSettings:TCPECN or TCPSettings:TCPRF, depending on the flag in question. The parameter setting shows which of the settings was applied to the packet.
2.50.82. [ID: 491] Bad TCP option length
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Bad TCP option length.
- Default Log Severity
- Notice
- Parameters
- tcpopt, len, expectlen, setting, flow, pkt, user, userid
- Explanation
- While parsing the TCP header an option with an invalid length, for that specific option type, was found.
- Gateway Action
- Strip
- Action Description
- The broken option and any other options following the broken option were removed from the packet
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to
this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
2.50.83. [ID: 322] Disallowed flag combination
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Disallowed flag combination.
- Default Log Severity
- Notice
- Parameters
- goodflag, badflag, setting, flow, pkt, user, userid
- Explanation
- The TCP packet had an unusual, and normally invalid, flag combination set.
- Gateway Action
- Strip
- Action Description
- The flag indicated by badflag was stripped from the packet
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway can be configured to either silently take action on such packets or just ignore them altogether by modifying one of the settings TCPSettings:TCPSynUrg, TCPSettings:TCPSynPsh, TCPSettings:TCPSynRst, TCPSettings:TCPSynFin, TCPSettings:TCPRstFin or TCPSettings:TCPFinUrg, depending on which flag combination the packet had. The parameter setting shows which of the settings was applied to the packet.
2.50.84. [ID: 329] Invalid TCP option length
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Invalid TCP option length.
- Default Log Severity
- Notice
- Parameters
- tcpopt, len, setting, flow, pkt, user, userid
- Explanation
- A TCP option with explicit length had an invalid length. No option with explicit length can be shorter than two bytes (one
byte to indicate the kind of option and one byte to indicate the length).
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to
this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
2.50.85. [ID: 241] Non-zero header padding
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Non-zero header padding.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The padding between the option field and the end of the header was found to be non-zero. It is recommended to at least strip
this information from the packet to prevent unfiltered data from being tunneled within the padding.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- The setting TCPSettings:TCPNonZeroHeaderPadding controls the gateway's behavior when non-zero header padding is found.
2.50.86. [ID: 352] SACK block announced data not sent
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- SACK block announced data not sent.
- Default Log Severity
- Notice
- Parameters
- sackblock, max, tcpopt, setting, flow, pkt, user, userid
- Explanation
- The SACK option in the packet announced that data not yet sent by the peer already had been received.
- Gateway Action
- Strip
- Action Description
- The whole SACK option is removed from the packet
- Proposed Action
- The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.
2.50.87. [ID: 581] Non-first SACK block announced acknowledged[...]
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Non-first SACK block announced acknowledged data.
- Default Log Severity
- Notice
- Parameters
- sackblock, ackseqno, tcpopt, setting, flow, pkt, user, userid
- Explanation
- A non-first SACK block acknowledged data already acknowledged by the standard acknowledgment field in the header. Only the
first SACK block is allowed to do that.
- Gateway Action
- Strip
- Action Description
- The whole SACK option is removed from the packet
- Proposed Action
- The gateway's reaction to this event is controlled by the setting TCPSettings:TCPInconsistentSACK.
2.50.88. [ID: 253] Disallowed TCP option
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Disallowed TCP option.
- Default Log Severity
- Notice
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- The packet contained an option of the kind indicated by the parameter tcpopt.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- The gateway's action when it finds an option of this type is controlled by the setting indicated by the parameter setting.
2.50.89. [ID: 391] SYN only option in non-SYN segment
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- SYN only option in non-SYN segment.
- Default Log Severity
- Notice
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- A TCP option that only should occur in packets with the SYN flag set was found in a packet with the SYN flag cleared.
- Gateway Action
- Strip
- Action Description
- None
- Proposed Action
- Investigate the source of the packet and try to fix the problem there. If that is not possible then the gateway's behavior
can be adjusted through the setting TCPSettings:TCPSynOptInNonSyn.
2.50.90. [ID: 194] TCP option length missing
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP option length missing.
- Default Log Severity
- Notice
- Parameters
- tcpopt, setting, flow, pkt, user, userid
- Explanation
- A TCP option with explicit length was found at a position in the header such that the length information fell outside of the
header.
- Gateway Action
- Strip
- Action Description
- The broken option was removed from the packet
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to
this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
2.50.91. [ID: 351] TCP option does not fit in the header
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- TCP option does not fit in the header.
- Default Log Severity
- Notice
- Parameters
- tcpopt, len, avail, setting, flow, pkt, user, userid
- Explanation
- A TCP option with a length that exceeded the remaining part of the header was found in the packet.
- Gateway Action
- Strip
- Action Description
- The broken option was removed from the packet.
- Proposed Action
- Investigate the source of this erroneous packet. If the problem can't be fixed at the source then the gateway's response to
this event can be changed through the setting TCPSettings:TCPBadOptionLengths.
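The stateless header and option checks described in entries such as "Invalid TCP header length", "Invalid TCP option length", "TCP option length missing", "TCP option does not fit in the header", "Bad TCP option length", "Multiple TCP options of the same kind", "Window scale shift count exceeds 14" and "Non-zero header padding" can be reproduced offline when triaging a capture. The following is an added example, not the gateway's own code: the function names, the order of the checks and the sample segments are assumptions, and the mapping of each condition to a log message follows the explanations in this section.

```python
import struct

# Fixed lengths of well-known options (kind -> total length in bytes):
# MSS (2), Window Scale (3), SACK-Permitted (4), Timestamps (8).
EXPECTED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}
ONCE_ONLY = set(EXPECTED_LEN)  # assumption: these kinds may occur once per packet


def validate_tcp_header(segment: bytes) -> list[tuple[str, dict]]:
    """Return (log message, parameters) pairs for anomalies in one TCP header."""
    if len(segment) < 20:
        raise ValueError("need at least the 20-byte fixed TCP header")
    hdrlen = (segment[12] >> 4) * 4  # data offset is counted in 32-bit words
    if hdrlen < 20:
        return [("Invalid TCP header length", {"hdrlen": hdrlen})]
    if hdrlen > len(segment):
        raise ValueError("header extends past the captured bytes")

    findings: list[tuple[str, dict]] = []
    opts = segment[20:hdrlen]
    seen: set[int] = set()
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List: everything after it is padding
            if any(opts[i + 1:]):
                findings.append(("Non-zero header padding", {}))
            break
        if kind == 1:  # NOP is a single byte with no length field
            i += 1
            continue
        avail = len(opts) - i
        if avail < 2:  # the length byte itself lies outside the header
            findings.append(("TCP option length missing", {"tcpopt": kind}))
            break
        length = opts[i + 1]
        if length < 2:  # kind byte + length byte is the minimum
            findings.append(("Invalid TCP option length",
                             {"tcpopt": kind, "len": length}))
            break
        if length > avail:
            findings.append(("TCP option does not fit in the header",
                             {"tcpopt": kind, "len": length, "avail": avail}))
            break
        expect = EXPECTED_LEN.get(kind)
        if expect is not None and length != expect:
            findings.append(("Bad TCP option length",
                             {"tcpopt": kind, "len": length, "expectlen": expect}))
            break  # the remaining options can no longer be trusted
        if kind in ONCE_ONLY:
            if kind in seen:
                findings.append(("Multiple TCP options of the same kind",
                                 {"tcpopt": kind}))
            seen.add(kind)
        if kind == 3 and opts[i + 2] > 14:
            findings.append(("Window scale shift count exceeds 14",
                             {"tcpopt": kind, "value": opts[i + 2]}))
        i += length
    return findings


def build_header(options: bytes, flags: int = 0x02) -> bytes:
    """Constructed sample segment: fixed header (SYN by default) plus options."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0,
                        offset << 4, flags, 65535, 0, 0)
    return fixed + options


# Constructed option fields, one per condition (hex of the option bytes only).
SAMPLES = {
    "clean": "020405b401030307",
    "shift count 15": "020405b40103030f",
    "MSS with length 3": "020305b4",
    "timestamp cut short": "080a0000",
    "kind byte at header end": "01010102",
    "length below two": "02010000",
    "data after end-of-list": "020405b400414243",
    "MSS announced twice": "020405b402040218",
}

if __name__ == "__main__":
    for label, hexopts in SAMPLES.items():
        result = validate_tcp_header(build_header(bytes.fromhex(hexopts)))
        print(f"{label:26} {result}")
```
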
2.50.92. [ID: 429] Unused non-zero ACK
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Unused non-zero ACK.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The acknowledgment field in the packet was set even though the ACK flag was cleared. It is recommended to at least strip this
information from the packet to prevent unfiltered data from being tunneled within the acknowledgment field. Also, some operating
systems reveal sequence number information this way, which can make it easier for intruders wanting to hijack established
connections.
- Gateway Action
- Strip
- Action Description
- The acknowledgment field was set to zero
- Proposed Action
- The setting TCPSettings:TCPUnusedNonZeroAckField controls the gateway's behavior when an unused non-zero acknowledgment field is found.
2.50.93. [ID: 245] Unused non-zero urgent pointer
- Log Categories
- TCP,STATELESS,VALIDATE
- Log Message
- Unused non-zero urgent pointer.
- Default Log Severity
- Notice
- Parameters
- setting, flow, pkt, user, userid
- Explanation
- The urgent pointer field in the packet was set even though the URG flag was cleared. It is recommended to at least strip this
information from the packet to prevent unfiltered data from being tunneled within the urgent pointer field.
- Gateway Action
- Strip
- Action Description
- The urgent pointer field was set to zero
- Proposed Action
- The setting TCPSettings:TCPUnusedNonZeroUrgField controls the gateway's behavior when an unused non-zero urgent pointer field is found.
2.50.94. [ID: 188] Unexpected TCP flags
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Unexpected TCP flags.
- Default Log Severity
- Warning
- Parameters
- flags, state, flow, pkt, user, userid
- Explanation
- The TCP packet had a TCP flag set that is not expected to be set in the current state of the TCP connection.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- This log message can be turned off by the setting TCPSettings:TCPLogStateViolations.
2.50.95. [ID: 433] Unexpected SYN packet
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- Unexpected SYN packet.
- Default Log Severity
- Warning
- Parameters
- seqno, origseqno, flags, offset, state, flow, pkt, user, userid
- Explanation
- The TCP packet's combination of sequence number and SYN flag, or the mere existence of the SYN flag, was unexpected in the current state of the TCP connection. There are several reasons why this event can occur. The first is that a handshake packet has been retransmitted even though it was not necessary to establish the connection and then been delayed more than most other packets on the connection. In this case the parameters seqno and origseqno should match. If the ACK flag is not set, according to the flags parameter, then it could be an attempt to set up a new connection before the flow state belonging to a previous connection has timed out. Such an attempt is only valid if either the old connection has been torn down or if it never was properly established. The parameter state should give an indication of the state of the old connection. SYN_RECVD, FIN_RCVD and TIME_WAIT are valid connection states for reopening the flow state. The packet could also be an indication of a broken device or be a part of some network scan or some other malicious activity.
- Gateway Action
- Drop
- Action Description
- None
- Proposed Action
- If this appears to be an attempt to set up a new connection while the flow state of a previous connection still exists, then consider changing the setting TCPSettings:TCPAllowReopen to allow the flow state to be reopened/reused. The parameter offset is intended as an aid in deciding whether to allow any sequence number to reopen the flow state or just those that are higher than the sequence numbers used on the old connection. If the offset is greater than zero, then it should be sufficient to allow only higher sequence numbers; otherwise any sequence number must be allowed for the setting to have the intended effect. If allowing flow states to be reopened is not an option, then an alternative solution is to reduce the idle lifetime for TCP flow states during setup and/or tear-down, to make it less likely that the same connection will be reused before the flow state has timed out. However, reducing the idle lifetimes too much can cause other problems, for instance, with connection establishment. This log message can be turned off by the setting TCPSettings:TCPLogStateViolations.
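The reasoning in this entry can be applied mechanically when many such events need triage. The following is an added example, not part of the gateway or its tooling: the events are constructed dicts keyed by the entry's parameter names, the flags string format and the ESTABLISHED state name are assumptions, and the order of the checks is this example's choice.

```python
import re

# States the Explanation lists as valid for reopening the flow state.
REOPENABLE_STATES = {"SYN_RECVD", "FIN_RCVD", "TIME_WAIT"}


def has_flag(flags, name):
    """Assumes `flags` is a delimited string of flag names such as 'SYN,ACK'."""
    return name in re.split(r"[\s,|+]+", flags.upper())


def triage_unexpected_syn(event):
    """Return (verdict, note) for one 'Unexpected SYN packet' (ID 433) event."""
    # Case 1: a retransmitted and delayed handshake packet repeats the
    # original sequence number, so seqno and origseqno match.
    if int(event["seqno"]) == int(event["origseqno"]):
        return ("delayed-handshake-retransmit", "seqno matches origseqno")
    # Case 2: SYN without ACK on a flow whose old connection was torn down or
    # never established: a new connection arriving before the state expired.
    if not has_flag(event["flags"], "ACK") and event["state"] in REOPENABLE_STATES:
        if int(event["offset"]) > 0:
            note = "allowing only higher sequence numbers should be sufficient"
        else:
            note = "any sequence number must be allowed to have the intended effect"
        return ("reopen-attempt", "consider TCPSettings:TCPAllowReopen; " + note)
    # Case 3: neither explanation fits.
    return ("investigate", "broken device, network scan or other malicious activity")


# Constructed sample events; values are illustrative only.
SAMPLE_EVENTS = [
    {"seqno": "1000", "origseqno": "1000", "flags": "SYN,ACK",
     "offset": "0", "state": "ESTABLISHED"},
    {"seqno": "90500", "origseqno": "1000", "flags": "SYN",
     "offset": "89400", "state": "TIME_WAIT"},
    {"seqno": "500", "origseqno": "1000", "flags": "SYN",
     "offset": "-600", "state": "FIN_RCVD"},
    {"seqno": "7777", "origseqno": "1000", "flags": "SYN",
     "offset": "6000", "state": "ESTABLISHED"},
]


def triage_all(events):
    """Verdicts for a batch of events, in input order."""
    return [triage_unexpected_syn(e)[0] for e in events]
```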
2.50.96. [ID: 510] TCP state tracking requires stricter[...]
- Log Categories
- TCP,STATEFUL
- Log Message
- TCP state tracking requires stricter validation.
- Default Log Severity
- Error
- Parameters
- setting, min
- Explanation
- The implementation of the TCP state tracking assumes that certain strange packets are handled during validation. The current configuration breaks that assumption and is therefore not supported.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- Change the configuration to comply and report this error to the vendor's support organization. If you need to use the current settings, then TCP state tracking must be disabled and the traffic forwarded using only some lighter validation.
2.50.97. [ID: 293] TCP window shrinking
- Log Categories
- TCP,STATEFUL,VALIDATE
- Log Message
- TCP window shrinking.
- Default Log Severity
- Information
- Parameters
- old, new, gap, flags, ackseqno, state, flow, pkt, user, userid
- Explanation
- A new receive window was announced on the flow. However, the previous receive window announcement accepted higher sequence numbers than the new one. This means that the sender of this segment has revoked previous claims that it is willing to accept a certain range of sequence numbers. This is discouraged behavior and could cause packets to be dropped because their sequence numbers are too high. The parameter gap contains the size of the sequence number range which is no longer announced as part of the receive window.
- Gateway Action
- None
- Action Description
- None
- Proposed Action
- None