Community discussions

MikroTik App
 
jmay
Member
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

What exactly causes "Invalid Connection" State?

Tue Apr 27, 2010 8:27 pm

I created a firewall rule on the forward chain to drop all packets marked invalid with a destination address of my email server. When I enable this some computers are very slow to load the mail servers web page and looking at the mikrotik log I'll see dozens of invalid connection warnings from the computers mac address to the mail server port 443. On other computers there is no log and the page loads very fast. What could be causing this?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: What exactly causes "Invalid Connection" State?

Wed Apr 28, 2010 9:30 am

Invalid packet is packet that does not belong to any already established connection (no entry in connection tracking) and is not syn packet that establishes new connection.
 
jmay
Member
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: What exactly causes "Invalid Connection" State?

Wed Apr 28, 2010 8:14 pm

Any idea what this is trying to tell me? The errors I log look something like these:

When browsing our webmail site:
invalid connections forward:in:ether2 out:ether2, src-mac 00:00:00:00:00:00, proto TCP (ACK, PSH). x.x.x.x:52317->x.x.x.x:443 len 20

When checking via outlook:
invalid connections forward:in:ether2 out:ether2, src-mac 00:00:00:00:00:00, proto TCP (ACK, PSH). x.x.x.x:51699->x.x.x.x:143 len 20


There will usually be 30 or so per attempt and the "len" varies each time and the port on the first IP address can vary also.
 
rumiclord
Frequent Visitor
Frequent Visitor
Posts: 65
Joined: Fri Jul 23, 2010 10:20 pm

Re: What exactly causes "Invalid Connection" State?

Thu May 12, 2011 12:12 am

After looking at the date this was posted, this is old news... but the way I understand that is the port of the "first ip" will change because that is the end-users computer that is connecting to your mail server, it will use whatever port it knows is not in use to open the connection from its side, the port will not change on the destination device... looks like u are using secure login (443) and imap (143). I take it that you editted the src-mac address to read all 0's, otherwise these are fake mac-addresses, which is prolly why they are getting tagged as invalid. If they were real mac's then maybe a firmware issue was causing your slow responses... could also be a number of issues, with the computers in question.
Invalid packet is packet that does not belong to any already established connection (no entry in connection tracking) and is not syn packet that establishes new connection.
What I get from this is a packet that has no place being sent to your server in any form or fashion, I could be wrong, but I see dropping invalid connection-state packets something that could always be implemented without ill-effects... Can I get a response on this thought please...
 
infused
Member
Member
Posts: 313
Joined: Fri Dec 28, 2012 2:33 pm

Re: What exactly causes "Invalid Connection" State?

Wed Feb 27, 2013 11:26 pm

Bumping this as I have a similar issue. I enabled this and my gre tunnel to a cisco device dropped. Any ideas?

Who is online

Users browsing this forum: dj23, ekinsl and 77 guests