Forward invalid: horrible problem, lots of packets

Hi, I have a horrible problem with forward invalid packets, and I can't cope with it.

Clients are nervous and I understand them.

Cut of the log (chain drop, state invalid, action log):

Dec/27/2013 23:56:41 firewall,info INVALID forward: in:Public out:<pppoe-xxxxx>, src-mac 00:0c:29:e8:a6:af, proto TCP (SYN,ACK), 64.40.7.110:10677->15x.13x.xx.103:7936, len 44
Dec/27/2013 23:56:41 firewall,info INVALID forward: in:bridge1 out:Public, src-mac 00:0e:8e:3b:b6:98, proto TCP (RST), 15x.13x.xx.103:7936->64.40.7.110:10677, len 40
Dec/27/2013 23:56:42 firewall,info INVALID forward: in:Public out:bridge1, src-mac 00:0c:29:e8:a6:af, proto TCP (SYN,ACK), 46.105.111.169:80->15x.13x.xx.116:26708, len 44
Dec/27/2013 23:56:45 firewall,info INVALID forward: in:bridge1 out:Public, src-mac 00:0e:8e:3b:b6:98, proto ICMP (type 3, code 1), 15x.13x.xx.253->46.105.111.169, len 72
Dec/27/2013 23:56:52 firewall,info INVALID forward: in:<pppoe-yyyyy> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->217.110.97.198:80, len 40
Dec/27/2013 23:56:52 firewall,info INVALID forward: in:<pppoe-yyyyy> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->217.110.97.198:80, len 40
Dec/27/2013 23:56:53 firewall,info INVALID forward: in:<pppoe-yyyyy> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->217.110.97.198:80, len 40
Dec/27/2013 23:56:54 firewall,info INVALID forward: in:<pppoe-yyyyy> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->217.110.97.198:80, len 40
Dec/27/2013 23:56:57 firewall,info INVALID forward: in:<pppoe-yyyyy> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->217.110.97.198:80, len 40
Dec/27/2013 23:57:01 firewall,info INVALID forward: in:<pppoe-zzzzzz> out:Public, proto TCP (ACK,RST), 192.168.10.31:52258->108.160.162.53:443, len 40
Dec/27/2013 23:57:01 firewall,info INVALID forward: in:<pppoe-yyyyy> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->217.110.97.198:80, len 40
Dec/27/2013 23:57:03 firewall,info INVALID forward: in:<pppoe-aaaaa> out:Public, proto TCP (RST), 192.168.10.65:45337->31.13.81.97:443, len 40

and there are thousands of them, and I have no idea what it can be.

Clients are connected to a Juniper EX3300, and to the Juniper is connected a Dell ESXi hypervisor with two guests: a BGP router, which seems to be alright, and a NAT/PPPoE server.

ESXi 5.1 update 1
vmnics are all e1000; ROS can't even see vmxnet3 (or 2).

4 vCPUs, 2 GB of RAM for each VM.

In some time I'll move to Proxmox for the host, but first I have to solve the problem.

Has anybody had such a problem, or does anybody know how to cope with it?
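As an added triage aid (not part of the original post or of RouterOS), the following script parses firewall log lines in the exact format quoted above, sorts each INVALID drop into the kind of state-table miss it most likely represents, and reports which 5-tuples repeat. The split between "inbound SYN,ACK with no tracked SYN" and "late FIN/RST after the entry expired" is the first thing to look at: the latter is normal tail-end traffic, while a steady stream of the former from many peers points at asymmetric paths through the router. The sample log lines are constructed from the post's format using documentation addresses, and the assumption that the WAN interface is named "Public" is taken from the post.

```python
import re
from collections import Counter

# Regex for the RouterOS firewall log format quoted in the post. The
# "src-mac" field is optional (lines from PPPoE interfaces lack it) and the
# parenthesised detail holds TCP flags or an ICMP type/code pair.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>[^,\s]+) out:(?P<out_if>[^,\s]+),"
    r"(?: src-mac (?P<src_mac>[0-9a-f:]{17}),)?"
    r" proto (?P<proto>\w+)(?: \((?P<detail>[^)]*)\))?,"
    r" (?P<src>[^,\s]+)->(?P<dst>[^,\s]+), len (?P<length>\d+)$"
)

# Constructed sample, modelled on the post's output (not the poster's real addresses).
SAMPLE_LOG = """\
Dec/27/2013 23:56:41 firewall,info INVALID forward: in:Public out:<pppoe-client1>, src-mac 00:0c:29:00:00:01, proto TCP (SYN,ACK), 198.51.100.10:10677->203.0.113.103:7936, len 44
Dec/27/2013 23:56:41 firewall,info INVALID forward: in:bridge1 out:Public, src-mac 00:0e:8e:00:00:02, proto TCP (RST), 203.0.113.103:7936->198.51.100.10:10677, len 40
Dec/27/2013 23:56:45 firewall,info INVALID forward: in:bridge1 out:Public, src-mac 00:0e:8e:00:00:02, proto ICMP (type 3, code 1), 203.0.113.253->198.51.100.20, len 72
Dec/27/2013 23:56:52 firewall,info INVALID forward: in:<pppoe-client2> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->198.51.100.30:80, len 40
Dec/27/2013 23:56:53 firewall,info INVALID forward: in:<pppoe-client2> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->198.51.100.30:80, len 40
Dec/27/2013 23:56:54 firewall,info INVALID forward: in:<pppoe-client2> out:Public, proto TCP (ACK,FIN), 192.168.10.52:57814->198.51.100.30:80, len 40
Dec/27/2013 23:57:03 firewall,info INVALID forward: in:<pppoe-client3> out:Public, proto TCP (RST), 192.168.10.65:45337->198.51.100.40:443, len 40
this line is not a firewall log entry
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    rec["detail"] = rec["detail"] or ""
    return rec


def classify(rec, wan_if="Public"):
    """Map one INVALID record to the state-table miss it most likely represents.

    These are triage heuristics, not verdicts: every packet here was already
    dropped by the invalid rule; the question is whether it is harmless
    tail-end traffic or evidence that replies bypass the tracked path.
    """
    if rec["proto"] == "ICMP":
        return "icmp-error-without-flow"          # ICMP error for a flow no longer tracked
    flags = set()
    if rec["proto"] == "TCP":
        flags = {f.strip() for f in rec["detail"].split(",") if f.strip()}
    inbound = rec["in_if"] == wan_if
    if "SYN" in flags and "ACK" in flags and inbound:
        return "inbound-synack-no-syn-seen"       # reply to a SYN the router never tracked
    if "RST" in flags or "FIN" in flags:
        return "teardown-after-state-expired"     # late FIN/RST for an already-closed entry
    return "other"


def summarize(lines, wan_if="Public"):
    """Count INVALID drops per category and find 5-tuples that repeat (retransmits)."""
    by_category = Counter()
    flows = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["prefix"] != "INVALID":
            continue
        by_category[classify(rec, wan_if)] += 1
        flows[(rec["proto"], rec["src"], rec["dst"], rec["detail"])] += 1
    repeated = {flow: n for flow, n in flows.items() if n > 1}
    return {"by_category": dict(by_category), "repeated_flows": repeated, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for category, count in sorted(result["by_category"].items()):
        print(f"{count:5d}  {category}")
    for flow, count in result["repeated_flows"].items():
        print(f"repeated x{count}: {flow}")
    print(f"unparsed lines: {result['unparsed']}")
```

Feed it the real log (for example the output of a `/log print` redirected to a file) instead of SAMPLE_LOG; if most hits land in the teardown bucket and the repeated flows are the same client retransmitting a FIN, the drops are cosmetic, whereas a large "inbound-synack-no-syn-seen" count across many destinations is worth chasing as a routing or NAT-path issue before tuning timeouts.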

What is your bridge config? Is NAT configured?

Hi, thanks for the reply, sorry for the delay, New Year etc. :wink:

On the bridge there is only the Ethernet port (because only on the bridge firewall could I drop unknown DHCP requests from a few MAC addresses).

interface bridge pr
Flags: X - disabled, R - running 
 0  R name="bridge1" mtu=1500 l2mtu=65535 arp=enabled mac-address=00:0C:29:23:7C:BD protocol-mode=none priority=0x8000 auto-mac=no admin-mac=00:0C:29:23:7C:BD max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m



interface bridge port  pr
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                                                                                                    BRIDGE                                                                                                    PRIORITY  PATH-COST    HORIZON
 0    Local                                                                                                        bridge1                                                                                                       0x80         10       none
 1 X  eoip-tunnel1



/interface pppoe-server server pr
Flags: X - disabled 
 0   service-name="PPPoE Service" interface=bridge1 max-mtu=1480 max-mru=1480 mrru=disabled authentication=pap,chap keepalive-timeout=30 one-session-per-host=yes max-sessions=0 default-profile=default

39 active connections + 5 DHCP

The problem seems to be with both NATed and un-NATed clients.