LostBoY
Advisor

Logs with Blank Action

I was studying logs for a VOIP connection and I came across a few logs where Action is blank in the log table. I also noticed the direction arrow on the interface is reversed and the rule no. is also missing for these.

Attaching a screenshot below. Would like to understand what these are for and do they suggest an issue?

scshot.png

0 Kudos
8 Replies
PhoneBoy
Admin

When you open up the log card on those logs, what does it say?

0 Kudos
LostBoY
Advisor

There is no message like allowed or denied. It just states source, destination and traffic from src to dst over 5061.

I was wondering if it somehow signifies return traffic, looking at the direction on the bond interface. For all these absent action entries the direction is reversed on the bond interface.

0 Kudos
PhoneBoy
Admin

I'm assuming this is related to an existing SIP session and you're logging individual connections versus consolidating into sessions.
In which case the "Accept" rule is implied since it's being permitted via the state table and not an explicit rule.

0 Kudos
K_D
Explorer

Hey PB, I have recently noticed these types of log entries as well and was also curious why I don't understand. I *thought* I understood that a packet arriving at the gateway for an established connection already in the state table was not logged. But if the packet is a SYN request for a new connection it would be logged? And if there were already an entry in the state table for this connection that would indicate improper teardown on the prior connection? Is something strange going on here like a packet without a proper sequence number? But wouldn't that be dropped? A SYN packet that somehow randomly matches the sequence number of another connection in the state table?

I attached what I think you were asking for RE "Log Card" on an example.

Also I have to admit I'm not sure I have any experience with "logging individual connections versus consolidating into sessions", can you provide me an SK number or something?

 

Thanks for all of your good work -- 

0 Kudos
Timothy_Hall
Legend

Can you please expose the timestamps in your first screenshot showing multiple logs?  It looks like the two "blank" connections are associated with the "Accept" that follows but matching on different service objects.  Almost like it has something to do with "Match for Any" or even Smart Connection reuse.  Also on the rule that is creating the log entry with the "Accept", please right click and click More in that rule's Track column to expose the hidden Log Generation options that are set.  Looks like you only have "per Connection" set but I want to make sure.  I'll be talking about these hidden Log Generation options in my upcoming speech at CPX.

0 Kudos
K_D
Explorer

Yes you are correct that "per Connection" is set.  And to clarify I did not post the original question I was adding to the thread because I had the same issue as the original poster.  I added the Log Card after Phone Boy indicated it would be helpful. 

0 Kudos
the_rock
Legend

I've seen these types of logs many times, even with TAC on the phone when troubleshooting, but it would be nice to know what they actually mean. I can't really follow any logic as far as times/occasions when they show up. Seen them for HTTPS inspection, VoIP, VPN...

0 Kudos
dunkelmorten
Participant

Was there any news or explanation for this? Also having the same in my logs without any matching rule nor any accept log entries before these "connection" log entries. Wondering where these are coming from and how they can occur without having SYN packets received at all (no SYN packets for session establishing in last 7 days at all). Noticing this for tcp/631 ports instead of SIP.

0 Kudos
