
RV260P: Need help deciphering a firewall log entry

ReedMikel
Level 1

I have a Port Forwarding rule set to forward port 5721 (TCP) to a LAN server (10.10.0.6). It's working (and has been) for a long time. But in looking at the logs today I stumbled across the entry below. I'm trying to figure out why this packet is being dropped. While I recognize all the basic pieces of info below (e.g. DST_MAC, SRC_MAC, SRC, DST, etc.), there are some acronyms that I am clueless about (e.g. TOS, PREC). Does Cisco provide any docs on understanding their logs?

I assume "eth0" = WAN?  "eth2.1" - maybe ethernet port 2?

kernel: [3355945.955220] FIREWALL:PACKET DROPIN=eth0 OUT=eth2.1
DST_MAC=68:9c:e2:a0:e2:38 SRC_MAC=:00:17:10:8e:09:1e
src=72.76.243.160 DST=10.10.0.6 LEN=52 TOS=0x00
PREC=0x00 TTL=116 ID=4653 DF PROTO=TCP SPT=63380 DPT=5721
WINDOW=251 RES=0x00 ACK PSH URGP=0 MARK=0xff00


We also had this occur here. Logs show a block of 5 lines (see below) occurring twice, once on a Monday and again the following Tuesday, during our normal business hours. I am investigating this as a TCP SYN Flood attack that was unacknowledged (blocked), and after the second attack I have a boatload of errors from BCAP (see further below). I am going to get in touch with support on this.

 

2021-01-19T05:23:23-08:00 <warning>kernel: [6463664.486096] FIREWALL SYN-FLOOD:IN=eth2 OUT= DST_MAC=28:ac:9e:0d:f6:88 SRC_MAC=:10:93:97:0d:39:f0 src=8.252.197.126 DST=192.168.2.90 LEN=1500 TOS=0x00 PREC=0x00 TTL=58 ID=29549 PROTO=TCP SPT=80 DPT=50573 WINDOW=501 RES=0x00 ACK URGP=0 MARK=0xff00

 

BCAP server error (704): Invalid major or minor version

If @1st you don't succeed, then try something else and remember the best design is the simplest one that works.
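Both log lines quoted in this thread (the PACKET DROP entry in the original post and the SYN-FLOOD entry in the reply) are standard netfilter LOG output from the router's Linux kernel. The rule's log prefix is printed immediately before IN= with no separator, which is why the first entry reads "PACKET DROPIN=eth0" rather than "PACKET DROP IN=eth0". TOS and PREC are two masks of the same IPv4 TOS byte (netfilter prints TOS as the byte ANDed with 0x1E and PREC as the byte ANDed with 0xE0, the 3-bit IP precedence); DF is the IP Don't Fragment bit; ACK, PSH, SYN and so on are the TCP flags that were set. The parser below is an added example written for this page, not code from Cisco or from either poster. It splits an entry into fields, decodes TOS/PREC, lists the TCP flags, classifies the segment by its flags, and estimates the hop count from the TTL. The two sample lines are the ones quoted above, re-joined onto single lines; the function names and the TTL heuristic (assuming the sender started at 64, 128 or 255) are assumptions of this example, not anything the RV260P documents.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two entries quoted in this thread, each re-joined
# onto a single line exactly as the kernel would have emitted it.
SAMPLE_LOGS = [
    "kernel: [3355945.955220] FIREWALL:PACKET DROPIN=eth0 OUT=eth2.1 "
    "DST_MAC=68:9c:e2:a0:e2:38 SRC_MAC=:00:17:10:8e:09:1e "
    "src=72.76.243.160 DST=10.10.0.6 LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=4653 DF "
    "PROTO=TCP SPT=63380 DPT=5721 WINDOW=251 RES=0x00 ACK PSH URGP=0 MARK=0xff00",
    "2021-01-19T05:23:23-08:00 <warning>kernel: [6463664.486096] FIREWALL SYN-FLOOD:IN=eth2 OUT= "
    "DST_MAC=28:ac:9e:0d:f6:88 SRC_MAC=:10:93:97:0d:39:f0 src=8.252.197.126 DST=192.168.2.90 "
    "LEN=1500 TOS=0x00 PREC=0x00 TTL=58 ID=29549 PROTO=TCP SPT=80 DPT=50573 WINDOW=501 "
    "RES=0x00 ACK URGP=0 MARK=0xff00",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
IP_FLAGS = {"DF", "MF", "CE"}   # bare tokens netfilter prints for IP header bits


@dataclass
class FirewallLogEntry:
    tag: str                                     # text the rule's log prefix put before IN=
    fields: dict = field(default_factory=dict)   # KEY=value pairs, keys uppercased
    tcp_flags: set = field(default_factory=set)
    ip_flags: set = field(default_factory=set)


def parse_entry(line: str) -> FirewallLogEntry:
    """Split one netfilter LOG line into prefix tag, KEY=value fields and flag tokens."""
    # The log prefix is glued straight onto "IN=", so take everything up to the first
    # "IN=" as the prefix rather than relying on whitespace.
    m = re.match(r"(?P<prefix>.*?)IN=(?P<rest>.*)$", line)
    if not m:
        raise ValueError(f"not a netfilter LOG line: {line!r}")
    tag_m = re.search(r"FIREWALL[: ]*(.*?)[: ]*$", m.group("prefix"))
    entry = FirewallLogEntry(tag=tag_m.group(1) if tag_m else m.group("prefix").strip())
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            key = key.upper()                    # the page shows "src=" in lower case
            if key.endswith("_MAC"):
                value = value.lstrip(":")        # "SRC_MAC=:00:17:..." carries a stray colon
            entry.fields[key] = value
        elif tok in TCP_FLAGS:
            entry.tcp_flags.add(tok)
        elif tok in IP_FLAGS:
            entry.ip_flags.add(tok)
    return entry


def describe_tos(entry: FirewallLogEntry) -> dict:
    """Decode the TOS/PREC pair back into the TOS byte's precedence and DSCP."""
    tos = int(entry.fields["TOS"], 16)    # tos_byte & 0x1E (RFC 1349 TOS bits)
    prec = int(entry.fields["PREC"], 16)  # tos_byte & 0xE0 (IP precedence)
    return {"tos_bits": tos, "precedence": prec >> 5, "dscp": (tos | prec) >> 2}


def classify(entry: FirewallLogEntry) -> str:
    """Name the kind of TCP segment from its flag bits."""
    if entry.fields.get("PROTO") != "TCP":
        return "non-TCP"
    f = entry.tcp_flags
    if "SYN" in f and "ACK" not in f:
        return "new connection attempt (SYN)"
    if "SYN" in f:
        return "handshake reply (SYN-ACK)"
    if "RST" in f:
        return "reset (RST)"
    if "ACK" in f:
        return "mid-stream segment (ACK without SYN), part of an already-open flow"
    return "other"


def likely_initial_ttl(ttl: int) -> int:
    """Heuristic (assumption of this example): senders start at 64, 128 or 255."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def summarize(line: str) -> dict:
    """Everything a practitioner wants from one entry, as a flat dict."""
    e = parse_entry(line)
    ttl = int(e.fields["TTL"])
    return {
        "tag": e.tag,
        "in": e.fields.get("IN", ""),
        "out": e.fields.get("OUT", ""),
        "flow": f"{e.fields['SRC']}:{e.fields.get('SPT')} -> "
                f"{e.fields['DST']}:{e.fields.get('DPT')}/{e.fields.get('PROTO')}",
        "tcp_flags": sorted(e.tcp_flags),
        "dont_fragment": "DF" in e.ip_flags,
        "hops_est": likely_initial_ttl(ttl) - ttl,
        "kind": classify(e),
        **describe_tos(e),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        for k, v in summarize(sample).items():
            print(f"{k:>14}: {v}")
        print()
```

Run against the first entry the parser reports flags ACK and PSH with no SYN, i.e. a packet in the middle of an established TCP session rather than a new connection to port 5721. A stateful firewall only forwards mid-stream segments for flows it has a connection-tracking entry for; when that entry has expired (an idle session that timed out, or a session whose handshake it never saw) the segment is treated as invalid and dropped even though the port-forwarding rule itself is fine, which is the usual reason a long-working forward still produces occasional drops like this one. The second entry likewise shows ACK only, with source port 80, so the flag list is the first thing to check before reading the SYN-FLOOD tag as evidence of SYN segments.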