6.5.4.11 - Some Packets dropped for allowed Traffic
NSa 2650 - SonicOS 6.5.4.11
Hi,
I'am currently facing the issue, that some (usually 1 Message) of the syslog traffic I'am receiving from WAN is dropped with:
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 2:2)
The odd thing is, that the Source IP of the sending Syslog Server is explicitly allowed in the Access Rule and it seems to happen when 3-5 Syslog Messages arriving in the same second. Only one Syslog Message out of this Bundle gets dropped, the other ones are going through.
This makes no sense to me, no further messages in the Event Log.
Did anyone experienced something similar and came up with a solution for it?
It's not that funny to lose Syslog Messages, Monitoring is there for a reason 😪
--Michael@BWC
Answers
I don't know what drop code UDP flood protection uses, but that might be worth checking.
@Arkwright there will be a Log entry for Flood Protection, but it wasn't reported. Hopefully the 5 Messages per Second (probably around 10 Packets) will not hit the 20K limit which is configured at the moment :)
I believe UDP Flood Protection has a seperate Drop Code, #171 or something.
--Michael@BWC