Stateful Packet Inspection: Table is full.

I'm getting this error occasionally on certain webpages that have many links to other pages. Is this the correct registry key to adjust the SPI value?

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw]
"MaxGenericSPIEntries"=dword:00000100

If so, what are some safe values? I've tried adjusting this from the current value of 256 (Decimal) to 512 and 1024, but the log errors persist. Should I go higher? Are there any downsides to setting this value to a larger one? TIA!

 

Hi 0strodamus,

here is a post about that:

https://www.wilderssecurity.com/showthread.php?t=175134

 

Thanks ktango! I'm not sure why I didn't find that thread when I searched before posting. I'm still getting the errors with the setting recommended in that post and am waiting on LnS support reply on how high you can safely take that value to. Thanks again!

 

Maybe it's an attack.

Filling the SPI table is a way to breach the firewall and gain entry into a system.

 

Hi 0strodamus,

Simultaneous connections, customisable to 1024 maximum. Not sure, but I think anything above will be reverted back to 1024.

An image attached showing details about the packet loggings would be much appreciated.

 

Hi Phant0m!
I tried 512, 1024, and 2048, but none of the changed values made a difference so I put the setting back to 256. I noticed this on a couple sites that I found on reddit and aren't sites I normally visit so I'm not too concerned about finding a fix for this - just curiosity at this point. One of the sites that I was able to find again links to a ton of thumbnails pulled from imagevenue.com. I've attached a log screengrab.

 

What type of Internet connection you using? Must be something fast?

 

Not necessarily. I noticed the same thing when I close my browser with eg. 10-20 open tabs (and the browser support "remember last session" option & this option is enabled) and then I open it again. So as you can imagine there are plenty number of connections in short period of time and it is present in Log tab in LnS as "SPI: Table is full"

 

Assuming he’s opening the browser which is loading up several pages, .. but I find that difficult to see, not without help from p2p or other applications on his computer creating lot of connections.

MaxGenericSPIEntries isn’t even the right tweak he wants to use, he has to use MaxSPIEntries, and the ‘TCP Connection states’ window will have a new maximum number of connections (assuming he re-boots after applying the tweak).

 

Not with Look 'n' Stop, the SPF table gets full, it blocks until there are free table entries available.

 

My ISP advertises my package as 15Mbps, but I doubt I ever see speeds that high.

I'll give that a try. I completely missed that they were different tweaks. Thanks Phant0m!

EDIT: Phant0m, you are the man! Setting MaxSPIEntries to 512 resolved all of the log entries. Thanks for pointing this out to me. I'll have to read more carefully from now on.
Thanks again!

 

Awesome.

 

Hi,

I have been checking some issues I have been seeing, one of the issues is with the "SPI:Table full".

There appears to be some delay before connections that are finished /"time_wait" are being removed from L`n`S state table, it appears there is a priority to enter connection details than to remove them, which can lead to a full table without the actual current connections being more than the state_table entry level.
A simple example is a connection to "gog.com"-> "Games Catalogue", which does have many connections but only 8 current. With L`n`S set at 256 SPI connections, entries are made for "SPI:Table full"

I did run some tests with a "Torrent client" (I downloaded a 3GB film from "Vodo.net"). I kept close watch on the reported connections from the torrent client and verified that info with both "cports" and "TCPview"(I also watched for SYN_Sent"... No inbound connections where allowed). The current connections never went over 200 (stayed around approx 190). L`n`S was reporting 238 connections. Entries where being made in L`n`S for "SPI:Table full" during the download period. Once the download had completed, I closed the torrent client, checked "Cports" and "TCPview" which showed no current connections or time_wait. L`n`S showed 36 current connections and took over 30mins for the connections to be removed from the connections list.

I know I can increase the state_table size (which I have already done), but that is only a workaround to an underlying problem.


- Stem

 

Hi Stem,

I’m trying to reproduce your experiences, the number of simultaneous connections is back to 128.

Doing the simple example that you had giving, over and over and over again, I’m not able to come close to filling the table, and the Look ‘n’ Stop connections in the SPI table and what is showing elsewhere is identical and no current connection entries in the SPI table stays long.

And the torrent use on a 550MB file revealing no problems, even after several minutes had passed.


You using the latest release? What is shown for driver versions in Look 'n' Stop - Console?

 

May I enquire which version of Windows and which, if any, rule set? Do they matter?

What threat do your findings pose to the user of LnS?

Your post reads like a negative!

 

The SPI table fills, anything making new TCP connections are blocked until room in the TCP SPI table starts clearing, just very annoying experience.

 

Hi Phant0m,

Yes, latest version downloaded direct from L`n`S website yesterday (I wanted to check with a new install).

I tried again connecting to Gog.com, made a refresh of the "games catalogue" page and log filled again.(I reset back to 256 SPI connections)



I will see if I can find a conflict anywhere on my setup (win XP pro)


- Stem

 

It is my own ruleset (win XP pro), but it does not/should not matter.

None.

It is just a problem that can be worked around easily (increase SPI table to 1024). I am just trying to find what the problem is.

- Stem

 

If you are only seeing 8 / 256, no way should you be getting those Table is full messages...

What browser are you using?

 

Firefox 4.

I have found the problem with connecting to Gog.com. It is due to my connections going through local_proxy. (Proxomitron) for HTTP. Not sure as to why it is causing the issue(removing proxy and no more table full). Even with local_host connections, it should not be filling L`n`S SPI table. Maybe a conflict?


- Stem

 

Sounds possibly like Proxomitron is messing up, I’ve used similar product (Privoxy) and not had any anomalies like you experiencing.

 

Thanks for the prompt reply.

I am a semi-advanced user; my rules are heaps better than the advanced set. I don't Phantom.

Problem is that out of the blue there is a apparently 'threatening' post to users (like me). The subsequent posts are almost as threatening to users (like me). LnS is 'not so good'.

To be honest, reading threads, like this one, leaves me with the impression that any, third-party security application is inadequate.

This is the 'official' LnS support site. Recent posts imply that support is non-existent and LnS may not be as good as we are led to believe.

 

Problems can happen. For me with this, it was due to a filter in Proxomitron that was closing down port use. I have removed the filter and now back to normal. (I forget most of the time I even have Proxomitron running as HTTP filter, thats why I did not think of it before. I blame it on old age)

Well L`n`S is more than adequate as a packet filter, which it is intended for. There is of course other considerations, such as adding an HIPS and/or AV to create a layered defense.

Support would only be non-existent if no one got any support. I know Frederic has been absent for a while, but if you have a problem, you can always post to this forum and you should get an helpful reply from one of the members here.


- Stem

 

Again, thanks. I use LnS because it is a firewall and I like it. If I needed a HIPS, I would look elsewhere (HIPS and firewall are not the same).

You just scared me.

 

Hi newline,

The "SPI:Table full" is not a security problem. By default, when the "SPI" is enabled, there is a maximum of 256 current connections allowed. That in most cases is more than adequate. If more is needed, then you can add/change a registry entry which will increase the state table (current connections) up to 1024.

Nothing to be scared about.


- Stem