[ZBX-18110] suricata alert invalid ack Created: 2020 Jul 17  Updated: 2025 May 19  Resolved: 2025 May 19

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 4.0.22
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: olivier E Assignee: Zabbix Support Team
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Dear zabbix support,

First of all, thank you for your great tool!

I have an issue with the encrypted communication between Zabbix server and Zabbix agent in passive mode. I am getting lots of alerts from our Intrusion Detection Tool Suricata about Zabbix communication: SURICATA STREAM FIN2 invalid ack.

Is that a known issue in Zabbix? Is there a workaround?

I am using zabbix 4.2.6.

See the alert from Suricata.

{"timestamp":"2020-07-17T03:16:08.849805+0200","flow_id":1970573864203604,"event_type":"alert","src_ip":"10.20.100.12","src_port":35758,"dest_ip":"10.20.100.68","dest_port":10050,"proto":"TCP","metadata":{"flowints":{"tcp.retransmission.count":17}},"alert":{"action":"allowed","gid":1,"signature_id":2210036,"rev":2,"signature":"SURICATA STREAM FIN2 invalid ack","category":"Generic Protocol Command Decode","severity":3},"tls":{"subject":"CN=zabbix-agent\/O=PF_PPROD\/C=FR","issuerdn":"CN=PF_PPROD\/O=PPROD\/C=FR","serial":"24:6F:4E:AF:1A:D3:81:F9","fingerprint":"9d:76:30:f6:81:72:d4:1d:01:2d:40:79:5a:1b:0a:29:1a:ec:1d:13","version":"TLS 1.2","notbefore":"2020-04-20T20:03:14","notafter":"2022-04-20T20:03:14","ja3":{}},"app_proto":"tls","flow":{"pkts_toserver":36,"pkts_toclient":28,"bytes_toserver":18864,"bytes_toclient":17146,"start":"2020-07-17T03:13:17.652628+0200"}}

thank you,
best regards
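
One way to triage alerts like the one above offline, as an added example that is not part of the original ticket: it reads Suricata EVE JSON lines, groups alerts by signature and server endpoint, and reports retransmission counts and flow age at alert time. The sample input is constructed (its first record reuses values from the ticket's alert), and the function names are hypothetical.

```python
import json
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # timestamp layout used in the ticket's record

# Constructed sample. Record 1 reuses field values from the ticket's alert (tls block
# dropped); the other lines are made up to exercise grouping and skipping.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2020-07-17T03:16:08.849805+0200","event_type":"alert",'
    '"src_ip":"10.20.100.12","src_port":35758,"dest_ip":"10.20.100.68","dest_port":10050,'
    '"metadata":{"flowints":{"tcp.retransmission.count":17}},'
    '"alert":{"gid":1,"signature_id":2210036,"signature":"SURICATA STREAM FIN2 invalid ack"},'
    '"flow":{"pkts_toserver":36,"pkts_toclient":28,"start":"2020-07-17T03:13:17.652628+0200"}}',
    '{"timestamp":"2020-07-17T03:21:30.000000+0200","event_type":"alert",'
    '"src_ip":"10.20.100.12","src_port":35902,"dest_ip":"10.20.100.68","dest_port":10050,'
    '"alert":{"gid":1,"signature_id":2210036,"signature":"SURICATA STREAM FIN2 invalid ack"},'
    '"flow":{"pkts_toserver":20,"pkts_toclient":16,"start":"2020-07-17T03:21:00.000000+0200"}}',
    '{"timestamp":"2020-07-17T03:22:00.000000+0200","event_type":"flow","dest_port":10050}',
    'truncated line that is not JSON',
])

def parse_alerts(text):
    """Yield one flat record per alert event; skip non-JSON and non-alert lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        flow = ev.get("flow", {})
        ts = datetime.strptime(ev["timestamp"], TS_FMT)
        start = datetime.strptime(flow["start"], TS_FMT) if "start" in flow else ts
        yield {
            "key": (ev["alert"]["signature_id"], ev["src_ip"], ev["dest_ip"], ev["dest_port"]),
            "retrans": ev.get("metadata", {}).get("flowints", {}).get("tcp.retransmission.count", 0),
            "flow_age_s": (ts - start).total_seconds(),
        }

def summarize(text):
    """Per (sid, src, dst, dport): alert count, total retransmissions, longest flow age."""
    out = defaultdict(lambda: {"alerts": 0, "retrans": 0, "max_flow_age_s": 0.0})
    for rec in parse_alerts(text):
        row = out[rec["key"]]
        row["alerts"] += 1
        row["retrans"] += rec["retrans"]
        row["max_flow_age_s"] = max(row["max_flow_age_s"], rec["flow_age_s"])
    return dict(out)
```

Calling `summarize()` on the text of an `eve.json` file gives one row per signature and endpoint, which shows whether the alerts concentrate on the agent port 10050 and how many retransmissions those flows carried.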



 Comments   
Comment by Andrei Gushchin (Inactive) [ 2020 Jul 22 ]

Thank you for reporting and feedback.

What is the issue here? Could you describe the problem a bit more?

Comment by Gilles [ 2020 Oct 20 ]

Hi Andrei,

Context :

  • Suricata (Intrusion Detection Tool) is installed on VMs running zabbix agent.
  • Zabbix agents are connected with the server in passive mode via TLS.

Suricata tool reports a lot of alerts about the traffic between the agent and the server because there are "FIN2 invalid ack" streams.

Do you see any cause for these invalid acknowledgements in FIN-WAIT2 TCP state?

Comment by Bartosz Nems [ 2025 Apr 22 ]

Hi,

I see that Your ticket was created in 2020, please let Us know if You still require our help. 
If You don't respond in this ticket in the next two weeks we will close it.
Kind regards, 
Bartosz

 

Comment by Jan Prusinowski (Inactive) [ 2025 May 19 ]

Closing due to inactivity.

Generated at Mon Oct 27 22:15:07 EET 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.