IPSec traffic is irregularly classified as invalid

Hi everyone,

Currently I have a problem (or a bug?) with GRE/IPSec tunnels: in one location (OfficeB) the IPSec packets (destination port 4500) are temporarily blocked by the INVALID policy of the VyOS firewall.
After a reset of conntrack or a restart of the router, it usually works again. Does anyone have an idea what triggers the problem?

OfficeB builds two IPSec tunnels to different locations for redundancy, and all corporate networks can be reached via both locations (routing via OSPF).
Most of the time, the redundant configuration helps ensure that the site is not completely isolated, but sometimes tunnels are blocked by the VyOS firewall / invalid state policy.
The IP which is blocked by the invalid rule no longer appears in the conntrack database.

I don't suspect a gross configuration error, because the connection works in principle. The failures then happen between 5 minutes and an hour or more. Some days there are no problems at all.

Office A, which has the same VyOS configuration, has no problems.

Firewalling-Method: ZBF

Software Versions:

AZ: VyOS 1.2.0
BranchB: VyOS 1.2
BranchA: VyOS 1.2.1
HQ: VyOS 1.2

vyos@GW-BranchB:~$ sudo journalctl -f | grep -i invalid
Oct 13 16:00:02 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=202.55.3.5 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:06 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=180 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=160
Oct 13 16:00:10 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:12 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=202.55.3.5 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:16 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=180 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=160


vyos@GW-BranchB# sh firewall name anyexternal-local
 default-action drop
 rule 100 {
     action accept
     description "Enable ICMP on WAN-Zone"
     icmp {
         type 8
     }
     log enable
     protocol icmp
 }
 rule 110 {
     action drop
     destination {
         port 22
     }
     log enable
     protocol tcp
     recent {
         count 2
         time 30
     }
 }
 rule 120 {
     action accept
     destination {
         port 22
     }
     log enable
     protocol tcp
 }
 rule 130 {
     action accept
     description "Allow loopback IP-Range"
     log enable
     source {
         address 172.20.1.0/24
     }
 }
 rule 200 {
     action accept
     description "Allow UDP 500 and 4500 for IPSec and NAT-T"
     destination {
         port 500,4500
     }
     log enable
     protocol udp
     source {
         group {
             address-group agr_trusted-s2s-sourceips
         }
     }
 }
[edit]



vyos@GW-BranchB# sh nat
 source {
     rule 10 {
         outbound-interface eth0
         source {
             address 172.26.20.0/24
         }
         translation {
             address masquerade
         }
     }
 }
[edit]


vyos@GW-BranchB# run show vpn ipse sa
Connection                            State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID               Proposal
------------------------------------  -------  --------  --------------  ----------------  ----------------  ----------------------  -----------------------------
peer-hq.example.com-tunnel-0  up       1h21m6s   0B/12K          0/141             202.55.3.5        hq.example.com    AES_CBC_256/HMAC_SHA2_256_128
peer-az.example.com-tunnel-4  up       1h21m35s  0B/13K          0/160             168.23.1.88       az.example.com    AES_CBC_256/HMAC_SHA2_256_128


vyos@GW-branchB# sh vpn
 ipsec {
     esp-group esp_az-example-com {
         compression disable
         lifetime 3600
         mode tunnel
         pfs disable
         proposal 1 {
             encryption aes256
             hash sha256
         }
     }
     esp-group esp_hq-example-com {
         compression disable
         lifetime 3600
         mode tunnel
         pfs disable
         proposal 1 {
             encryption aes256
             hash sha256
         }
     }
     ike-group ike_az-example-com {
         dead-peer-detection {
             action restart
             interval 15
             timeout 60
         }
         ikev2-reauth no
         key-exchange ikev1
         lifetime 7800
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha256
         }
     }
     ike-group ike_hq-example-com {
         dead-peer-detection {
             action restart
             interval 15
             timeout 60
         }
         ikev2-reauth no
         key-exchange ikev2
         lifetime 7800
         proposal 1 {
             dh-group 2
             encryption aes256
             hash sha256
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 10.0.0.0/24 {
         }
         allowed-network 172.16.0.0/20 {
         }
         allowed-network 192.168.0.0/16 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer az.example.com {
             authentication {
                 id branchb.example.com
                 mode rsa
                 remote-id az.example.com
                 rsa-key-name az.example.com
             }
             connection-type initiate
             default-esp-group esp_az-example-com
             ike-group ike_az-example-com
             ikev2-reauth inherit
             local-address any
             tunnel 4 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 local {
                     prefix 172.20.1.26/32
                 }
                 remote {
                     prefix 172.20.1.27/32
                 }
             }
         }
         peer hq.example.com {
             authentication {
                 id branchb.example.com
                 mode rsa
                 remote-id hq.example.com
                 rsa-key-name hq.example.com
             }
             connection-type initiate
             default-esp-group esp_hq-example-com
             ike-group ike_hq-example-com
             ikev2-reauth inherit
             local-address any
             tunnel 0 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 local {
                     prefix 172.20.1.26/32
                 }
                 remote {
                     prefix 172.20.1.24/32
                 }
             }
         }
     }
 }

General Firewall Rules

 all-ping enable
 broadcast-ping disable
 config-trap disable
 group {
     address-group agr_trusted-s2s-sourceips {
         address 202.55.3.5
         address 168.23.1.88
     }
 }
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 receive-redirects disable
 send-redirects enable
 source-validation disable
 state-policy {
     established {
         action accept
     }
     invalid {
         action drop
         log {
             enable
         }
     }
     related {
         action accept
     }
 }
 syn-cookies enable
 twa-hazards-protection disable
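
One way to turn those `[FW-STATE_POL-INVALID-D]` kernel log lines into an alert, as an added example that is not part of the thread: it parses the netfilter LOG format shown above and flags any trusted peer (the addresses of `agr_trusted-s2s-sourceips`) whose UDP 500/4500 packets are being dropped as INVALID, so a blocked tunnel is noticed before users report it. The sample log lines inside are constructed, modelled on the journalctl output in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Trusted IPsec peers, taken from the address group in the post.
TRUSTED_PEERS = {"202.55.3.5", "168.23.1.88"}
IKE_PORTS = {500, 4500}  # IKE and NAT-T

# "Oct 13 16:00:02 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 ..."
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[(?P<prefix>[^\]]+)\](?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags like DF are skipped

# Constructed sample, modelled on the post: two trusted peers hit by INVALID
# drops on UDP 4500, plus one unrelated TCP/22 drop that must be ignored.
SAMPLE_LOG = """\
Oct 13 16:00:02 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=202.55.3.5 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:06 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=180 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=160
Oct 13 16:00:10 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:12 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=202.55.3.5 DST=192.168.2.200 LEN=164 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=144
Oct 13 16:00:15 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=198.51.100.7 DST=192.168.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Oct 13 16:00:16 GW-BranchB kernel: [FW-STATE_POL-INVALID-D]IN=eth0 OUT= MAC=00:50:56:ae:f4:a7:44:fe:3b:6e:e9:84:08:00 SRC=168.23.1.88 DST=192.168.2.200 LEN=180 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=160
"""


def parse_line(line):
    """Return a dict for one netfilter LOG line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        # syslog timestamps carry no year; only deltas are used below
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "prefix": m.group("prefix"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        # DPT is absent on ICMP lines, so it may be None
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def invalid_drops_per_peer(log_text, prefix_marker="INVALID"):
    """Timestamps of INVALID-state drops of IKE/NAT-T packets, keyed by trusted peer."""
    per_peer = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or prefix_marker not in rec["prefix"]:
            continue
        if rec["src"] in TRUSTED_PEERS and rec["proto"] == "UDP" and rec["dport"] in IKE_PORTS:
            per_peer[rec["src"]].append(rec["ts"])
    return per_peer


def find_alerts(log_text, min_drops=2, window_s=60):
    """One alert per trusted peer whose IKE/NAT-T packets were dropped as INVALID
    at least min_drops times inside some window_s-second window (densest window wins)."""
    alerts = []
    for peer, stamps in invalid_drops_per_peer(log_text).items():
        stamps.sort()
        best, start = None, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timedelta(seconds=window_s):
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= min_drops and (best is None or count > best["drops"]):
                best = {"peer": peer, "drops": count, "first": stamps[start], "last": ts}
        if best:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["peer"])


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"ALERT peer {a['peer']}: {a['drops']} IKE/NAT-T packets dropped as INVALID "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

In production the same functions can be fed `journalctl -k -o short` output instead of the embedded sample.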

Hi,

We have to figure out why the packet is invalid. A reason could be the conntrack table size; maybe it's full.

Do you have access to the routers during the problem? Then you can check.

To show the plain table:

show conntrack table ipv4|ipv6

To look at the statistics; maybe you see some errors there:

sudo conntrack -S

If this is the error, you can increase the table size a little bit:

config
set system conntrack expect-table-size XXXX

Hi Rob,

Currently I have access to the router. I am very sure that it is not because of the number of connections, because at the moment still very few computers work over the connection.

I have queried the number of current connections, as well as the configured maximum number. I think we can rule that out.

Regarding the statistics: interestingly, since the VyOS router is behind a router from the ISP, and IPSec is forwarded via port forwarding, only ports 500 and 4500 can reach the VyOS router from the WAN side.

vyos@GW-BranchB:~$ sudo sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 89

vyos@GW-BranchB:~$ sudo sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 262144

vyos@GW-BranchB:~$ sudo conntrack -S
cpu=0           found=0 invalid=27528 ignore=1011 insert=0 insert_failed=0 drop=0 early_drop=0 error=25894 search_restart=1065

Hello, @Coby!
The reason for your problem is that the state-policy firewall rules are applied to traffic before anyexternal-local. So, if the router does not receive any UDP packet during the UDP connection timeout (30 seconds by default), further packets will be considered INVALID.
I would recommend not using the global state-policy and creating additional rules in the anyexternal-local chain instead. This gives you the same effect with a better understanding of what is going on with your connections.

Thank you for the support. I have applied the proposal and rebuilt the rule set as follows.

Now it is just that the global state policy no longer classifies traffic as invalid, but rule 2 does.

 vyos@GW-BranchB# show firewall name anyexternal-local | strip-private
 default-action drop
 rule 1 {
     action accept
     log enable
     state {
         established enable
         related enable
     }
 }
 rule 2 {
     action drop
     log enable
     state {
         invalid enable
     }
 }
 rule 100 {
     action accept
     description "Enable ICMP on WAN-Zone"
     icmp {
         type 8
     }
     log enable
     protocol icmp
 }
 rule 110 {
     action drop
     destination {
         port 22
     }
     log enable
     protocol tcp
     recent {
         count 2
         time 30
     }
 }
 rule 120 {
     action accept
     destination {
         port 22
     }
     log enable
     protocol tcp
 }
 rule 130 {
     action accept
     log enable
     source {
         address xxx.xxx.1.0/24
     }
 }
 rule 200 {
     action accept
     description "Allow UDP 500 and 4500 for IPSec and NAT-T"
     destination {
         port 500,4500
     }
     log enable
     protocol udp
     source {
         group {
             address-group agr_trusted-s2s-sourceips
         }
     }
 }

Understandably, since these rules come first and are processed before rule 200. Is it really advisable to push the state policy rules to the end of the rule set? Would that be the only alternative?
Or is it better to raise the timeout of 30 s in this case?

net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180