
state insert failed / BAD state issues



  Gateway is an OpenBSD 3.3-release, with a 3.3-stable kernel built
  from recent OPENBSD_3_3 source.
  Gateway handles NAT to the egress and also rdr for transparent
  proxying. Rough idea of network:
 192.168.2.0/24                               Public, Routable IP
 ( customers ) --- $cus [ borogove ] $col --- [ squid ]
                             | $ext
                             |                        ( internet )
  Pf ruleset includes this:
-----
no rdr on $col from $squid to any
no nat on $col from $squid to any
no nat on $col from ($col) to any
rdr-anchor proxy_www proto tcp from any to any port www
  ( rdr on $cus inet proto tcp from any to any port www -> $squid port $squidport )
nat on $col inet proto tcp from any to $squid -> ($col)
nat on $ext from <nattable> to any -> $natAddr
-----
  Some customers are having trouble with:
  a. Some natted TCP connections to the external hosts
  b. Some rdr'd (and natted) connections that are hijacked through squid.
  Symptoms are timeouts (the customer experience is: 'have to click more
  than once to load a page', broken images), and the gateway appears to
  'eat' some SYN packets (they come in on $cus but don't leave on $ext or
  $col).
  Enabling misc debugging in pf shows these errors always accompanying
  the failure condition:
-----
/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd
/bsd: pf: State failure on: 1       | 5
/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=25 dir=in,fwd
/bsd: pf: State failure on: 1       | 5
/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=26 dir=in,fwd
/bsd: pf: State failure on: 1       | 5
-----
  Not sure where to go from here, hoping someone has some insight. I
  can provide more details to anyone who'd like them.
  Thanks
  matthew
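A small checker, added here as an illustration and not code from the original post or from OpenBSD: it parses the "pf: BAD state:" lines quoted above and re-runs the eight sequence/ack comparisons that pf's TCP state tracking makes, numbered the way the "State failure on:" line reports them (1-4 in the left column, 5-8 in the right). The numbering, the end = seq + len (+1 for SYN, +1 for FIN) rule and MAXACKWINDOW = 65535 are taken from my reading of pf.c's pf_test_state_tcp() and should be treated as an assumption against the exact 3.3-stable source. The second log line is constructed in the same format to show what an ack-skew failure looks like by contrast.

```python
"""Re-run pf's TCP window checks on a 'pf: BAD state' debug line (added example)."""
import re

MAXACKWINDOW = 65535   # pf.c's MAXACKWINDOW; assumed unchanged in 3.3-stable
MASK32 = 0xFFFFFFFF

# Line 1 is copied from the post above; line 2 is constructed in the same
# format (documentation IPs) to exercise the ack-skew comparisons.
PAGE_LINE = ("/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 "
             "[lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] "
             "[lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] "
             "10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd")
CONSTRUCTED_LINE = ("/bsd: pf: BAD state: TCP 198.51.100.7:80 198.51.100.7:80 192.0.2.10:40000 "
                    "[lo=1000 high=2000 win=1000 modulator=0 wscale=0] "
                    "[lo=5000 high=6000 win=1000 modulator=0 wscale=0] "
                    "4:4 A seq=1500 ack=75000 len=100 ackskew=-70000 pkts=3 dir=in,fwd")

_WINDOW_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+ wscale=(\d+)\]")
_PKT_RE = re.compile(r"(\d+):(\d+) ([A-Z]*) seq=(\d+) ack=(\d+) len=(\d+) "
                     r"ackskew=(-?\d+) pkts=(\d+) dir=(in|out),(fwd|rev)")


def seq_geq(a, b):
    """pf's SEQ_GEQ(a, b): wrap-safe a >= b on 32-bit sequence numbers."""
    return ((a - b) & MASK32) < 0x80000000


def signed32(x):
    """Interpret a 32-bit difference as a signed value (like C's int cast)."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def parse_bad_state(line):
    """Extract both tracked peers and the offending packet from one log line."""
    wins = _WINDOW_RE.findall(line)
    m = _PKT_RE.search(line)
    if len(wins) != 2 or m is None:
        raise ValueError("not a pf BAD state line: %r" % line)
    peers = [dict(lo=int(lo), high=int(hi), win=int(w), wscale=int(ws))
             for lo, hi, w, ws in wins]
    # pf_print_state() prints s->src then s->dst; the packet's sending peer is
    # s->src only when the packet travels in the state's direction ("fwd").
    src, dst = peers if m.group(10) == "fwd" else peers[::-1]
    return dict(src=src, dst=dst, flags=m.group(3), seq=int(m.group(4)),
                ack=int(m.group(5)), len=int(m.group(6)),
                direction=m.group(9), fwd=m.group(10) == "fwd")


def check_state(rec):
    """Evaluate the eight comparisons and return the ones that fail, by number."""
    src, dst, flags = rec["src"], rec["dst"], rec["flags"]
    seq = rec["seq"]
    # Last sequence number the segment occupies; SYN and FIN each take one.
    end = (seq + rec["len"] + ("S" in flags) + ("F" in flags)) & MASK32
    # Without an ACK flag pf lets the segment through the skew check.
    ack = rec["ack"] if "A" in flags else dst["lo"]
    ackskew = signed32(dst["lo"] - ack)
    dws = dst["wscale"]
    checks = {
        1: seq_geq(src["high"], end),                       # end within window
        2: seq_geq(seq, src["lo"] - (dst["win"] << dws)),   # not too far behind
        3: ackskew >= -MAXACKWINDOW,
        4: ackskew <= MAXACKWINDOW,
        5: seq_geq(src["high"] + MAXACKWINDOW, end),        # loose variants
        6: seq_geq(seq, src["lo"] - MAXACKWINDOW),
        7: ackskew >= -(MAXACKWINDOW << dws),
        8: ackskew <= (MAXACKWINDOW << dws),
    }
    return dict(end=end, ackskew=ackskew,
                beyond_high=signed32(end - src["high"]),
                failed=[n for n, ok in checks.items() if not ok])


def classify(result):
    """Name the column a failure lands in: sequence window or ack skew."""
    kinds = set()
    for n in result["failed"]:
        kinds.add("seq-window" if n in (1, 2, 5, 6) else "ack-skew")
    return sorted(kinds)


if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        res = check_state(parse_bad_state(line))
        print("failed=%s kinds=%s end=%d beyond_high=%d ackskew=%d" % (
            res["failed"], classify(res), res["end"], res["beyond_high"], res["ackskew"]))
```

Run against the first line of the post it reports failures 1 and 5, i.e. the SYN's end sequence sits 46449476 past the tracked window's high edge, which matches the "1 | 5" columns pf logged; the ack side is clean. A bare SYN that far outside the window on a 4-tuple pf already tracks is consistent with a fresh connection reusing the port while the earlier state entry is still present, which is the kind of thing to look for in pfctl -ss when the retry is seen.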