
Re: state insert failed / BAD state issues

>   Symptoms are timeouts (customer experience is: 'have to click more
>   than once to load a page', broken images), and the gateway appears to
>   'eat' some SYN packets (they come in $cus but don't leave on $ext or
>   $col).
> /bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd
> /bsd: pf: State failure on: 1       | 5

Note that the sequence number on that packet is 46 million off.
(compare the seq=%u line to lo=%u and high=%u).  Both sides of the
connection are in state 10 (which is TCPS_TIME_WAIT).  This means that
the <customer> has already made a connection to <server>:443 from source
port 62548 and PF hasn't expired that state yet.

There are two options.  Figure out why they are reusing the source port
without waiting 2*msl and fix it.  Or reduce the tcp.closed timeout.
Changing the tcp.closed timeout would probably be your best bet for the
typical customer.

pf.conf:
  set timeout tcp.closed <smaller number like 10>

.mike
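The two checks Mike applies by eye (the packet's seq against the tracked lo/high window, and state 10 meaning TCPS_TIME_WAIT) can be done by a small parser over the kernel's "pf: BAD state" line. The following is an added example and not part of the original thread or of pf itself: the log line is the one quoted above, the state names come from the BSD TCP FSM numbering in netinet/tcp_fsm.h, the window test is a simplified version of pf's (plain window bounds, without pf's extra slack), and the helper names are my own.

```python
"""Parse a pf "BAD state" log line and say why pf refused the packet.

Added example: the log line is the one quoted in the thread; the window
check is simplified (bounds only, no MAXACKWINDOW slack); helper names
are my own and not pf's.
"""
import re

# BSD TCP FSM numbering (netinet/tcp_fsm.h); pf prints "src:dst" states.
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
    4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
    8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT",
}
TCPS_TIME_WAIT = 10

WINDOW_RE = re.compile(
    r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale=(\d+)\]")
# After the second "[...]" block: "<src>:<dst> <flags> seq= ack= len= ... dir="
PKT_RE = re.compile(
    r"\]\s+(\d+):(\d+)\s+(\S+)\s+seq=(\d+)\s+ack=(\d+)\s+len=(\d+).*?dir=(\S+)")

# The line from the thread, with the placeholders the poster used.
LOG_LINE = (
    "pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 "
    "[lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] "
    "[lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] "
    "10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd"
)


def seq_diff(a, b):
    """Signed 32-bit a - b, so sequence-number wraparound compares correctly."""
    return ((a - b + (1 << 31)) & 0xFFFFFFFF) - (1 << 31)


def parse_bad_state(line):
    """Pull both tracked windows and the packet fields out of a BAD state line."""
    windows = [
        {"lo": int(lo), "high": int(hi), "win": int(w),
         "modulator": int(m), "wscale": int(ws)}
        for lo, hi, w, m, ws in WINDOW_RE.findall(line)
    ]
    m = PKT_RE.search(line)
    if len(windows) != 2 or m is None:
        raise ValueError("not a pf BAD state line")
    return {
        "windows": windows,
        "src_state": int(m.group(1)), "dst_state": int(m.group(2)),
        "flags": m.group(3), "seq": int(m.group(4)), "ack": int(m.group(5)),
        "len": int(m.group(6)), "dir": m.group(7),
    }


def window_offset(seq, window):
    """0 if seq lies in [lo, high]; else signed distance outside (neg = before lo)."""
    before = seq_diff(seq, window["lo"])
    if before < 0:
        return before
    past = seq_diff(seq, window["high"])
    return past if past > 0 else 0


def diagnose(line):
    """Return the state names, per-window seq offsets and human-readable reasons."""
    ev = parse_bad_state(line)
    offsets = [window_offset(ev["seq"], w) for w in ev["windows"]]
    reasons = []
    if all(o != 0 for o in offsets):
        reasons.append(
            "seq %d is outside both tracked windows (off by %d and %d)"
            % (ev["seq"], offsets[0], offsets[1]))
    if (ev["src_state"] == TCPS_TIME_WAIT and ev["dst_state"] == TCPS_TIME_WAIT
            and "S" in ev["flags"]):
        reasons.append(
            "SYN arrived while both sides are still TIME_WAIT: the client "
            "reused its source port before pf's tcp.closed timeout expired")
    return {
        "state": "%s:%s" % (TCP_STATES[ev["src_state"]], TCP_STATES[ev["dst_state"]]),
        "offsets": offsets,
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = diagnose(LOG_LINE)
    print(result["state"], result["offsets"])
    for r in result["reasons"]:
        print(" -", r)
```

On the quoted line this reports TIME_WAIT:TIME_WAIT and a seq that is about 46.4 million past the first window's high (and further still from the second), which is the "46 million off" Mike reads from the raw numbers. To confirm the diagnosis on a live box, `pfctl -ss` lists the lingering entries as TIME_WAIT:TIME_WAIT for the customer's address, and `pfctl -st` shows the tcp.closed value currently in force before you lower it in pf.conf.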