
Re: state insert failed / BAD state issues

On Friday, May 30, 2003, at 07:11 US/Pacific, Mike Frantzen wrote:

Symptoms are timeouts (customer experience is: 'have to click more
than once to load a page', broken images), and the gateway appears to
'eat' some SYN packets (they come in $cus but don't leave on $ext or
/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd
/bsd: pf: State failure on: 1 | 5

Note that the sequence number on that packet is 46 million off.
(compare the seq=%u line to lo=%u and high=%u). Both sides of the
connection are in state 10 (which is TCPS_TIME_WAIT). This means that
the <customer> has already made a connection to <server>:443 from source
port 62548 and PF hasn't expired that state yet.

pf will only enter TIME_WAIT when one side RSTs the connection. It might
be interesting to watch a complete session between those two hosts.
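
The comparison described above (seq= against lo= and high=, plus the state pair) as an added example; it is not part of the original message or of pf. The function names are hypothetical, and it assumes the packet's seq is checked against the first bracketed peer, which is the one that reproduces the 46 million figure.

```python
import re

# TCP FSM state numbers as in BSD <netinet/tcp_fsm.h>; the message cites 10 = TCPS_TIME_WAIT.
TCP_STATES = ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED",
              "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2",
              "TIME_WAIT"]
PEER_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+)[^\]]*\]")
TAIL_RE = re.compile(r"\]\s+(\d+):(\d+)\s+(\S+)\s+seq=(\d+)\s+ack=(\d+)")
MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

def state_name(n):
    # Numbers above TIME_WAIT are left numeric rather than guessed at.
    return TCP_STATES[n] if 0 <= n < len(TCP_STATES) else f"state {n}"

def seq_gap(seq, lo, high):
    """Return 0 if seq lies in [lo, high] modulo 2**32, else the shorter wrapped distance."""
    if (seq - lo) % MOD <= (high - lo) % MOD:
        return 0
    return min((seq - high) % MOD, (lo - seq) % MOD)

def triage(line):
    """Parse one 'pf: BAD state' log line; return None if it is not one."""
    peers = PEER_RE.findall(line)
    tail = TAIL_RE.search(line)
    if "BAD state" not in line or len(peers) != 2 or tail is None:
        return None
    s1, s2, flags, seq, ack = tail.groups()
    lo1, hi1, _win1 = map(int, peers[0])
    states = (state_name(int(s1)), state_name(int(s2)))
    gap = seq_gap(int(seq), lo1, hi1)
    # Pattern from the message: a bare SYN far outside the tracked window
    # while both peers of the old state entry are still in TIME_WAIT.
    stale = flags == "S" and states == ("TIME_WAIT", "TIME_WAIT") and gap > 0
    return {"states": states, "flags": flags, "seq_gap": gap,
            "syn_on_unexpired_state": stale}

# Log line copied from the message above (placeholders left as posted).
SAMPLE = ("/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 "
          "[lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] "
          "[lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] "
          "10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd")

if __name__ == "__main__":
    print(triage(SAMPLE))
```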