Growing states table, some leak?

w0w

at the same time

pfctl -ss>/root/dump.txt produces the file with 3441 lines not 1000213 as it theoretically should be. So what are those “ghost” states, @jimp?

jimp

Interesting that it doesn't line up. I checked two HA pairs in my lab (one Plus, one CE) and neither of them show that kind of behavior on either node.

What does pfctl -si show in its data for states? What about other info there?

That's the kind of weirdness I might expect to see if somehow the world and kernel don't match up, like either the kernel isn't being updated and it's running an older kernel, or the kernel updated but the base system didn't.

Check the output of pkg -x pfSense and uname -a and see what the output shows on there.

w0w

@jimp said in Growing states table, some leak?:

pfctl -si

@jimp said in Growing states table, some leak?:

pkg -x pfSense

pkg info? -x does not recognized as command

@jimp said in Growing states table, some leak?:

uname -a

14.0-ALPHA2 FreeBSD 14.0-ALPHA2 amd64 1400094 #1 plus-devel-main-n256131-b9588f9fb62: Sat Aug 26 18:08:03 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/obj/amd64/iYn5SZ87/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/amd64.amd64/sys/pfSense amd64

@jimp said in Growing states table, some leak?:

Interesting that it doesn't line up.

I switched from primary to secondary by putting primary into maintenance mode. May be I did it several times. At the same time I have fatal traps sometimes, it's on the other topic. And there is PPPoE on the WAN1, WAN2 is DHCP. MultiWAN gateway is used

w0w

This post is deleted!

jimp

Hmm, a lot of the info in pfctl -si looks suspiciously large.

Maintenance mode shouldn't have had any effect on pfsync / state data.

The base and kernel seem to match up, though.

All that said, PPPoE isn't supported with HA, nor is DHCP, so we don't do any testing in that regard. It's designed for, and only suitable for, static WANs, so who knows what kind of unpredictable results you might have.

Doing state sync is worthless in your case without a proper static WAN setup so you may as well disable and see if things stabilize. Without static WANs and proper CARP VIPs on all WANs there is no hope of seamless connection failover so pfsync is just complicating matters.

w0w

@jimp said in Growing states table, some leak?:

All that said, PPPoE isn't supported with HA, nor is DHCP, so we don't do any testing in that regard. It's designed for, and only suitable for, static WANs, so who knows what kind of unpredictable results you might have.

Yes, I know that PPPoE is not supported. I don't use it in CARP anyway. It is controlled by script, when firewall is not primary it just put it down and vise versa, my ISP also bans if I use more than 1 session for a long time.
WAN2 is used in CARP. Actually, those DHCPs means static lease on upstream router, so it actually the same all the way. So yes, I use WAN2 CARP IP, this configuration works fine since 2.6 alpha… So what next? Try to disable WAN2 CARP?

jimp

Not sure what to suggest since even if they are static in DHCP that's still not a supported configuration. No dynamic WANs are supported.

If it worked, consider yourself lucky as it worked by pure luck.

The top suspect would be any custom scripts and PPPoE since those are very far from standard.

Ideally if anyone else could reproduce it you could find something in common and track down how to reproduce it from a bare minimum configuration. Without more leads, it's difficult to speculate about what might be happening.

w0w

@jimp
Ok. Already changed to static. Will try to stop the script also.

w0w

@Raul-Ramos
What HA configuration are you using? Do you have some custom scripts enabled?

Raul Ramos

@w0w I do not have any custom scripts. Some packages: HAproxy, FreeRadius, acme, zabbix, wiregard, more two or three, nothing fancy.

My systems are not standard: Two virtualized instances of Proxmox, diferente boxes, similar hardware, each one have dedicated raw device networks (one em(0/1) other igb(0/1)) with 4 or five Vlans.
HA is configured to use Multicast on a VLANs created for SYNC, I tested using a IP but states continue to grow until nothin is usable.

At this moment the main instance is on the 23.05.1, backup is on the 23.09, all good, don't know if the stats are synced correctly, backup instance is 7000 down in stats count.

I change WAN setting to static. I'll test it later.

w0w

CARP is configured to use static IPs, custom script is disabled. States are keep growing and NOT cleaned by

it does not log anything also.
If I do

pfctl -F states

Then it clears a few thousands of states ex 4300, but GUI shows that overall states is 48000 currently. This is happening on both firewalls. Even if it is lower than critical limit.

marcosm

Have you tried to reproduce this with a clean install / minimal config? pfctl not clearing all of the states is certainly unexpected.

Raul Ramos

This post is deleted!

w0w

@marcosm
What you mean minimal? It does affect only CARP configurations. Growing stops immediately when CARP is disabled temporary. Tried clean installation with config restoration, tried a lot of other things with no luck. Trying to replicate this with Vbox machines, but currently have some stupid NAT problems…

Another fun

WTF? Definitely, it has never been enabled. Is it OK? It is happening when I try to uncheck "enable" and press save button.

Ok, found some old opt1 (SYNC) config for radvd in config file that does not show up in GUI, deleted it and now I can purely disable SYNC interface.

When I disable interface and reboot machine, growing is gone, when I enable interface it starts growing immediately by thousands.

w0w

Subtotals.

Primary firewall               Secondary firewall                   Ghost states

23.09                               23.05                                    NO
23.09                               23.09                                    YES
23.05                               23.09                                    YES
23.05                               23.05                                    NO

Additional tests:
I connected a virtual machine as a second firewall through a real interface (SYNC), where everything is configured minimally, the number of states immediately starts to increase in virtual machine too.
Two virtual machines on 23.09 between each other—no problem, but the test cannot be considered complete, since there is very little real traffic there, perhaps some kind of trigger is missing. Later, there is an idea to replace the main firewall with a virtual machine.
Also tried to replace SYNC interface on both machines with USB card, this changed nothing so at least NIC driver is not suspected, because it is absolutely different vendors all the way.

w0w

Virtual machine configured as primary showed this in the CARP maintenance

Minimal config. Just one WAN, LAN and SYNC.
When it becomes “master”, not “backup” then states looks normal on both, not growing.

jimp

I ran this by Kristof and he has a couple different theories about what might be happening, but it's not clear exactly based just on the information in the thread, especially since we can't seem to reproduce it in a lab setup.

There are a few ways to help gather info:

• Install a regular kernel from https://www.codepro.be/files/pfSense-kernel-pfSense-23.09.a.20230905.1950.pkg
• Install a debug kernel from https://www.codepro.be/files/pfSense-kernel-debug-pfSense-23.09.a.20230905.1950.pkg

There are potentially some issues with error handling in pf_create_state() that could cause states to be allocated and then lost before they’re connected in the state table. That matches the problem description, although it's not clear how or why this would suddenly start manifesting, and doing so on an inconsistent basis.

w0w

@jimp
Thank you for your time and attention.
Installed debug kernel. What should I do next?

jimp

Once you are booted into the debug kernel, see if you can reproduce the problem.

If you can, see if anything additional shows up in the system log.

If you don't see the problem on the debug kernel, then that may also confirm that what Kristof attempted to fix there was the actual problem.

w0w

@jimp
I see it's growing, but not reached its limit. When should I expect anything additional in logs? Can you provide some keywords?

EDIT: Ahh wait... forgot to select the right kernel :)