Netgate Discussion Forum

    State Table full / Out of Sync after update to 2.4.4

    • B
      biggsy
      last edited by

      @magnus1720 said in State Table full / Out of Sync after update to 2.4.4:

      The pfSense is a VM on a HyperV server 2012 R2.

      This is the second recent post about the state table filling up when running 2.4.4 on HyperV/Server 2012.

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Third

        https://forum.netgate.com/topic/138000/states

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • B
          biggsy @Derelict
          last edited by

          @derelict

          True, but both of those were posted by OutbackMatt about slightly different aspects of the same problem, I thought.

          @magnus1720

          Have you seen any time sync problems like those OutbackMatt described?

          • M
            magnus1720
            last edited by magnus1720

            @stephenw10
            Once it starts the dashboard doesn’t change at all, clearing states doesn’t help it either, only a reboot can fix it.
            In the System log I mostly see messages like the below.
            arp: 172.16.80.134 moved from 00:34:da:50:a7:91 to cc:25:ef:8d:f4:51 on hn3

            @biggsy
            No, but I have now disabled integration settings for time sync in HyperV.

            I have dumped the state table and imported it to an Access database.
            And for destination 8.8.8.8:53 there are 33156 records. (These will be Guest devices accessing internet using Google’s DNS)
            From local IPs to 8.8.8.8 MULTIPLE:SINGLE

            And from my Domain controller to DNS forwarders there are a total of 64240 records
            This will be domain joined devices
            So, it seems like states are simply not being closed.

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              Short of rebooting you might try a quick pfctl -d followed by a pfctl -e.

              • M
                magnus1720
                last edited by

                @Derelict
                pfctl -d followed by a pfctl -e didn’t change anything. It did confirm the change that pf was disabled and then enabled again.
                I also updated to 2.4.4-RELEASE-p1 but again I am still seeing the issue.

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  You might try disabling pf then clearing the state table from the command line:

                  [2.4.4-RELEASE][admin@5100.stevew.lan]/root: pfctl -d
                  pf disabled
                  [2.4.4-RELEASE][admin@5100.stevew.lan]/root: pfctl -F states
                  3 states cleared
                  

                  Or indeed if pfctl -s info shows the correct state table size count.

                  Steve

                  • M
                    magnus1720
                    last edited by

                    That didn’t change anything either, but I will reinstall pfSense today and import the config. Perhaps this helps.

                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      What about the pfctl state table count at the CLI, was that correct?

                      Steve

                      • M
                        magnus1720 @stephenw10
                        last edited by

                        I did a new install of pfSense on a new VM on the same host, I used the same config as before, and the issue is back -_-

                        @stephenw10
                        Hi

                        No, it doesn’t show the correct info.
                        Below is an output from pfctl -s info where States are at 34572
                        0_1547736652056_states3.PNG
                        But in monitoring you can see the real number of states
                        0_1547736786968_states4.PNG

                        • M
                          magnus1720
                          last edited by

                          Here is an example of some bad states. Notice how the states expire in 00:00:00
                          0_1547741022342_states6.PNG

                          1 Reply Last reply Reply Quote 0
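Added example, not part of the thread or any poster's code: a shell/awk summary of a verbose pf state dump that groups states by destination (the tally magnus1720 made in an Access database) and counts the states reading "expires in 00:00:00". The sample input is constructed, and the `pfctl -v -s states` line layout it parses is an assumption.

```shell
#!/bin/sh
# Constructed sample, laid out like `pfctl -v -s states` output (assumed
# layout: one state line, then an indented "age ..., expires in ..." line).
sample_states() {
cat <<'EOF'
all udp 172.16.80.21:51514 -> 8.8.8.8:53       MULTIPLE:SINGLE
   age 00:41:07, expires in 00:00:00, 1:1 pkts, 71:87 bytes, rule 92
all udp 172.16.80.22:60233 -> 8.8.8.8:53       MULTIPLE:SINGLE
   age 00:39:12, expires in 00:00:00, 1:1 pkts, 64:80 bytes, rule 92
all udp 172.16.80.5:53811 -> 192.0.2.53:53       MULTIPLE:SINGLE
   age 00:00:04, expires in 00:00:26, 1:1 pkts, 70:86 bytes, rule 92
all tcp 198.51.100.7:443 <- 172.16.80.30:49822       ESTABLISHED:ESTABLISHED
   age 00:02:10, expires in 23:58:01, 12:14 pkts, 2210:8841 bytes, rule 92
EOF
}

# Print "total stale destination" per destination, busiest first.
# "stale" = states whose detail line reads "expires in 00:00:00".
summarize_states() {
    awk '
    / (->|<-) / {
        dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "->") { dst = $(i + 1); break }  # out: src -> dst
            if ($i == "<-") { dst = $3; break }         # in:  dst <- src
        }
        if (dst != "") total[dst]++
        next
    }
    /expires in 00:00:00/ && dst != "" { stale[dst]++ }
    END { for (d in total) printf "%d %d %s\n", total[d], stale[d] + 0, d }
    ' | sort -rn
}

# Total number of states sitting at "expires in 00:00:00".
count_stale() {
    summarize_states | awk '{ n += $2 } END { print n + 0 }'
}

# On the firewall: pfctl -v -s states | summarize_states | head
sample_states | summarize_states
```

A large stale count concentrated on a few destinations, alongside a much smaller "current entries" figure from `pfctl -s info`, matches the mismatch reported in this thread.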