PF States limit reached.
-
Also the firewall had a kernel panic on reboot.(decide to reboot it because the graphs were not working).
I checked in /var/crashes and there was no dump.
-
So this problem happens every 200 days or so? Uptime in screenshot.....
-
No it happens once a day for the last 3 days. I don't reboot the firewall, I just flush the states. "pfctl -F states all"
-
Just wanted to report it has not happened since I put the limits on.
-
You can probably find in your logs what device(s) are attempting to open so many sessions and address whatever is happening - i.e. malware or what have you.
-
Just to report it happened again. In my eyes, there are two options: Option 1 is adaptive timeouts are not working. Option 2 is the device somehow running out of memory. I can see in the monitoring graph that when the states reach roughly 900k the device becomes un-resposive. I've set much lower adaptive timeouts now and put the max states to 5mil(8G RAM). max src states is at 8096 on each firewall rule.
If anybody has a suggestion on how to simulate a lot of connection states from multiple IP, I would love to hear it.
-
You're not alone: https://www.google.com/search?client=firefox-b-1-d&channel=cus&q=pfsense+pf+states+limit+reached
this one mentions a Spiceworks scan of a large subnet:
https://forum.netgate.com/topic/81059/zone-pf-states-pf-states-limit-reached-how-to-find-the-offender/10
Given that post (simultaneous scan), how often are the adaptive timeouts processed/changed/updated by pfSense? (instantly, every 5 minutes, etc.) -
When I recommended 8k states, that was a very high ceiling. It works well in my environment but in most environments that can be far far lower with no negative impacts on user experience. 512 is a reasonable limit to impose on your allow rules. You may want to try that as an alternative to more RAM :)
-
Is this running on Hyper-V?
-
@Derelict said in PF States limit reached.:
Is this running on Hyper-V?
Appreciate your reply. It is on a physical box. Supemicro Atom C2750.