Log action is unkn(11)

a.lefebvre

Hi, i'm having a weird issue with a pfsense since yesterday.

I could not connect one of my remote site using RDP, any protocol seems to work except RDP. I tried on some server on the remote network same issue. Seems nobody edit the configuration of the firewall.

In the firewall log I noticed this :

Action is unkn(11)

The action is so sudden and apply to all the server so i really think the pfsense is the problem here. the pfsense is running the following version : 2.1.5-RELEASE (amd64)

Any idea ?

a.lefebvre

More information :

I saw this unkn(11) one time; the issue was about asymmetrical routing.

For my actual problem i double checked, and there is no routing problem.

Any idea ?

a.lefebvre

Here is a packet trace :

(172.20 is the local site and 192.168 is the remote site)

Every time i tried a connection to the remote site i get a RST.

If i try a a connection from the remote site to my site i get the same issue. The server on the remote site send me an RST packet.

May be not a pfsense issue, someone have an idea ?

a.lefebvre

Ok I ran the same test with wireshark on the remote site and that's weird. I start the connection on my site to the remote site. the following two screenshot are from the same TCP session

From my site (172.20.70.22) :

From remote site (192.168.4.23)

We don't have the same thing:
From my site perspective the remote site send the RST flag.
From the remote site perspective, my site sent the RST flag.

Maybe a pfsense issue after all ?

If anyone have an idea that would be nice.

a.lefebvre

I'm still struggling with that.

Is it possible that pfSense create those RST packets and send them to both device ?

a.lefebvre

Another test :

From the remote site I tried to connect to RDP to another computer (out of the company, out of the domain) using another port.

Same issue, i received a RST packet and the connection closed again.

I would really appreciate any help with that.

a.lefebvre

Side question : the pfsense version is kinda outdated - Is that issue have been resolved by an update ?

Can i update it easily to the latest version using manual update (can't autoupdate from China it seems but DNS&Internet is working at)
Is it "safe"  (no known error?) ?

I just found an option in System > Advanced > System Tunables :

net.inet.tcp.blackhole set to 2.  Here is the description : "Drop packets to closed TCP ports without returning a RST "

Seems to be my issue, looks like the pfsense is closing all RDP session with a RST, is there a way to disable that "functionnality" ?

Thanks.

a.lefebvre

In the end pfsense start to work properly again without any modification ….........