Ipfw: pullup failed



  • Can anyone help me i keep on seeing this error? is this has an effect on my network slowdown?

    ipfw: pullup failed
    ipfw: pullup failed
    ipfw: pullup failed
    ipfw: pullup failed
    ipfw: pullup failed
    ipfw: pullup failed
    ipfw: pullup failed
    ipfw: pullup failed
    ipfw: pullup failed

    i kept seeing this on my pfsense box.
    i can provide additional information



  • From the ipfw man page:

    "There are circumstances where fragmented datagrams are unconditionally dropped.  TCP packets are dropped if they do not contain at least 20 bytes of TCP header, UDP packets are dropped if they do not contain a full 8 byte UDP header, and ICMP packets are dropped if they do not contain 4 bytes of ICMP header, enough to specify the ICMP type, code, and checksum.  These packets are simply logged as "pullup failed'' since there may not be enough good data in the packet to produce a meaningful log entry."

    The IPFW message implies that you are seeing low-level network problems with truncated packets.  What does netstat -i and netstat -s | grep frag show?



  • Wow, thanks for the meaningfull info. so in that case is this fine? i have attached the screenshot of netstat -s








  • Run it from pfSense, not from your Windows box.



  • @KOM:

    Run it from pfSense, not from your Windows box.

    Will this help?and we are getting a very slow internet throughout, im thinking that my LAN card is already broken

    | tcp:
    6289138 packets sent
    2732264 data packets (287772502 bytes)
    2777 data packets (1631446 bytes) retransmitted
    61 data packets unnecessarily retransmitted
    0 resends initiated by MTU discovery
    3321026 ack-only packets (0 delayed)
    0 URG only packets
    0 window probe packets
    0 window update packets
    233461 control packets
    6274463 packets received
    3003033 acks (for 287200544 bytes)
    157645 duplicate acks
    0 acks for unsent data
    3095058 packets (281010761 bytes) received in-sequence
    1314 completely duplicate packets (457477 bytes)
    8 old duplicate packets
    2 packets with some dup. data (626 bytes duped)
    378 out-of-order packets (108303 bytes)
    9 packets (0 bytes) of data after window
    0 window probes
    36 window update packets
    1092 packets received after close
    0 discarded for bad checksums
    0 discarded for bad header offset fields
    0 discarded because packet too short
    0 discarded due to memory problems
    12398 connection requests
    209774 connection accepts
    0 bad connection attempts
    0 listen queue overflows
    295 ignored RSTs in the windows
    222152 connections established (including accepts)
    223042 connections closed (including 12220 drops)
    1818 connections updated cached RTT on close
    1853 connections updated cached RTT variance on close
    959 connections updated cached ssthresh on close
    63 embryonic connections dropped
    2764628 segments updated rtt (of 2743764 attempts)
    3198 retransmit timeouts
    89 connections dropped by rexmit timeout
    0 persist timeouts
    0 connections dropped by persist timeout
    0 Connections (fin_wait_2) dropped because of timeout
    139 keepalive timeouts
    118 keepalive probes sent
    21 connections dropped by keepalive
    1594451 correct ACK header predictions
    1988824 correct data packet header predictions
    209773 syncache entries added
    619 retransmitted
    817 dupsyn
    31 dropped
    209774 completed
    0 bucket overflow
    0 cache overflow
    6 reset
    10 stale
    55 aborted
    0 badack
    0 unreach
    0 zone failures
    209804 cookies sent
    72 cookies received
    38 hostcache entries added
    0 bucket overflow
    12 SACK recovery episodes
    76 segment rexmits in SACK recovery episodes
    107457 byte rexmits in SACK recovery episodes
    2136 SACK options (SACK blocks) received
    170 SACK options (SACK blocks) sent
    0 SACK scoreboard overflow
    0 packets with ECN CE bit set
    0 packets with ECN ECT(0) bit set
    0 packets with ECN ECT(1) bit set
    0 successful ECN handshakes
    0 times ECN reduced the congestion window
    0 packets with valid tcp-md5 signature received
    0 packets with invalid tcp-md5 signature received
    0 packets with tcp-md5 signature mismatch
    0 packets with unexpected tcp-md5 signature received
    0 packets without expected tcp-md5 signature received
    udp:
    414943 datagrams received
    0 with incomplete header
    0 with bad data length field
    0 with bad checksum
    0 with no checksum
    14044 dropped due to no socket
    157574 broadcast/multicast datagrams undelivered
    0 dropped due to full socket buffers
    0 not for hashed pcb
    243325 delivered
    235923 datagrams output
    0 times multicast source filter matched
    sctp:
    0 input packets
    0 datagrams
    0 packets that had data
    0 input SACK chunks
    0 input DATA chunks
    0 duplicate DATA chunks
    0 input HB chunks
    0 HB-ACK chunks
    0 input ECNE chunks
    0 input AUTH chunks
    0 chunks missing AUTH
    0 invalid HMAC ids received
    0 invalid secret ids received
    0 auth failed
    0 fast path receives all one chunk
    0 fast path multi-part data
    0 output packets
    0 output SACKs
    0 output DATA chunks
    0 retransmitted DATA chunks
    0 fast retransmitted DATA chunks
    0 FR's that happened more than once to same chunk
    0 output HB chunks
    0 output ECNE chunks
    0 output AUTH chunks
    0 ip_output error counter
    Packet drop statistics:
    0 from middle box
    0 from end host
    0 with data
    0 non-data, non-endhost
    0 non-endhost, bandwidth rep only
    0 not enough for chunk header
    0 not enough data to confirm
    0 where process_chunk_drop said break
    0 failed to find TSN
    0 attempt reverse TSN lookup
    0 e-host confirms zero-rwnd
    0 midbox confirms no space
    0 data did not match TSN
    0 TSN's marked for Fast Retran
    Timeouts:
    0 iterator timers fired
    0 T3 data time outs
    0 window probe (T3) timers fired
    0 INIT timers fired
    0 sack timers fired
    0 shutdown timers fired
    0 heartbeat timers fired
    0 a cookie timeout fired
    0 an endpoint changed its cookiesecret
    0 PMTU timers fired
    0 shutdown ack timers fired
    0 shutdown guard timers fired
    0 stream reset timers fired
    0 early FR timers fired
    0 an asconf timer fired
    0 auto close timer fired
    0 asoc free timers expired
    0 inp free timers expired
    0 packet shorter than header
    0 checksum error
    0 no endpoint for port
    0 bad v-tag
    0 bad SID
    0 no memory
    0 number of multiple FR in a RTT window
    0 RFC813 allowed sending
    0 RFC813 does not allow sending
    0 times max burst prohibited sending
    0 look ahead tells us no memory in interface
    0 numbers of window probes sent
    0 times an output error to clamp down on next user send
    0 times sctp_senderrors were caused from a user
    0 number of in data drops due to chunk limit reached
    0 number of in data drops due to rwnd limit reached
    0 times a ECN reduced the cwnd
    0 used express lookup via vtag
    0 collision in express lookup
    0 times the sender ran dry of user data on primary
    0 same for above
    0 sacks the slow way
    0 window update only sacks sent
    0 sends with sinfo_flags !=0
    0 unordered sends
    0 sends with EOF flag set
    0 sends with ABORT flag set
    0 times protocol drain called
    0 times we did a protocol drain
    0 times recv was called with peek
    0 cached chunks used
    0 cached stream oq's used
    0 unread messages abandonded by close
    0 send burst avoidance, already max burst inflight to net
    0 send cwnd full avoidance, already max burst inflight to net
    0 number of map array over-runs via fwd-tsn's
    ip:
    52119993 total packets received
    2 bad header checksums
    0 with size smaller than minimum
    0 with data size < data length
    0 with ip length > max ip packet size
    0 with header length < data size
    0 with data length < header length
    0 with bad options
    0 with incorrect version number
    0 fragments received
    0 fragments dropped (dup or out of space)
    0 fragments dropped after timeout
    0 packets reassembled ok
    6904891 packets for this host
    1 packet for unknown/unsupported protocol
    21931990 packets forwarded (0 packets fast forwarded)
    2804 packets not forwardable
    0 packets received for unknown multicast group
    0 redirects sent
    6748199 packets sent from this host
    0 packets sent with fabricated ip header
    0 output packets dropped due to no bufs, etc.
    19 output packets discarded due to no route
    7 output datagrams fragmented
    21 fragments created
    0 datagrams that can't be fragmented
    0 tunneling packets that can't find gif
    0 datagrams with bad address in header
    icmp:
    2951 calls to icmp_error
    0 errors not generated in response to an icmp message
    Output histogram:
    echo reply: 301
    destination unreachable: 2782
    time exceeded: 169
    0 messages with bad code fields
    0 messages less than the minimum length
    0 messages with bad checksum
    0 messages with bad length
    0 multicast echo requests ignored
    0 multicast timestamp requests ignored
    Input histogram:
    echo reply: 214740
    destination unreachable: 444
    echo: 301
    301 message responses generated
    0 invalid return addresses
    0 no return routes
    ICMP address mask responses are disabled
    igmp:
    1 message received
    0 messages received with too few bytes
    0 messages received with wrong TTL
    0 messages received with bad checksum
    1 V1/V2 membership query received
    0 V3 membership queries received
    0 membership queries received with invalid field(s)
    1 general query received
    0 group queries received
    0 group-source queries received
    0 group-source queries dropped
    0 membership reports received
    0 membership reports received with invalid field(s)
    0 membership reports received for groups to which we belong
    0 V3 reports received without Router Alert
    2 membership reports sent
    ipsec:
    0 inbound packets violated process security policy
    0 inbound packets failed due to insufficient memory
    0 invalid inbound packets
    0 outbound packets violated process security policy
    0 outbound packets with no SA available
    0 outbound packets failed due to insufficient memory
    0 outbound packets with no route available
    0 invalid outbound packets
    0 outbound packets with bundled SAs
    0 mbufs coalesced during clone
    0 clusters coalesced during clone
    0 clusters copied during clone
    0 mbufs inserted during makespace
    ah:
    0 packets shorter than header shows
    0 packets dropped; protocol family not supported
    0 packets dropped; no TDB
    0 packets dropped; bad KCR
    0 packets dropped; queue full
    0 packets dropped; no transform
    0 replay counter wraps
    0 packets dropped; bad authentication detected
    0 packets dropped; bad authentication length
    0 possible replay packets detected
    0 packets in
    0 packets out
    0 packets dropped; invalid TDB
    0 bytes in
    0 bytes out
    0 packets dropped; larger than IP_MAXPACKET
    0 packets blocked due to policy
    0 crypto processing failures
    0 tunnel sanity check failures
    esp:
    0 packets shorter than header shows
    0 packets dropped; protocol family not supported
    0 packets dropped; no TDB
    0 packets dropped; bad KCR
    0 packets dropped; queue full
    0 packets dropped; no transform
    0 packets dropped; bad ilen
    0 replay counter wraps
    0 packets dropped; bad encryption detected
    0 packets dropped; bad authentication detected
    0 possible replay packets detected
    0 packets in
    0 packets out
    0 packets dropped; invalid TDB
    0 bytes in
    0 bytes out
    0 packets dropped; larger than IP_MAXPACKET
    0 packets blocked due to policy
    0 crypto processing failures
    0 tunnel sanity check failures
    ipcomp:
    0 packets shorter than header shows
    0 packets dropped; protocol family not supported
    0 packets dropped; no TDB
    0 packets dropped; bad KCR
    0 packets dropped; queue full
    0 packets dropped; no transform
    0 replay counter wraps
    0 packets in
    0 packets out
    0 packets dropped; invalid TDB
    0 bytes in
    0 bytes out
    0 packets dropped; larger than IP_MAXPACKET
    0 packets blocked due to policy
    0 crypto processing failures
    0 packets sent uncompressed; size < compr. algo. threshold
    0 packets sent uncompressed; compression was useless
    pim:
    0 messages received
    0 bytes received
    0 messages received with too few bytes
    0 messages received with bad checksum
    0 messages received with bad version
    0 data register messages received
    0 data register bytes received
    0 data register messages received on wrong iif
    0 bad registers received
    0 data register messages sent
    0 data register bytes sent
    carp:
    0 packets received (IPv4)
    0 packets received (IPv6)
    0 packets discarded for wrong TTL
    0 packets shorter than header
    0 discarded for bad checksums
    0 discarded packets with a bad version
    0 discarded because packet too short
    0 discarded for bad authentication
    0 discarded for bad vhid
    0 discarded because of a bad address list
    0 packets sent (IPv4)
    0 packets sent (IPv6)
    0 send failed due to mbuf memory error
    pfsync:
    0 packets received (IPv4)
    0 packets received (IPv6)
        0 clear all requests received
        0 state inserts received
        0 state inserted acks received
        0 state updates received
        0 compressed state updates received
        0 uncompressed state requests received
        0 state deletes received
        0 compressed state deletes received
        0 fragment inserts received
        0 fragment deletes received
        0 bulk update marks received
        0 TDB replay counter updates received
        0 end of frame marks received
    0 packets discarded for bad interface
    0 packets discarded for bad ttl
    0 packets shorter than header
    0 packets discarded for bad version
    0 packets discarded for bad HMAC
    0 packets discarded for bad action
    0 packets discarded for short packet
    0 states discarded for bad values
    0 stale states
    0 failed state lookup/inserts
    0 packets sent (IPv4)
    0 packets sent (IPv6)
        0 clear all requests sent
        0 state inserts sent
        0 state inserted acks sent
        0 state updates sent
        0 compressed state updates sent
        0 uncompressed state requests sent
        0 state deletes sent
        0 compressed state deletes sent
        0 fragment inserts sent
        0 fragment deletes sent
        0 bulk update marks sent
        0 TDB replay counter updates sent
        0 end of frame marks sent
    0 failures due to mbuf memory error
    0 send errors
    arp:
    2605 ARP requests sent
    25483 ARP replies sent
    103700 ARP requests received
    1257 ARP replies received
    104957 ARP packets received
    2984 total packets dropped due to no ARP entry
    1458 ARP entrys timed out
    0 Duplicate IPs seen
    ip6:
    1711 total packets received
    0 with size smaller than minimum
    0 with data size < data length
    0 with bad options
    0 with incorrect version number
    0 fragments received
    0 fragments dropped (dup or out of space)
    0 fragments dropped after timeout
    0 fragments that exceeded limit
    0 packets reassembled ok
    125 packets for this host
    0 packets forwarded
    0 packets not forwardable
    0 redirects sent
    45 packets sent from this host
    0 packets sent with fabricated ip header
    0 output packets dropped due to no bufs, etc.
    81 output packets discarded due to no route
    0 output datagrams fragmented
    0 fragments created
    0 datagrams that can't be fragmented
    0 packets that violated scope rules
    125 multicast packets which we don't join
    Input histogram:
    hop by hop: 261
    UDP: 1185
    ICMP6: 265
    Mbuf statistics:
    0 one mbuf
    1711 one ext mbuf
    0 two or more ext mbuf
    0 packets whose headers are not contiguous
    0 tunneling packets that can't find gif
    0 packets discarded because of too many headers
    1060 failures of source address selection
    source addresses on a non-outgoing I/F
    1060 addresses scope=f
    Source addresses selection rule applied:
    1060 same address
    icmp6:
    0 calls to icmp6_error
    0 errors not generated in response to an icmp6 message
    0 errors not generated because of rate limitation
    Output histogram:
    neighbor solicitation: 21
    MLDv2 listener report: 18
    0 messages with bad code fields
    0 messages < minimum length
    0 bad checksums
    0 messages with bad length
    Input histogram:
    router advertisement: 132
    neighbor advertisement: 8
    Histogram of error messages to be generated:
    0 no route
    0 administratively prohibited
    0 beyond scope
    0 address unreachable
    0 port unreachable
    0 packet too big
    0 time exceed transit
    0 time exceed reassembly
    0 erroneous header field
    0 unrecognized next header
    0 unrecognized option
    0 redirect
    0 unknown
    0 message responses generated
    0 messages with too many ND options
    0 messages with bad ND options
    0 bad neighbor solicitation messages
    0 bad neighbor advertisement messages
    0 bad router solicitation messages
    0 bad router advertisement messages
    0 bad redirect messages
    0 path MTU changes
    ipsec6:
    0 inbound packets violated process security policy
    0 inbound packets failed due to insufficient memory
    0 invalid inbound packets
    0 outbound packets violated process security policy
    0 outbound packets with no SA available
    0 outbound packets failed due to insufficient memory
    0 outbound packets with no route available
    0 invalid outbound packets
    0 outbound packets with bundled SAs
    0 mbufs coalesced during clone
    0 clusters coalesced during clone
    0 clusters copied during clone
    0 mbufs inserted during makespace
    rip6:
    0 messages received
    0 checksum calculations on inbound
    0 messages with bad checksum
    0 messages dropped due to no socket
    0 multicast messages dropped due to no socket
    0 messages dropped due to full socket buffers
    0 delivered
    0 datagrams output
    pfkey:
    36 requests sent from userland
    3328 bytes sent from userland
    histogram by message type:
    register: 2
    x_spdadd: 18
    x_spddelete: 16
    0 messages with invalid length field
    0 messages with invalid version field
    0 messages with invalid message type field
    0 messages too short
    0 messages with memory allocation failure
    0 messages with duplicate extension
    0 messages with invalid extension type
    0 messages with invalid sa type
    0 messages with invalid address extension
    36 requests sent to userland
    3712 bytes sent to userland
    histogram by message type:
    register: 2
    x_spdadd: 18
    x_spddelete: 16
    0 messages toward single socket
    34 messages toward all sockets
    2 messages toward registered sockets
    0 messages with memory allocation failure |



  • I'm not sure what your problem is.  You don't seem to have excess fragmentation.  You could try swapping out the NIC and see if it goes away but I have no other suggestions.