1. Home
  2. pfSense® Software
  3. Firewalling
  4. Malformed syn-ack

Malformed syn-ack

  • C

    I have a Raspberry Pi connected to a Cisco switch and the LAN interface of Pfsense connected to the same switch on the same VLAN. I can access the management UI of Pfsense. I can resolve addresses such as www.google.com and I can ping google. What I cannot do is anything that requires a tcp handshake to something beyond the pfsense box. I see the syn leave. I see the syn-ack come back and I see pfsense put it on the wire for the lan. When it hits the rpi it is turned into an rx_error and I don't even see it in a tcp capture. Does anybody have any thoughts on what pfsense is doing to the syn-ack?

    I spanned the port that the RPI is connected to and the capture looks like this:
    d2487d72-1493-4927-a1e0-057702776b28-image.png

    This is the capture from the RPI:

    751a874b-f591-4c25-8df0-9863315654da-image.png

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255
    inet6 fe80::30b4:e58:8a50:aff2 prefixlen 64 scopeid 0x20<link>
    ether b8:27:eb:4c:92:15 txqueuelen 1000 (Ethernet)
    RX packets 3706 bytes 2429908 (2.3 MiB)
    [RX errors 1785] dropped 0 overruns 0 frame 0
    TX packets 2606 bytes 223853 (218.6 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    I would suspect the RPI BUT I am able to access the management UI of Pfsense so that rules out the RPI as the issue. That syn-ack is being jacked up somehow...

    0
  • KOM

    What hardware is pfSense running on? What happen when you take the Cisco out of the loop and connect the Pi directly to pfSense LAN port?

    0 C 1 Reply
  • C

    @KOM Its a Lenovo desktop that I've added a second NIC to. It's the same behavior if I connect the RPI directly to the pfsense box. In fact I went down this rabbit hole because I wanted to put pfsense between my wireless access point and my cable modem and it killed my whole network. From this laptop I was able to ping and resolve names but no joy on tcp.

    0
  • KOM

    TCP retransmissions are a symptom of the problem and not the cause. It could be cable, port, duplex mismatch...

    Your capture shows the initial SYN from your server, and the top capture shows that it gets a SYN ACK back, but it doesn't reply with an ACK to finish the handshake (or at least not in the snippet you showed), so each end starts retransmitting. Do you have an IP address conflict, packet storm or switch loop going on? He's retransmitting his SYN ACKs, and you're replying with SYNs as if you're trying to start the handshake.

    0 C 1 Reply
  • johnpoz
    LAYER 8 Global Moderator

    I have 4 pi's on my network, and cisco sg300 switch.. Have zero issues..

    Do you have other devices that can go through pfsense?

    0
  • C

    No switching issues or IP conflicts. I am able to get to the management UI of pfsense on that same nic. Which tells me TCP works on the RPI. UDP and ICMP work perfectly to destinations on the other side of the firewall.

    This is the only node on this network aside from pfsense.

    0
  • C

    @KOM said in Malformed syn-ack:

    TCP retransmissions are a symptom of the problem and not the cause. It could be cable, port, duplex mismatch...

    Your capture shows the initial SYN from your server, and the top capture shows that it gets a SYN ACK back, but it doesn't reply with an ACK to finish the handshake (or at least not in the snippet you showed), so each end starts retransmitting. Do you have an IP address conflict, packet storm or switch loop going on? He's retransmitting his SYN ACKs, and you're replying with SYNs as if you're trying to start the handshake.

    Those syn-acks are becoming rx_errors on the RPI which makes me think they are malformed packets.

    0
  • KOM

    Do a capture on pfSense LAN to see how those packets are leaving the interface to your Pi. Try and find where the breakdown happens.

    0 C 1 Reply
  • C

    @KOM I already did. :) The syn-ack makes it to the switchport that the RPI is connected to. The RPI doesn't like the packet for some reason. Something is wrong with it.

    0
  • KOM

    So the packets are fine out LAN, but are seen as bad after being processed by the Pi NIC...? The traces you showed don't show any bad packets but your NIC stats show receive errors.

    0
  • C

    I am beginning to wonder if it is the el'cheapo usb nic that I am using for the LAN interface. I've got a pcie nic arriving tonight.

    The bottom line is this should work with all of the default settings out of the box right?

    0
  • KOM

    Yes.

    0
  • C

    It was that miserable USB nic. I put the new pcie nic in and as soon as I powered it back on I was online.

    0
  • C

    For what its worth it was a Sabernet 10/100 USB nic.

    0
  • Derelict
    LAYER 8 Netgate

    "Don't use USB NICs."

    "Why?"

    "Reasons."

    0
  • KOM

    Yes, if you would have mentioned that the NIC was USB we would have zeroed in on it immediately. I just assumed you were using the NIC on your Pi.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy