Malformed syn-ack

cjlambiii

I have a Raspberry Pi connected to a Cisco switch and the LAN interface of Pfsense connected to the same switch on the same VLAN. I can access the management UI of Pfsense. I can resolve addresses such as www.google.com and I can ping google. What I cannot do is anything that requires a tcp handshake to something beyond the pfsense box. I see the syn leave. I see the syn-ack come back and I see pfsense put it on the wire for the lan. When it hits the rpi it is turned into an rx_error and I don't even see it in a tcp capture. Does anybody have any thoughts on what pfsense is doing to the syn-ack?

I spanned the port that the RPI is connected to and the capture looks like this:

This is the capture from the RPI:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::30b4:e58:8a50:aff2 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:4c:92:15 txqueuelen 1000 (Ethernet)
RX packets 3706 bytes 2429908 (2.3 MiB)
[RX errors 1785] dropped 0 overruns 0 frame 0
TX packets 2606 bytes 223853 (218.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

I would suspect the RPI BUT I am able to access the management UI of Pfsense so that rules out the RPI as the issue. That syn-ack is being jacked up somehow...

KOM

What hardware is pfSense running on? What happen when you take the Cisco out of the loop and connect the Pi directly to pfSense LAN port?

cjlambiii

@KOM Its a Lenovo desktop that I've added a second NIC to. It's the same behavior if I connect the RPI directly to the pfsense box. In fact I went down this rabbit hole because I wanted to put pfsense between my wireless access point and my cable modem and it killed my whole network. From this laptop I was able to ping and resolve names but no joy on tcp.

KOM

TCP retransmissions are a symptom of the problem and not the cause. It could be cable, port, duplex mismatch...

Your capture shows the initial SYN from your server, and the top capture shows that it gets a SYN ACK back, but it doesn't reply with an ACK to finish the handshake (or at least not in the snippet you showed), so each end starts retransmitting. Do you have an IP address conflict, packet storm or switch loop going on? He's retransmitting his SYN ACKs, and you're replying with SYNs as if you're trying to start the handshake.

johnpoz

I have 4 pi's on my network, and cisco sg300 switch.. Have zero issues..

Do you have other devices that can go through pfsense?

cjlambiii

No switching issues or IP conflicts. I am able to get to the management UI of pfsense on that same nic. Which tells me TCP works on the RPI. UDP and ICMP work perfectly to destinations on the other side of the firewall.

This is the only node on this network aside from pfsense.

cjlambiii

@KOM said in Malformed syn-ack:

TCP retransmissions are a symptom of the problem and not the cause. It could be cable, port, duplex mismatch...

Your capture shows the initial SYN from your server, and the top capture shows that it gets a SYN ACK back, but it doesn't reply with an ACK to finish the handshake (or at least not in the snippet you showed), so each end starts retransmitting. Do you have an IP address conflict, packet storm or switch loop going on? He's retransmitting his SYN ACKs, and you're replying with SYNs as if you're trying to start the handshake.

Those syn-acks are becoming rx_errors on the RPI which makes me think they are malformed packets.

KOM

Do a capture on pfSense LAN to see how those packets are leaving the interface to your Pi. Try and find where the breakdown happens.

cjlambiii

@KOM I already did. :) The syn-ack makes it to the switchport that the RPI is connected to. The RPI doesn't like the packet for some reason. Something is wrong with it.

KOM

So the packets are fine out LAN, but are seen as bad after being processed by the Pi NIC...? The traces you showed don't show any bad packets but your NIC stats show receive errors.

cjlambiii

I am beginning to wonder if it is the el'cheapo usb nic that I am using for the LAN interface. I've got a pcie nic arriving tonight.

The bottom line is this should work with all of the default settings out of the box right?

KOM

Yes.

cjlambiii

It was that miserable USB nic. I put the new pcie nic in and as soon as I powered it back on I was online.

cjlambiii

For what its worth it was a Sabernet 10/100 USB nic.

Derelict

"Don't use USB NICs."

"Why?"

"Reasons."

KOM

Yes, if you would have mentioned that the NIC was USB we would have zeroed in on it immediately. I just assumed you were using the NIC on your Pi.