[Solved] Over 9000 established states from single host with long expiration time
My Xubuntu desktop, running only the Firefox browser, Pidgin IM and the Deluge torrent client, is using up the whole state table. All the states have a long expiration time, so it's hogging the state table and leaving other hosts unable to open webpages because all the states are used up (10,000).
I thought it was the torrent client making all these connections and I shut it down, but the problem persists. I ran netstat on the host but there are very few connections to be suspicious of. This is part of my pftop capture on my pfSense 1.2.2 box:
pfTop: Up State 6301-6335/10006, View: default, Order: none, Cache: 10000 17:04:06
PR  DIR SRC               DEST                STATE                   AGE      EXP      PKTS BYTES
tcp In  10.11.12.31:45669 76.73.16.197:36026  ESTABLISHED:ESTABLISHED 03:04:02 04:56:28 16   2157
tcp Out 10.11.12.31:45669 76.73.16.197:36026  ESTABLISHED:ESTABLISHED 03:04:02 04:56:28 16   2157
tcp In  10.11.12.31:47384 76.73.16.88:7026    ESTABLISHED:ESTABLISHED 03:04:00 04:56:40 15   2098
tcp Out 10.11.12.31:47384 76.73.16.88:7026    ESTABLISHED:ESTABLISHED 03:04:00 04:56:40 15   2098
tcp In  10.11.12.31:42032 74.63.109.80:19026  ESTABLISHED:ESTABLISHED 03:04:00 04:56:13 15   2096
tcp Out 10.11.12.31:42032 74.63.109.80:19026  ESTABLISHED:ESTABLISHED 03:04:00 04:56:13 15   2096
tcp In  10.11.12.31:51877 76.73.15.8:7026     ESTABLISHED:ESTABLISHED 03:03:59 04:56:21 15   2099
tcp Out 10.11.12.31:51877 76.73.15.8:7026     ESTABLISHED:ESTABLISHED 03:03:59 04:56:21 15   2099
tcp In  10.11.12.31:58745 76.73.16.66:25026   ESTABLISHED:ESTABLISHED 03:03:59 04:56:24 15   2105
tcp Out 10.11.12.31:58745 76.73.16.66:25026   ESTABLISHED:ESTABLISHED 03:03:59 04:56:24 15   2105
tcp In  10.11.12.31:41252 74.63.110.112:21026 ESTABLISHED:ESTABLISHED 03:03:58 04:55:54 15   2094
tcp Out 10.11.12.31:41252 74.63.110.112:21026 ESTABLISHED:ESTABLISHED 03:03:58 04:55:54 15   2094
tcp In  10.11.12.31:49680 76.73.15.235:34026  ESTABLISHED:ESTABLISHED 03:03:57 04:56:24 15   2089
tcp Out 10.11.12.31:49680 76.73.15.235:34026  ESTABLISHED:ESTABLISHED 03:03:57 04:56:24 15   2089
tcp In  10.11.12.31:38311 74.63.109.105:14026 ESTABLISHED:ESTABLISHED 03:03:57 04:56:39 15   2097
tcp Out 10.11.12.31:38311 74.63.109.105:14026 ESTABLISHED:ESTABLISHED 03:03:57 04:56:39 15   2097
tcp In  10.11.12.31:56997 76.73.16.87:6026    ESTABLISHED:ESTABLISHED 03:03:54 04:56:26 15   2098
tcp Out 10.11.12.31:56997 76.73.16.87:6026    ESTABLISHED:ESTABLISHED 03:03:54 04:56:26 15   2098
tcp In  10.11.12.31:49237 74.63.109.71:10026  ESTABLISHED:ESTABLISHED 03:03:53 04:56:08 15   2096
tcp Out 10.11.12.31:49237 74.63.109.71:10026  ESTABLISHED:ESTABLISHED 03:03:53 04:56:08 15   2096
tcp In  10.11.12.31:40281 76.73.14.15:14026   ESTABLISHED:ESTABLISHED 03:03:53 04:56:36 15   2097
tcp Out 10.11.12.31:40281 76.73.14.15:14026   ESTABLISHED:ESTABLISHED 03:03:53 04:56:36 15   2097
tcp In  10.11.12.31:54998 74.63.111.9:17002   ESTABLISHED:ESTABLISHED 03:03:49 04:56:05 15   2096
tcp Out 10.11.12.31:54998 74.63.111.9:17002   ESTABLISHED:ESTABLISHED 03:03:49 04:56:05 15   2096
tcp In  10.11.12.31:44651 76.73.15.5:4026     ESTABLISHED:ESTABLISHED 03:03:49 04:56:43 15   2096
tcp Out 10.11.12.31:44651 76.73.15.5:4026     ESTABLISHED:ESTABLISHED 03:03:49 04:56:43 15   2096
tcp In  10.11.12.31:34147 76.73.17.17:16026   ESTABLISHED:ESTABLISHED 03:03:49 04:56:46 15   1732
tcp Out 10.11.12.31:34147 76.73.17.17:16026   ESTABLISHED:ESTABLISHED 03:03:49 04:56:46 15   1732
tcp In  10.11.12.31:40225 76.73.15.109:28026  ESTABLISHED:ESTABLISHED 03:03:48 04:56:37 15   2099
tcp Out 10.11.12.31:40225 76.73.15.109:28026  ESTABLISHED:ESTABLISHED 03:03:48 04:56:37 15   2099
tcp In  10.11.12.31:45700 74.63.108.164:13026 ESTABLISHED:ESTABLISHED 03:03:48 04:56:52 15   2099
tcp Out 10.11.12.31:45700 74.63.108.164:13026 ESTABLISHED:ESTABLISHED 03:03:48 04:56:52 15   2099
tcp In  10.11.12.31:55581 74.63.110.108:17026 ESTABLISHED:ESTABLISHED 03:03:47 04:56:13 15   2089
tcp Out 10.11.12.31:55581 74.63.110.108:17026 ESTABLISHED:ESTABLISHED 03:03:47 04:56:13 15   2089
tcp In  10.11.12.31:53960 74.63.110.44:13026  ESTABLISHED:ESTABLISHED 03:03:46 04:57:32 17   2208
I noticed that most connections are to port number ##026 on the remote host. 10.11.12.31 is my desktop. I reset the states but in a short while they're back again. My BSD/Linux and networking skills are only the basics. I need help finding out what is causing all these connections.
Edit: Found out it was the torrent client creating these connections. Reduced it by lowering half-open connections from 100 to 20.
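
Added example (not part of the original post): a small Python script that parses pftop default-view rows like the capture above and counts, per source host, how many state-table entries it holds and how many of them are old ESTABLISHED states with almost no traffic, which is the pattern in the capture. The sample rows are constructed, and the function names and the min_age / max_pkts thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed rows in the pftop default-view layout from the post;
# remote addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE = """\
tcp In  10.11.12.31:45669 192.0.2.197:36026  ESTABLISHED:ESTABLISHED 03:04:02 04:56:28 16 2157
tcp Out 10.11.12.31:45669 192.0.2.197:36026  ESTABLISHED:ESTABLISHED 03:04:02 04:56:28 16 2157
tcp In  10.11.12.31:47384 198.51.100.88:7026 ESTABLISHED:ESTABLISHED 03:04:00 04:56:40 15 2098
tcp Out 10.11.12.31:47384 198.51.100.88:7026 ESTABLISHED:ESTABLISHED 03:04:00 04:56:40 15 2098
tcp In  10.11.12.31:54998 203.0.113.9:17002  ESTABLISHED:ESTABLISHED 03:03:49 04:56:05 15 2096
tcp In  10.11.12.40:51512 203.0.113.20:443   ESTABLISHED:ESTABLISHED 00:02:10 23:59:58 840 912345
tcp In  10.11.12.40:51530 203.0.113.20:443   FIN_WAIT_2:FIN_WAIT_2   00:00:40 00:00:50 22 6120
"""

ROW = re.compile(
    r"^\w+\s+(?:In|Out)\s+(?P<src>[\d.]+):\d+\s+[\d.]+:(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<age>\d+:\d+:\d+)\s+\d+:\d+:\d+\s+(?P<pkts>\d+)\s+\d+\s*$")

def seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def summarize(text, min_age=3600, max_pkts=50):
    """Count states per source, idle long-lived ESTABLISHED states, and their port suffixes."""
    total, idle, suffix = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, column header, or a wrapped/partial row
        src = m["src"]
        total[src] += 1  # every row (In and Out alike) is one state-table slot
        if (m["state"] == "ESTABLISHED:ESTABLISHED"
                and seconds(m["age"]) >= min_age and int(m["pkts"]) <= max_pkts):
            idle[src] += 1  # old but nearly silent: held open, not used
            suffix[m["dport"][-3:]] += 1  # last three digits of the remote port
    return total, idle, suffix

def report(text, state_limit):
    total, idle, suffix = summarize(text)
    out = [f"{sum(total.values())}/{state_limit} states parsed"]
    for src, n in total.most_common():
        out.append(f"{src}: {n} states, {idle[src]} idle ESTABLISHED")
    out.append("idle port suffixes: " + ", ".join(f"{s} x{n}" for s, n in suffix.most_common()))
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE, state_limit=10006)))
```

A host whose idle count is a large share of the state limit is the one to look at first; a repeated remote-port suffix among those idle states points to a single application behind them.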