Weird continuous icmp connection on pfSense

Sector8899 · Sep 1, 2020, 3:21 PM

I've noticed a very strange and long-lasting icmp connection on my pfsense box (192.168.1.1)

pfTop: Up State 1-100/2218 (2459), View: default, Order: bytes
PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
icmp      In  192.168.1.20:3075             192.168.1.1:3075                        0:0            75:45:51  00:00:09   545104 45788736

Apparently a server in my network has established this connection for 75 days, which is weird since the uptime of the server is only 3 days.

I also don't recognize the port 3075 it is using.

Of course, I can just drop this state from the states table, but I'm curious as to what it is exactly.

JKnott · Sep 1, 2020, 3:58 PM

@W5Ofwur1xtOmtk9ZBO

????

ICMP doesn't have connections. Each message stands alone. Also, it doesn't use ports, it uses message types.

Sector8899 · Sep 1, 2020, 4:01 PM

@JKnott ok thank you. Then what does this state in pfTop mean?

JKnott · Sep 1, 2020, 4:10 PM

@W5Ofwur1xtOmtk9ZBO

I don't know, I don't use pfTop.

johnpoz · Sep 1, 2020, 5:28 PM

pftop is just using the icmp ID as the port.. This is how it matches up return traffic to specific icmp IDs.. when you send a request, the reply will use the same ID..

Sector8899 · Sep 1, 2020, 7:03 PM

I have deleted the state, but it just comes back (on the same port).

Then I restarted the other server and the state is gone. However, there is a new ICMP one but on a different port. This time it's 1228 instead of 3075

login-to-view

So you're saying that's normal?

stephenw10 · Sep 1, 2020, 7:28 PM

What is that device at 192.168.1.20?

If you check the WAN you will see a similar old ICMP state that us pfSense pinging something to monitor the connection. I imagine that server is doing something similar.

Steve

johnpoz · Sep 1, 2020, 7:30 PM

@W5Ofwur1xtOmtk9ZBO said in Weird continuous icmp connection on pfSense:

. This time it's 1228 instead of 3075

Yeah because it changed the ID of the icmp request.. They are suppose to be random..

stephenw10 · Sep 1, 2020, 7:33 PM

@johnpoz said in Weird continuous icmp connection on pfSense:

They are suppose to be random..

Unless it's Windows....fun the first time you see a ping fail from Windows because another Windows device has already opened that state.

johnpoz · Sep 1, 2020, 7:39 PM

Well even if random that "could" happen.. If you have enough devices on the network doing pings.. It would be random chance that they ping with the same ID to cause a problem at the firewall.

But that could be a bit a pain to track down ;) Failed ping - whats in the state table would prob be the very last place I would look ;)

stephenw10 · Sep 1, 2020, 8:14 PM

Oh I've felt that pain!