Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Weird continuous icmp connection on pfSense

    Scheduled Pinned Locked Moved General pfSense Questions
    11 Posts 4 Posters 884 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Sector8899
      last edited by

      I've noticed a very strange and long-lasting icmp connection on my pfsense box (192.168.1.1)

      pfTop: Up State 1-100/2218 (2459), View: default, Order: bytes
      PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
      icmp      In  192.168.1.20:3075             192.168.1.1:3075                        0:0            75:45:51  00:00:09   545104 45788736
      

      Apparently a server in my network has established this connection for 75 days, which is weird since the uptime of the server is only 3 days.

      I also don't recognize the port 3075 it is using.

      Of course, I can just drop this state from the states table, but I'm curious as to what it is exactly.

      JKnottJ 1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott @Sector8899
        last edited by

        @W5Ofwur1xtOmtk9ZBO

        ????

        ICMP doesn't have connections. Each message stands alone. Also, it doesn't use ports, it uses message types.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        S 1 Reply Last reply Reply Quote 0
        • S
          Sector8899 @JKnott
          last edited by

          @JKnott ok thank you. Then what does this state in pfTop mean?

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott @Sector8899
            last edited by

            @W5Ofwur1xtOmtk9ZBO

            I don't know, I don't use pfTop.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              pftop is just using the icmp ID as the port.. This is how it matches up return traffic to specific icmp IDs.. when you send a request, the reply will use the same ID..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 1
              • S
                Sector8899
                last edited by

                I have deleted the state, but it just comes back (on the same port).

                Then I restarted the other server and the state is gone. However, there is a new ICMP one but on a different port. This time it's 1228 instead of 3075

                4c510b93-9b9b-4f8f-af16-89df37a73bfd-image.png

                So you're saying that's normal?

                johnpozJ 1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  What is that device at 192.168.1.20?

                  If you check the WAN you will see a similar old ICMP state that us pfSense pinging something to monitor the connection. I imagine that server is doing something similar.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @Sector8899
                    last edited by

                    @W5Ofwur1xtOmtk9ZBO said in Weird continuous icmp connection on pfSense:

                    . This time it's 1228 instead of 3075

                    Yeah because it changed the ID of the icmp request.. They are suppose to be random..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    stephenw10S 1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator @johnpoz
                      last edited by

                      @johnpoz said in Weird continuous icmp connection on pfSense:

                      They are suppose to be random..

                      Unless it's Windows....fun the first time you see a ping fail from Windows because another Windows device has already opened that state. ๐Ÿ™„

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        Well even if random that "could" happen.. If you have enough devices on the network doing pings.. It would be random chance that they ping with the same ID to cause a problem at the firewall.

                        But that could be a bit a pain to track down ;) Failed ping - whats in the state table would prob be the very last place I would look ;)

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          Oh I've felt that pain! ๐Ÿ˜‰

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.