Weird problem with system states
-
What do your WAN rules look like?
You didn't do something crazy like put an allow all rule on the WAN did you? That would also cause abnormally high states because every packet that hits the WAN from some random IP will also get a state.
Would only take one good port scan to get you up very high.
No, I did not mess with WAN rules. It's a clean install. Just added snort.
-
I'll put here my log. If I shouldn't, please say or remove it.
-
That file shows 825 states. Some of them are icmp, others look like DNS requests (53), and the remainder to web sites (80 & 443), mostly google and pfsense-related sites.
Nothing really out of the ordinary there. The file with 11000 states would be more informative if it happens again. csv formatted would help too.
db
-
Ok. I'll post it asap.
-
Can't paste more than 1000 lines to Excel…. hummm..... strange problem. Anyway, here are the pictures. More than 9000. I'm just surfing the net. Have msn connected. And 3 tabs including this one. It seems to be a different number of states shown in the shell. Can I send you some log file or something?
-
12601…
-
I'm at 15004. Well, it seems that the problem with the lines is not in excel. The page that displays states, only shows 1000 lines. I've mailed the page to you clarknova. Sorry for that.
-
No worries. Here's the csv of the first 1000 lines for public scrutiny. At first glance I see a lot of DNS traffic, a lot of connections to an IP address registered to Scott Ullrich, and connections to a machine on your LAN at port 443. Are you running a web server (https/ssl)?
Apparently I can't attach csv, so here's the csv file renamed as a txt.
With a couple people reporting this and both using 1.2.3-RC2, I wonder if it isn't a bug. Another thought looking at the csv is that there appear to be a lot of repeat entries, like connections are being multiplied.
I think one of you should file a bug report. See the link at the top of the forum pages.
db
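A way to check a state dump for the repeat entries and per-service counts mentioned in the post above, added here as an example that is not part of the original thread. It assumes the dump is the text output of `pfctl -ss` in the layout noted in the comment (IPv4 only); the sample lines are constructed.

```python
from collections import Counter

# Constructed sample, not data from the thread. Assumed layout of `pfctl -ss`
# text output: iface proto endpoint direction endpoint [...] state
SAMPLE = """\
all tcp 192.0.2.30:51512 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.30:51512 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.30:51512 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all udp 192.0.2.30:60001 -> 198.51.100.53:53       MULTIPLE:SINGLE
all udp 192.0.2.30:60002 -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 192.0.2.1:443 <- 192.0.2.30:51000       ESTABLISHED:ESTABLISHED
all icmp 192.0.2.30:512 -> 198.51.100.7       0:0
"""

def parse_states(text):
    """Yield (proto, dst_port, normalized_line) for each state entry."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[3] not in ("->", "<-"):
            continue  # skip blanks, headers, anything not shaped like a state
        proto, direction = tok[1], tok[3]
        endpoints = [t for t in tok[2:-1] if t not in ("->", "<-")]
        # "->": the last endpoint is the destination; "<-": the first one is
        dst = endpoints[-1] if direction == "->" else endpoints[0]
        _, sep, port = dst.rpartition(":")
        yield proto, (port if sep else "-"), " ".join(tok)

def summarize(text):
    """Count states per (proto, destination port) and find identical entries."""
    states = list(parse_states(text))
    by_service = Counter((proto, port) for proto, port, _ in states)
    seen = Counter(line for _, _, line in states)
    repeats = {line: n for line, n in seen.items() if n > 1}
    return {"total": len(states), "by_service": by_service, "repeats": repeats}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("total states:", report["total"])
    for (proto, port), n in report["by_service"].most_common():
        print(f"{n:6d}  {proto}/{port}")
    for line, n in report["repeats"].items():
        print(f"x{n}  {line}")
```

Running it against a dump saved from the shell avoids the 1000-line limit of the states page and makes multiplied entries stand out by their repeat count.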
-
Yes. It's as if the firewall doesn't kill old connections. The 443 port is probably the connection to pfsense web server. I have no servers running. Only pfsense and 1 macbook. It's a home network. 192.168.50.1 is pfsense ip. 192.168.50.30 my macbook. 212.55.154.174, 212.55.154.190 my isp dns's.
-
> I think one of you should file a bug report. See the link at the top of the forum pages.
> db
I must be blind :) or one of my filters has kidnapped the link….. pray enlighten me....
IMO, the whole bug report process should be better advertised, as I have now searched and failed, fool that I am...
ta,
ryts
-
Can you try to recreate the problem without any packages installed?
I'm curious to know if it happens on a stock system without any additions.
Also, the bug reporting system is in the process of being moved to here:
http://redmine.pfsense.org
-
OK, nevermind, I can reproduce this now.
Talked to another dev and he says it is likely from the recent (June 11th) patch for fixing multi-wan sticky connections and there is another patch to merge, but there is more testing to do first.
So it should be fixed before too long, and if you roll back to a snap before June 11th you should be OK for now.
-
Upgrade to a snapshot more recent than this post and it should start to behave ok.
-
1.2.3-RC2
built on Sun Jun 14 00:15:01 EDT 2009
Same problem.
-
That snapshot is from early this morning, a new one has not yet been made.
-
> OK, nevermind, I can reproduce this now.
> Talked to another dev and he says it is likely from the recent (June 11th) patch for fixing multi-wan sticky connections and there is another patch to merge, but there is more testing to do first.
> So it should be fixed before too long, and if you roll back to a snap before June 11th you should be OK for now.
I'll wait for 1 more update. If it doesn't get fixed, I'll roll back. Thx all for the answers.
@jimp: Yes, I know. I've tried it now just to see if it was already fixed. ;)
-
Thanks for the info - I have been on Jun 11 17:41:59 EDT 2009 as a workaround.
small matter: the updater informs the latest version as "Sun Jun 14 05:33:50 EDT 2009" yet it is in fact a build from 00:15:xx or so. Why the mismatch in the version file?
-
> Thanks for the info - I have been on Jun 11 17:41:59 EDT 2009 as a workaround.
> small matter: the updater informs the latest version as "Sun Jun 14 05:33:50 EDT 2009" yet it is in fact a build from 00:15:xx or so. Why the mismatch in the version file?
Probably a mismatch of time zones, GMT vs. local time.
-
Ah yes, of course. Devs might fix that, though it is trivial.
-
I was having the problem with states during the week.
I've updated to:
1.2.3-RC2
built on Sun Jun 14 18:15:10 EDT 2009
and it looks like it's fixed now.