Weird problem with system states
-
I'm having a problem with states table. Web interfave shows lots of them but, with pftop, everything seems right. Is it me or there's something wrong here?
Last snapshot, full install, 512 MB p3 1000Mhz. Doing pppoe thru bridged router.
-
Have you clicked on the "show states" link to see what they are? 11000+ looks like a lot to me, but I only run pfsense at home. 11000 would be rather normal on a large network (and conceivable on even a simple home network with a bunch of torrents running). So what's your situation? What do the bulk of those states look like?
db
-
I've turned off all my computers. It's a home network. Before the update, states didn't pass 100-200. No torrents or downloads.
I've updated to lastest snapshot, and the problem seems to have desappeared. 2009-06-13-0944.
I have another pfsense box that serves 5 wireless access points for 300+ computers. In that box it's normal to have 9000-10000 states. But in my home, I've never saw it above 600. Anyway, it seems normal, now. if I get this again, I'll post it again.
-
As clarknova was saying, you need to go to Diagnostics > States, and view the state count/list there.
Odds are, you had something on your network which was making a lot of connections (and Bittorrent will do this, among others), or something with a virus, etc.
-
My states shows what's in the picture. My only connected computer is my macbook. Despite the number, states shown on the page don't seem to be more than 40 ou 50.
-
A virus was my first guess. I've tryed all computers shut down and use freenas console to connect to pfsense and it's the same. Something is creating states… It started with the fresh install of http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/updates/pfSense-Full-Update-1.2.3-20090612-0600.tgz
Would it help if I posted complete log with ip?
-
What do your WAN rules look like?
You didn't do something crazy like put an allow all rule on the WAN did you? That would also cause abnormally high states because every packet that hits the WAN from some random IP will also get a state.
Would only take one good port scan to get you up very high.
-
There is a states problem on my box as well, 1.2.3-RC2 built on Sat Jun 13 09:44:26 EDT 2009.
States climb to over the 10000 limit for no reason. Bug it seems.
ryts
-
What do your WAN rules look like?
You didn't do something crazy like put an allow all rule on the WAN did you? That would also cause abnormally high states because every packet that hits the WAN from some random IP will also get a state.
Would only take one good port scan to get you up very high.
No, I did not messed with wan rules. It's a clean install. Just added snort.
-
I'll put here my log. If I shouldn't, please say or remove it.
-
That file shows 825 states. Some of them are icmp, others look like DNS requests (53), and the remainder to web sites (80 & 443), mostly google and pfsense-related sites.
Nothing really out of the ordinary there. The file with 11000 states would be more informative if it happens again. csv formatted would help too.
db
-
Ok. I'll post it asap.
-
Can't past more than 1000 lines to excel…. hummm..... strange problem. Anyway, here are the pictures. more than 9000. I'm just surfing the net. Have msn connected. And 3 tabs including this one. It seems to be a diferent number of states shown in the shell. Can I send you some log file or something?
-
12601…
-
I'm at 15004. Well, it seems that the problem with the lines is not in excel. The page that displays states, only shows 1000 lines. I've mailed the page to you clarknova. Sorry for that.
-
No worries. Here's the csv of the first 1000 lines for public scrutiny. At first glance I see a lot of DNS traffic, a lot of connections to an IP address registered to Scott Ullrich, and connections to a machine on your LAN at port 443. Are you running a web server (https/ssl)?
Apparently I can't attach csv, so here's the csv file renamed as a txt.
With a couple people reporting this and both using 1.2.3-RC2, I wonder if it isn't a bug. Another thought looking at the csv is that there appear to be a lot of repeat entries, like connections are being multiplied.
I think one of you should file a bug report. See the link at the top of the forum pages.
db
-
Yes. It's like if the firewall doesn't kill old connections. the 443 port is probably the connection to pfsense web server. I have no servers running. Only pfsense and 1 macbook. It's a home network. 192.168.50.1 is pfsense ip. 192.168.50.30 my macbook. 212.55.154.174, 212.55.154.190 my isp dns's.
-
I think one of you should file a bug report. See the link at the top of the forum pages.
db
I must be blind :) or one of my filters has kidnapped the link….. pray enlighten me....
IMO, the whole bug report process should be better advertised, as I have now searched and failed fool that I am...
ta,
ryts
-
Can you try to recreate the problem without any packages installed?
I'm curious to know if it happens on a stock system without any additions.
Also, the bug reporting system is in the process of being moved to here:
http://redmine.pfsense.org
-
OK, nevermind, I can reproduce this now.
Talked to another dev and he says it is likely from the recent (June 11th) patch for fixing multi-wan sticky connections and there is another patch to merge, but there is more testing to do first.
So it should be fixed before too long, and if you roll back to a snap before June 11th you should be OK for now.
-
Upgrade to a snapshot more recent than this post and it should start to behave ok.
-
1.2.3-RC2
built on Sun Jun 14 00:15:01 EDT 2009Same problem.
-
That snapshot is from early this morning, a new one has not yet been made.
-
OK, nevermind, I can reproduce this now.
Talked to another dev and he says it is likely from the recent (June 11th) patch for fixing multi-wan sticky connections and there is another patch to merge, but there is more testing to do first.
So it should be fixed before too long, and if you roll back to a snap before June 11th you should be OK for now.
I'll wait for 1 more update. If it doesn't get fixed, I'll roll back. Thx all for the answers.
@jimp: Yes, I know. I've tryed it now just to see if it was already fixed. ;)
-
Thanks for the info - I have been on Jun 11 17:41:59 EDT 2009 as a workaround.
small matter: the updater informs the latest version as "Sun Jun 14 05:33:50 EDT 2009" yet it is in fact a build from 00:15:xx or so. Why the mismatch in the version file?
-
Thanks for the info - I have been on Jun 11 17:41:59 EDT 2009 as a workaround.
small matter: the updater informs the latest version as "Sun Jun 14 05:33:50 EDT 2009" yet it is in fact a build from 00:15:xx or so. Why the mismatch in the version file?
Probably a mismatch of time zones, GMT vs. local time.
-
Ah yes, of course. Devs might fix that, though it is trivial.
-
I was having the problem with states during the week.
I've updated to:
1.2.3-RC2
built on Sun Jun 14 18:15:10 EDT 2009and it looks like it's fixed now.
-
I was having the problem with states during the week.
I've updated to:
1.2.3-RC2
built on Sun Jun 14 18:15:10 EDT 2009and it looks like it's fixed now.
With the latest snap my test box also appears to be normal. I haven't reflashed my embedded box yet, the new snap just appeared for that a couple minutes ago.
-
Just updated. I'll post the results asap.
-
The problem seems gone. I have now 98 states. Thx for fixing it. ;)
-
My states are also back to normal on my embedded box.
Thank ermal for fixing it, he's the one who put the patch in that corrected it :)
