kernel: [zone: pf frag entries] PF frag entries limit reached (maximum fragment entries exceeded)
-
I'm occasionally getting this error when the network activity is high. It interrupts WAN for about a minute when it occurs.
kernel: [zone: pf frag entries] PF frag entries limit reachedThe docs claim I need to increase the Firewall Maximum Fragment Entries.
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-maximum-fragment-entries
I increased this from 5000 to 60000, but it still occasionally occurs.
What is the best way of monitoring for these kinds of relatively rare events (perhaps 2-3 times a month)?
Specs:
Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz 4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads AES-NI CPU Crypto: Yes (active) 8 GB RAM 2.5.1-RELEASE (amd64) Intel I350-T2 -
@erzkristall23 I don't have a specific answer to your problem but JimP posted this a few years ago:
*Ideally you should be located the cause of the high fragmentation and fixing that, rather than upping the limit.
For example if you are sending far too many "too large" packets via IPsec then it will easily spill over, but if you setup MSS clamping for the IPsec VPN to help reduce the packet size of VPN traffic, things will be much better off.*
-
@kom Thanks for this information, but how can I best monitor fragmented traffic and figure out the causes of it? It seems to be very rare bursts because most of the time the fragment counter in pfinfo does not increase.
-
@erzkristall23 I don't know. I've never run into this situation before. As for rare bursts, I'm wondering if it's that or if it's somehow accumulating these over time. Perhaps taking a trace from WAN every now and then and checking it in Wireshark might show some weirdness.You could read up on MTU, MSS and IP fragmentation to see if that might apply to your situation. Is there anything unusual about your configuration? Multi-WAN? Any IDS/IPS?
-
I suspect this is a regression. I'm seeing this error on a system I upgraded to 2.5.1. Never saw the error on previous versions, and it's a small network. The error is sometimes logged at times when there is nearly no traffic (3 am, 11pm etc)
-
@KOM The configuration has has grown more complex recently (several VLANs), but the kernel error has occurred before that even with a very basic configuration. There are some unusual devices on the network, e.g. two internal pairs of DSL modems for bridging two long distances, and some dubious switches, but so far, I could not correlate activity via these connections with the outages. I am sometimes connected via OpenVPN, but I could also not perceive a clear correlation with activity on that connection and outages.
@dotdash For me it only occurs during rush hours, and I experienced it even on 2.5.0.
I am now going to make tcpdump log the sender and receiver IP addresses of fragmented packages. Maybe that will give me some hints.
