    Netgate Discussion Forum
    kernel: [zone: pf frag entries] PF frag entries limit reached (maximum fragment entries exceeded)

    General pfSense Questions
      erzkristall23:

      I'm occasionally getting this error when the network activity is high. It interrupts WAN for about a minute when it occurs.

      kernel: [zone: pf frag entries] PF frag entries limit reached
      

      The docs claim I need to increase the Firewall Maximum Fragment Entries.

      https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-maximum-fragment-entries

      I increased this from 5000 to 60000, but it still occasionally occurs.

      What is the best way of monitoring for these kinds of relatively rare events (perhaps 2-3 times a month)?

      Specs:

      Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz
      4 CPUs: 1 package(s) x 2 core(s) x 2 hardware threads
      AES-NI CPU Crypto: Yes (active)
      8 GB RAM
      2.5.1-RELEASE (amd64)
      Intel I350-T2
      

        KOM @erzkristall23:

        @erzkristall23 I don't have a specific answer to your problem but JimP posted this a few years ago:

        *Ideally you should be locating the cause of the high fragmentation and fixing that, rather than upping the limit.

        For example, if you are sending far too many "too large" packets via IPsec then it will easily spill over, but if you set up MSS clamping for the IPsec VPN to help reduce the packet size of VPN traffic, things will be much better off.*


          erzkristall23 @KOM:

          @kom Thanks for this information, but how can I best monitor fragmented traffic and figure out the causes of it? It seems to be very rare bursts because most of the time the fragment counter in pfinfo does not increase.


            KOM @erzkristall23:

            @erzkristall23 I don't know. I've never run into this situation before. As for rare bursts, I'm wondering if it's that or if it's somehow accumulating these over time. Perhaps taking a trace from WAN every now and then and checking it in Wireshark might show some weirdness. You could read up on MTU, MSS and IP fragmentation to see if that might apply to your situation. Is there anything unusual about your configuration? Multi-WAN? Any IDS/IPS?


              dotdash:

              I suspect this is a regression. I'm seeing this error on a system I upgraded to 2.5.1. Never saw the error on previous versions, and it's a small network. The error is sometimes logged at times when there is nearly no traffic (3 am, 11 pm, etc.).


                erzkristall23 @KOM:

                @KOM The configuration has grown more complex recently (several VLANs), but the kernel error has occurred before that even with a very basic configuration. There are some unusual devices on the network, e.g. two internal pairs of DSL modems for bridging two long distances, and some dubious switches, but so far, I could not correlate activity via these connections with the outages. I am sometimes connected via OpenVPN, but I could also not perceive a clear correlation with activity on that connection and outages.

                @dotdash For me it only occurs during rush hours, and I experienced it even on 2.5.0.

                I am now going to make tcpdump log the sender and receiver IP addresses of fragmented packets. Maybe that will give me some hints.

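The monitoring approach the thread converges on (watch the pf fragment counter, and capture fragmented packets on WAN to see who is sending them) can be scripted for the FreeBSD shell on a pfSense box. The script below is an added example and is not code from the thread, from Netgate or from pfSense. It assumes the WAN interface name, poll interval, capture length and output directory shown as defaults (all placeholders to adjust), that `pfctl -si` prints a `fragment` line in its Counters section, that `tcpdump` and `timeout(1)` from FreeBSD base are present, and that it runs as root. The `tcpdump` sample embedded for the dry run is constructed, not a real capture. The BPF filter `ip[6:2] & 0x3fff != 0` matches any IPv4 packet whose fragment offset is non-zero or whose MF (more fragments) bit is set, i.e. every fragment including the first one.

```shell
#!/bin/sh
# Added example (not from the thread): poll pf's "fragment" counter and, when it
# rises between polls, capture fragmented IPv4 packets on the WAN for a short
# window, then summarise the source -> destination pairs behind the burst.
# Assumed defaults below are placeholders for your own environment.

WAN_IF="${WAN_IF:-igb0}"               # assumption: your WAN interface name
POLL_SECS="${POLL_SECS:-10}"           # how often to read the counter
CAPTURE_SECS="${CAPTURE_SECS:-30}"     # how long to capture after a jump
OUTDIR="${OUTDIR:-/var/log/fragwatch}" # assumption: where to write results

# BPF filter for any IPv4 fragment: fragment offset != 0 or MF flag set
# (the low 14 bits of the 16-bit field at IPv4 header offset 6).
FRAG_FILTER='ip[6:2] & 0x3fff != 0'

# Read `pfctl -si` output on stdin and print the value of the "fragment" counter.
frag_counter() {
    awk '$1 == "fragment" { print $2; exit }'
}

# Read `tcpdump -nn` lines on stdin and print "count src > dst", most frequent
# first. Port suffixes are stripped so all fragments of one flow collapse onto a
# single host pair (non-first fragments carry no port numbers anyway).
summarise_frags() {
    awk '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            n = split(src, a, "."); if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]
            n = split(dst, b, "."); if (n == 5) dst = b[1] "." b[2] "." b[3] "." b[4]
            pair[src " > " dst]++
        }
        END { for (p in pair) print pair[p], p }
    ' | sort -rn
}

# Poll loop: compare the counter between polls; on an increase, capture fragments
# on WAN for CAPTURE_SECS and append a per-pair summary to the event log.
watch_frags() {
    mkdir -p "$OUTDIR"
    prev=$(pfctl -si | frag_counter)
    while :; do
        sleep "$POLL_SECS"
        cur=$(pfctl -si | frag_counter)
        if [ "$cur" -gt "$prev" ]; then
            stamp=$(date +%Y%m%d-%H%M%S)
            echo "$stamp fragment counter $prev -> $cur, capturing ${CAPTURE_SECS}s on $WAN_IF" >> "$OUTDIR/events.log"
            timeout "$CAPTURE_SECS" tcpdump -nn -i "$WAN_IF" "$FRAG_FILTER" > "$OUTDIR/frags-$stamp.txt" 2>/dev/null
            summarise_frags < "$OUTDIR/frags-$stamp.txt" | head -n 20 >> "$OUTDIR/events.log"
        fi
        prev=$cur
    done
}

# Constructed sample of `tcpdump -nn` output (not a real capture) for a dry run:
# an IPsec NAT-T flow split into three fragments and a ping split into two.
SAMPLE_DUMP='10:00:00.000001 IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x00000001,seq=0x1), length 1472
10:00:00.000002 IP 203.0.113.5 > 198.51.100.7: ip-proto-17
10:00:00.000003 IP 203.0.113.5 > 198.51.100.7: ip-proto-17
10:00:00.000004 IP 192.0.2.9 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 1480
10:00:00.000005 IP 192.0.2.9 > 198.51.100.7: ip-proto-1'

demo() { printf '%s\n' "$SAMPLE_DUMP" | summarise_frags; }

# `fragwatch.sh run` starts the live poll loop; anything else prints the dry run.
case "${1:-demo}" in
    run) watch_frags ;;
    *)   demo ;;
esac
```

Run it as `sh fragwatch.sh run` from a shell on the firewall (or under a cron entry) and check `$OUTDIR/events.log` after the next outage; the top pairs in each summary are the hosts worth looking at for MTU/MSS problems, as in the IPsec MSS clamping case quoted above. Counter-polling catches short bursts that a manual glance at pfinfo misses, but a poll interval of 10 s still leaves a small window before the capture starts, so shorten `POLL_SECS` if bursts are very brief.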