TCP:FA, TCP:FPA blocked is it Asymetric Routing?
-
I see those "deny's" when ie. my laptop has been in sleep for a period.
My guess is that the laptop ie. has a tcp connection to my e-mail server , goes to sleep , and then wakes up and try to resume (continue) the "old" tcp connection.
But the firewall state has "timed out" , making the "old tcp" connection invalid.
And the firewall "barfs" loudly ....The laptop eventually just makes a new (valid) tcp connection.
I have no asymmetric routing possibilities in my internal pfSense lan connections. Well as long as i don't use WiFi and cabled network at the same time on the laptop.
/Bingo
-
Thanks for the reply. I would expect the stale states from hosts that went to sleep, etc., but in my case, the hosts are all 24x7.
It just seems odd to generate so many "deny" logs... they just add noise to the value of the logs.
Is there a way to determine exactly what is happening? ie. I'm guessing it's state problem, but how do I know if I'm right?
Thanks again!
-
@msmcknight said in TCP:FA, TCP:FPA blocked is it Asymetric Routing?:
but how do I know if I'm right?
Are you states resetting - I think they are set to do that on loss of wan out of the box, etc.
-
How can I tell if they are resetting? They don't have timestamps to compare to from one sample to another.
There has been no loss of WAN in this lab. Is the "loss-of'wan-reset" an option somewhere in the admin gui?
Thanks!
-
This is an Android TV Box (24/7 on time). That the wife uses in the summerhouse kitchen , connected to a 23" HDMI TouchScreen ... A "Giant Tablet" for recipes.
It loves to babble "Home to Google" , and is sometimes slower than the state timeout (or just silent). I have no worries ...
Except it's an old Android version .. Would love to update , but i have been bitten by "Stock boxes" not having the "touch driver" that recognize the Monitors USB touch interface. And wo. touch-if the Wife is not happy.
Well i confined it to the Phone Vlan , that is super restricted in the access to other vlans.
Would have loved to replace it with a Linux Box , but Linux & Touch .... sucks a lot.
/Bingo
-
@msmcknight said in TCP:FA, TCP:FPA blocked is it Asymetric Routing?:
How can I tell if they are resetting?
you should see an entry in the log.. Do you see any log entries for wan issues about response time for your monitor, action being taken, etc. Do you have them set to reset on wan issue?
-
I don't have "State Killing" turned on. It looks like the default is "off" and I've never messed with it. I also don't see any log messages related to gateway loss.
One interesting thing I just noticed is that the blocked packets happen "on-the-clock"...
They are happening exactly at the top of the hour. Sometimes it's every hour, sometimes it's every two hours, but in every case it's at the top of the hour.
That seems a bit programmatic to me. Is there a setting somewhere that tells the firewall to do something every 60 minutes with respect to states?
-
@msmcknight said in TCP:FA, TCP:FPA blocked is it Asymetric Routing?:
every 60 minutes with respect to states?
not unless you have created a schedule to do that.
https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html#time-based-rules
By default, states are cleared for active connections permitted by a scheduled rule when the schedule expires. This shuts down access for anyone allowed by the rule while it was active. To allow these connections to remain open, check Do not kill connections when schedule expires under System > Advanced on the Miscellaneous tab.
-
No, I've not done anything like that. This is a fresh install with minimal setup.
I'm guessing that it has to do with states since the logs showing the blocked attempts seem to match those of a stale state, but happen like clock work. For example:
(Apologizes for the picture. The forum kept marking my log entries as spam and wouldn't let me post this reply with them)
Again, I'm only guessing these are state-related given the other messages in the forums showing similar logs and complaints. I wouldn't be so worried about them if they weren't cluttering up the logs with so much noise.
Thank you
-
Friendly bump here... anyone have any idea as to what would lead to the odd on-the-hour occurrence of these log entries?
Thank you
