Netgate Discussion Forum

    TCP connections being closed with no traffic

      stbellcom

      We are having issues with a site that is running a 6100 with Dual WAN intermittently unable to access webpages.

      As an example, running curl to acb.netgate.com we will get:

      [23.05-RELEASE][admin@NETG.home.arpa]/root: curl https://acb.netgate.com
      curl: (7) Failed to connect to acb.netgate.com port 443 after 7 ms: Couldn't connect to server
      

      TCP capture at the time will print the following:

      11:21:23.571651 IP 100.67.70.132.19567 > 208.123.73.212.https: Flags [S], seq 4028739374, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 3134883270 ecr 0], length 0
      

      We can try again and it will work, then block again at random. Also, it doesn't matter which site; it's affecting any site.

      What we have tried is disabling the Dual WAN to a single connection and removing load balancing, and the problem continues. We have also simplified the firewall rules to the base, and checking the logs shows the packet left the Netgate without an issue.

      Does anyone have suggestions as to what could be going wrong, or a suggestion to test if it's the Netgate blocking the request or something further upstream?

      Thanks

        viragomann @stbellcom

        @stbellcom said in TCP connections being closed with no traffic:

        As an example, running curl to acb.netgate.com we will get:

        [23.05-RELEASE][admin@NETG.home.arpa]/root: curl https://acb.netgate.com
        curl: (7) Failed to connect to acb.netgate.com port 443 after 7 ms: Couldn't connect to server

        Is this from pfSense itself or from a device behind it?

        Is this pfSense in an HA setup?

        Are you running squid?

        State public IPs for the gateway monitoring and then check the gateway log to see if there are dropouts.

          stephenw10 Netgate Administrator

          That's a TCP connection failing to open. There is no reply traffic at all if you only see the single TCP:SYN packet in a pcap.

          Do existing connections also get dropped or is it just new connections that fail?

            stbellcom @viragomann

            @viragomann

            The tests above were done from the pfSense.

            We aren't running in HA configuration.

            Squid is not installed.

            Monitoring IPs for the gateways are currently 1.1.1.1 & 8.8.8.8, and there are no logs that the gateways have dropped out.

            When this is happening you can still trace out of each PPPoE interface without an issue.

              stbellcom @stephenw10

              @stephenw10

              Existing connections stay active; it's just new connections that fail. After a few retries you might get a connection.

                stephenw10 Netgate Administrator @stbellcom

                @stbellcom said in TCP connections being closed with no traffic:

                11:21:23.571651 IP 100.67.70.132.19567 > 208.123.73.212

                Is that the real IP? You're behind CGN?

                Perhaps there is a state limit upstream you're hitting? Check the number of states when it fails. Or look at the states in the Monitoring graphs; is it hitting some limit?

                Steve

                  stbellcom @stephenw10

                  @stephenw10

                  We are behind CGN which I suspect could be causing all sorts of issues. Will be contacting the ISP today to get the connections off it.

                    stbellcom @stbellcom

                    Getting off CGNAT solved the issue, connection is solid now.
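
As an added illustration of the diagnosis reached in this thread (not code from any poster or from Netgate): a Python script that reads `tcpdump` text output, lists SYNs that never got a SYN-ACK or RST back, and flags sources inside 100.64.0.0/10, the RFC 6598 shared address space used for carrier-grade NAT. The function names are hypothetical, and only the first sample line comes from the thread; the other three are constructed.

```python
import ipaddress
import re

CGN_NET = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (CGN)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]")

# First line is the capture quoted in the thread; the other three are constructed
# to show a handshake that does complete.
SAMPLE = """\
11:21:23.571651 IP 100.67.70.132.19567 > 208.123.73.212.https: Flags [S], seq 4028739374, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 3134883270 ecr 0], length 0
11:21:25.100000 IP 100.67.70.132.40112 > 208.123.73.212.https: Flags [S], seq 1000, win 65228, length 0
11:21:25.112000 IP 208.123.73.212.https > 100.67.70.132.40112: Flags [S.], seq 2000, ack 1001, win 65160, length 0
11:21:25.112100 IP 100.67.70.132.40112 > 208.123.73.212.https: Flags [.], ack 2001, win 510, length 0
""".splitlines()

def split_endpoint(endpoint):
    """'100.67.70.132.19567' -> ('100.67.70.132', '19567'); port may be a name."""
    host, port = endpoint.rsplit(".", 1)
    return host, port

def in_cgn(host):
    """True if host is an address inside 100.64.0.0/10; False for names."""
    try:
        return ipaddress.ip_address(host) in CGN_NET
    except ValueError:
        return False

def unanswered_syns(lines):
    """Return one record per SYN that never saw a SYN-ACK or RST come back."""
    pending = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst = split_endpoint(m["src"]), split_endpoint(m["dst"])
        if m["flags"] == "S":
            pending.setdefault((src, dst), m["ts"])  # first SYN; skip retransmits
        elif m["flags"] in ("S.", "R", "R."):
            pending.pop((dst, src), None)  # reply travels in the reverse direction
    return [{"ts": ts, "src": src[0], "dst": f"{dst[0]}:{dst[1]}",
             "src_in_cgn_range": in_cgn(src[0])}
            for (src, dst), ts in pending.items()]

if __name__ == "__main__":
    for rec in unanswered_syns(SAMPLE):
        print(rec)
```

An unanswered SYN whose source is the WAN address and falls in the CGN range, as here, shows only that the packet left the firewall and that another NAT layer sits upstream; it does not by itself prove where the packet was dropped.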