All tcp connections drop after 30 seconds - route based rules

  • I am using pfsense 1.2.2 as a virtual machine firewall to create a dmz in a box to protect my database server from my lan. My wan interface is set up as and my lan interface, which is the dmz, is set up as  I have the firewall configured as a route based firewall and I am not using nat.

    Everything is working properly except all tcp connections from the wan to the lan drop after about 30 seconds. Ping however continues to work, which eliminates an issue with the vmware vswitches (according to vmware). When I look at the state in the firewall it shows the connection from the wan device to the lan device and from the lan device back to the wan device as established. I found the post below which seems to be a very similar problem, however I do not have the skills to debug the firewall programming. Also, in the post below they indicate the state is dropping, however my state indicates it's established.,18001.msg92807.html#msg92807

  • After further testing, it appears the cause is the physical juniper firewall that is routing the subnet traffic to the pfsense interface, which then routes the traffic to subnet. The physical juniper firewall is logging the route based traffic, but does not see any bytes being received so it kills the session. I will update this again with my lessons learned from the physical firewall.

  • According to my physical firewall vendor, juniper, the issue is acknowledgement packets are not being sent back from the virtual server located in the pfsense lan. vmware refers to this setup as a dmz in a box. If anyone has any thoughts on why ack packets are not being sent back that would be great!

    Here is a rundown on my setup.

    physical firewall juniper ns25
    trust / lan subnet
    physical lan interface
    static route to GW
    physical laptop =

    virtual firewall pfsense 1.2.2 wan lan
    wan interface = (vswitch1-lan)
    lan interface  = (vswitch2-dmz)
    virtual db server = (vswitch2-dmz)

    vswitch2-dmz can continuously ping and vice versa
    Any tcp connections from to get cut off after about 20 seconds. So for example you can telnet from to, log in to the server and run commands successfully until the physical firewall kills the session after not receiving an ack.

    juniper confirmed this was the issue by turning off seq and syn checks. After turning these off everything works correctly, however juniper strongly warned me this was not safe to leave as is.

  • I must be misunderstanding something.  If acks are not being sent back, how can TCP possibly work?

  • A lot of this is new to me so I am trying to figure this out as I go, so it seems on the netscreen I have asymmetric routing, so a session is created on the netscreen firewall when the traffic is routed to the subnet. For some reason the netscreen is not recognizing traffic coming back from as being associated with the traffic being initiated from  So the incoming packets which do not match a current session must have the SYN bit set but I don't think the SYN bit is checked? So basically after 20 seconds the netscreen decides the traffic is a potential threat and it kills the session / drops the packets.

    I found this link which is similar to my issue but not identical.;jsessionid=812CA71E78EE7FE7199DFA5068FC509A


  • Well, this is not good. Asymmetric routing like this is really a bad idea. Why does it need to be that way?

  • So the more I read about Asymmetric Routing, which is very common in larger networks, I don't think it applies to my scenario in the textbook sense. I really don't have 2 paths for traffic to travel as in most examples of Asymmetric Routing, for example balancing two isp connections with 2 routers. The traffic only flows from the initiating device to to the route to to the server for some reason the traffic coming back from to to to to the initial device is not appearing to juniper as the same session when it flows through.

  • ASR is almost never used when there is some kind of state-tracking firewall between the two hosts. I am not sure of the packet flow, but I am guessing that what is happening is that input tcp packets are entering from a different interface than the one the routing table on the receiving host says to use for the return packets. Fixing this (somehow) would be a good idea.
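
The situation discussed in this thread, a state-tracking firewall that sees the client's packets but never the server's replies, modelled as an added example that is not part of any post above and is not ScreenOS or pfSense code. Assumptions: the 20-second timeout mirrors the "about 20 seconds" reported in the thread, the one-way visibility follows the guess in the last reply, and all class names, addresses and traces are constructed.

```python
# Added illustration: toy stateful-firewall session table, not ScreenOS or pfSense logic.
from dataclasses import dataclass

HANDSHAKE_TIMEOUT = 20  # assumed: seconds a session with no reply seen is kept

@dataclass
class Session:
    created: float
    reply_seen: bool = False

class StatefulFirewall:
    def __init__(self, syn_check=True):
        self.syn_check = syn_check
        self.sessions = {}  # (initiator, responder) -> Session

    def packet(self, t, src, dst, flags):
        """Return 'pass' or 'drop' for one TCP segment seen at time t."""
        # Age out sessions that never saw traffic from the responder.
        for key, s in list(self.sessions.items()):
            if not s.reply_seen and t - s.created > HANDSHAKE_TIMEOUT:
                del self.sessions[key]
        if (dst, src) in self.sessions:  # reply direction of a known session
            self.sessions[(dst, src)].reply_seen = True
            return "pass"
        if (src, dst) in self.sessions:
            return "pass"
        # No matching session: with SYN checking only a bare SYN may open one.
        if self.syn_check and flags != "S":
            return "drop"
        self.sessions[(src, dst)] = Session(created=t)
        return "pass"

def run(fw, trace):
    return [fw.packet(*pkt) for pkt in trace]

# Constructed traces (documentation addresses): (time_s, src, dst, tcp_flags)
C, S = "192.0.2.10", "198.51.100.20"
ONE_WAY = [(0, C, S, "S"), (1, C, S, "A"), (10, C, S, "PA"),
           (25, C, S, "PA"), (30, C, S, "PA")]   # replies bypass the firewall
BOTH_WAYS = [(0, C, S, "S"), (0.1, S, C, "SA"), (0.2, C, S, "A"),
             (25, C, S, "PA"), (25.1, S, C, "A")]

if __name__ == "__main__":
    print("one-way, SYN check on :", run(StatefulFirewall(True), ONE_WAY))
    print("one-way, SYN check off:", run(StatefulFirewall(False), ONE_WAY))
    print("both ways, SYN check on:", run(StatefulFirewall(True), BOTH_WAYS))
```

With SYN checking on, the one-way trace passes until the unanswered session ages out and then every mid-stream segment is dropped; with the check off the same segments keep opening new sessions, which is why traffic flows again but the firewall no longer validates that a connection began with a handshake.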