Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    TCP:SAE

    Scheduled Pinned Locked Moved Firewalling
    4 Posts 2 Posters 85 Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K Offline
      kojol
      last edited by

      Hello,

      i am running into TCP:SAE issus with my network and dont have any ideas how to proceed on it / ran out of ideas.

      Firewall log says:
      Default deny rule IPv4 (10000000103)
      source: ip:8009
      destination: ip:56473
      protocol: TCP:SAE

      appreciate some help or tips.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @kojol
        last edited by

        @kojol A syn,ack block points to asymmetrical traffic flow..

        S = SYN
        A = ACK
        E = ECE

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#asymmetric-routing

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        K 1 Reply Last reply Reply Quote 0
        • K Offline
          kojol @johnpoz
          last edited by

          thank your for replying to my post.

          "In asymmetric routing scenarios, there is an option in the firewall GUI which can be used to prevent legitimate traffic from being dropped"
          --> this is already in place

          alt text

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator @kojol
            last edited by

            @kojol Why would your traffic be asymmetrical.. That is your problem - fix the asymmetrical flow..

            So I take it your client is 10.3 and he is sending his syn to this 10.2 box on port 8009 - but that did not flow through pfsense, if it did pfsense would create a state and allow the return traffic (syn,ack).

            You have a masking problem, you have common L2?

            When you create segmentation in your network, traffic should flow through pfsense in both directions. If pfsense sees some syn,ack and it never saw the syn to open the state then yeah your traffic would be blocked.

            If your segments are properly isolated there should be no way possible for 10.3 to talk to your other segment at 10.2 without flowing through pfsense. And same goes for the return traffic.

            Do have a common L2 network, and a mismatch mask.. Where your client on 10.3 thinks 10.2 is on its network and just sends the traffic there directly. But your device on 10.2 thinks 10.3 is a different network so sends its reply (sa) to pfsense..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.