Netgate Discussion Forum

    FIN_WAIT_2:ESTABLISHED and ESTABLISHED:FIN_WAIT_2

    Firewalling
    bellera

      Hello!

      I've been using pfSense for 4 years. I have had problems with states only 3 times. The first was caused by P2P traffic, the second by a Trojan (on one workstation) and the last (now) by a strange problem with TCP sessions.

      #uname -a
      FreeBSD myfirewall 7.2-RELEASE-p5 FreeBSD 7.2-RELEASE-p5 #0: Mon Dec  7 23:21:27 EST 2009     sullrich@FreeBSD_7.2_pfSense_1.2.3_snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_wrap.7.i386  i386
      

      For my squid proxy server (on a separate box from pfSense) pftop shows many FIN_WAIT_2 states like:

      PR        DIR SRC                      DEST                              STATE                AGE       EXP     PKTS    BYTES
      tcp       In  192.168.XXX.YYY:60011      AAA.BBB.CCC.DDD:443       ESTABLISHED:FIN_WAIT_2   24:54:49  00:12:43      564   211421
      tcp       Out 192.168.XXX.YYY:60011      AAA.BBB.CCC.DDD:443        FIN_WAIT_2:ESTABLISHED  24:54:49  00:12:43      564   211421
      

      The problem also appears with our webserver box:

      PR        DIR SRC                      DEST                              STATE                AGE       EXP     PKTS    BYTES
      tcp       In  AAA.BBB.CCC.DDD:1546          192.168.XXX.YYY:80          FIN_WAIT_2:ESTABLISHED  00:35:59  00:12:24       30     5132
      tcp       Out AAA.BBB.CCC.DDD:1546          192.168.XXX.YYY:80         ESTABLISHED:FIN_WAIT_2   00:35:59  00:12:24       18     2864
      

      In both cases the states can last more than 24 hours (tcp.established, 86400 s) because sometimes the closing communication has one packet and the 15 min (900 s) tcp.closing counter restarts.

      #pfctl -s timeouts
      tcp.first                   120s
      tcp.opening                  30s
      tcp.established           86400s
      tcp.closing                 900s
      tcp.finwait                  45s
      tcp.closed                   90s
      tcp.tsdiff                   30s
      udp.first                    60s
      udp.single                   30s
      udp.multiple                 60s
      icmp.first                   20s
      icmp.error                   10s
      other.first                  60s
      other.single                 30s
      other.multiple               60s
      frag                         30s
      interval                     10s
      adaptive.start             6000 states
      adaptive.end              12000 states
      src.track                     0s
      

      If the TCP connection is in FIN_WAIT_2, FreeBSD may send out ACKs periodically, trying to nudge the other side to send a FIN to finish closing the connection.

      http://lists.freebsd.org/pipermail/freebsd-questions/2005-March/081607.html

      I managed to minimize the problem with:

      half_closed_clients off
      at the squid proxy server
      http://www.squid-cache.org/Doc/config/half_closed_clients/
      http://squid-web-proxy-cache.1019090.n4.nabble.com/half-closed-clients-Policy-Change-td1049520.html

      Disabling the SIP Firewall function on the DPC3825 Cisco router
      (the WAN is connected to this model of router).
      http://www.cisco.com/web/consumer/support/modem_DPC3825.html
      I don't understand why, but disabling it I have fewer problems.

      pfSense is running with normal Firewall Optimization Options.

      Our squid and webserver are also FreeBSD systems.

      Any idea?

      Thanks in advance,

      Josep Pujadas

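The post's diagnosis, that a state in ESTABLISHED:FIN_WAIT_2 is governed by the 900 s tcp.closing timeout and that every stray ACK refreshes that timer, can be turned into a small triage script. The following is an added example by the editor, not code from the post or from pfSense: it parses pftop-style state lines, maps each src:dst state pair to the pf timeout class that should expire it, flags states whose AGE is far beyond that timeout, and models the timer refresh to show why a periodic ACK keeps a 900 s state alive for a day. The timeout selection order in `timeout_class` is the editor's reconstruction of the rule in pf's TCP state tracker (pf.c) and is marked as an assumption; the addresses in `SAMPLE` are constructed RFC 5737 values laid out like the post's pftop output, and the `factor=2` threshold is a chosen triage knob, not a pf setting.

```python
"""Triage half-closed TCP states in pftop output (added example, not from the post)."""
import re

# Values from the post's `pfctl -s timeouts` output (seconds).
TIMEOUTS = {
    "tcp.opening": 30,
    "tcp.established": 86400,
    "tcp.closing": 900,
    "tcp.finwait": 45,
    "tcp.closed": 90,
}

# Ordering of TCP states as pf's tracker compares them.
# ASSUMPTION: follows the TCPS_* numbering of the BSD TCP stack.
TCPS = {
    "CLOSED": 0, "LISTEN": 1, "SYN_SENT": 2, "SYN_RECEIVED": 3,
    "ESTABLISHED": 4, "CLOSE_WAIT": 5, "FIN_WAIT_1": 6, "CLOSING": 7,
    "LAST_ACK": 8, "FIN_WAIT_2": 9, "TIME_WAIT": 10,
}

def timeout_class(src_state, dst_state):
    """Pick the pf timeout governing a src:dst state pair.
    ASSUMPTION: reconstructs the selection order of pf's TCP state tracker;
    ESTABLISHED:FIN_WAIT_2 lands on tcp.closing, matching the ~12 min EXP in the post."""
    s, d = TCPS[src_state], TCPS[dst_state]
    if s >= TCPS["FIN_WAIT_2"] and d >= TCPS["FIN_WAIT_2"]:
        return "tcp.closed"
    if s >= TCPS["CLOSING"] and d >= TCPS["CLOSING"]:
        return "tcp.finwait"
    if s < TCPS["ESTABLISHED"] or d < TCPS["ESTABLISHED"]:
        return "tcp.opening"
    if s >= TCPS["CLOSING"] or d >= TCPS["CLOSING"]:
        return "tcp.closing"
    return "tcp.established"

# One pftop state line: PR DIR SRC DEST STATE AGE EXP PKTS BYTES.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<dir>In|Out)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<src_state>[A-Z_0-9]+):(?P<dst_state>[A-Z_0-9]+)\s+"
    r"(?P<age>\d+:\d\d:\d\d)\s+(?P<exp>\d+:\d\d:\d\d)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$"
)

def hms_to_seconds(text):
    """Convert pftop's H:MM:SS (hours may exceed 24) to seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_pftop(text):
    """Return one dict per state line; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["age_s"] = hms_to_seconds(row["age"])
            row["class"] = timeout_class(row["src_state"], row["dst_state"])
            rows.append(row)
    return rows

def stuck_states(text, factor=2):
    """Return (src, dst, state pair, class, age_s) for states whose age exceeds
    `factor` times the timeout that should have expired them.
    `factor` is a chosen triage threshold, not a pf parameter."""
    found = []
    for row in parse_pftop(text):
        if row["age_s"] > factor * TIMEOUTS[row["class"]]:
            found.append((row["src"], row["dst"],
                          f'{row["src_state"]}:{row["dst_state"]}',
                          row["class"], row["age_s"]))
    return found

def state_alive_after(timeout, packet_interval, horizon):
    """Model pf's expiry refresh: every matching packet sets expire = now + timeout.
    Returns True if the state still exists at `horizon` seconds."""
    expire, now = timeout, 0
    while now + packet_interval <= horizon:
        now += packet_interval
        if now > expire:
            return False        # the state expired before this packet arrived
        expire = now + timeout  # the packet refreshed the timer
    return horizon <= expire

# Constructed sample in pftop's layout (RFC 5737 addresses, not the post's hosts).
SAMPLE = """\
PR        DIR SRC                  DEST                 STATE                    AGE       EXP     PKTS    BYTES
tcp       In  192.0.2.10:60011     198.51.100.7:443     ESTABLISHED:FIN_WAIT_2   24:54:49  00:12:43      564   211421
tcp       Out 192.0.2.10:60011     198.51.100.7:443     FIN_WAIT_2:ESTABLISHED   24:54:49  00:12:43      564   211421
tcp       In  198.51.100.7:1546    192.0.2.80:80        FIN_WAIT_2:ESTABLISHED   00:35:59  00:12:24       30     5132
tcp       In  192.0.2.11:51000     198.51.100.9:443     ESTABLISHED:ESTABLISHED  01:02:03  23:50:00      120    45000
"""

if __name__ == "__main__":
    for entry in stuck_states(SAMPLE):
        print("stuck:", *entry)
    # An ACK every 600 s keeps a 900 s tcp.closing state alive for a day; one every 1200 s does not.
    print(state_alive_after(900, 600, 86400), state_alive_after(900, 1200, 86400))
```

Running it against the sample flags the three half-closed rows (the fully established row is well inside its 86400 s budget) and shows that the state survives indefinitely as long as the FIN_WAIT_2 peer's periodic ACKs arrive more often than tcp.closing; the model is what makes the post's `half_closed_clients off` mitigation make sense, since removing the half-closed client removes the packets that keep refreshing the timer.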
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.