TCP connection problems.



  • Hello everybody,

    Here is a schema of the network solution we just put in production:

    INTERNET
                  |
                  |
              Router ---- Network A (10.X.0.0/8)
                  |
                  |
    Interconnection (192.168.224.65/28)
                  |
                  |
               CARP A
              /      \
             /        \
            /  pfSync  \
    PFSense 1 <---> PFSense 2
            \          /
             \        /
              \      /
               CARP B
                  |
                  |
       Network B (10.Y.0.0/8)

    My problem is that the firewall actually blocks a lot of packets with TCP flags P, PA, and some FA, R, RA.
    This is annoying because it breaks TCP sessions like LDAP, IMAP and SSH.

    After a search on "our friend" and the forum, I changed the firewall mode to conservative, but there are always PA packets blocked that break TCP sessions.
    I also found that it could be a problem of asymmetric routing, but I don't think it's the problem here.

    Does anyone have a clue?

    Information on the system:
    Version: 2.1-DEVELOPMENT (i386) (for IPv6 support)
    Build: built on Wed Aug 24 23:56:55 EDT 2011



  • Hi,

    try with another firewall state type:

    FIREWALL -> Rules -> Edit the rules for ldap, imap and ssh, then go to advanced features and set State Type = none



  • Hello,

    Thanks for your reply!

    I tried with a "state type" of none and only the TCP:S was authorized (every other state is blocked).
    By the way, I also tried the state type "sloppy" and the TCP:PA were blocked too… :(

    Do you have another suggestion?
    Can I give you more information to help you?

    Thanks in advance!



  • I am sorry.

    Not sure if the firewall state was pointing you in the right direction. I am not familiar with CARP and perhaps this is really a routing issue.

    Perhaps you could try without CARP and just use one pfSense box and test if you have the same problems as now.



    Trying without CARP will be hard to try, but I will as soon as I can.

    After deeper inspection, it seems that only idle TCP connections encounter this problem. For example, only SSH sessions without any traffic will be closed after a few minutes. That is the same thing for LDAP or IMAP connections.

    Is there something wrong with timeouts in pf?

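The thread describes the symptom (PA, FA, R and RA packets blocked while SYN packets pass) and the suspicion that idle connections lose their pf state. The following Python script is an added example, not code from the thread or from pfSense. It splits blocked TCP packets into "new-connection" (SYN without ACK, i.e. a rule simply denying the traffic) and "mid-stream" (data, FIN or RST packets with no state to match, which is what expired or lost states look like), groups the mid-stream blocks per flow so both directions of one session count together, and parses `pfctl -s timeouts` output to compare `tcp.established` against a known idle period. The log lines use a simplified constructed layout, not the real pfSense filterlog format, and the timeout values are constructed too; adapt `LINE_RE` to the actual log source before using it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of blocked packets in a simplified one-line layout
# (NOT the real pfSense/filterlog format):
#   "<action> <dir> on <iface>: <src>:<sport> > <dst>:<dport> TCP:<flags>"
SAMPLE_BLOCK_LOG = """\
block in on em0: 10.1.0.5:43210 > 10.2.0.9:22 TCP:PA
block in on em0: 10.1.0.5:43210 > 10.2.0.9:22 TCP:PA
block out on em1: 10.2.0.9:22 > 10.1.0.5:43210 TCP:PA
block in on em0: 10.1.0.7:51000 > 10.2.0.9:389 TCP:FA
block in on em0: 10.1.0.7:51000 > 10.2.0.9:389 TCP:R
block in on em0: 203.0.113.4:4444 > 10.2.0.9:23 TCP:S
block in on em0: 10.1.0.8:60000 > 10.2.0.9:143 TCP:RA
"""

# Constructed `pfctl -s timeouts` style output (name, value in seconds).
SAMPLE_TIMEOUTS = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
"""

LINE_RE = re.compile(
    r"^(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"TCP:(?P<flags>[A-Z]+)$"
)
TIMEOUT_RE = re.compile(r"^(?P<name>[\w.]+)\s+(?P<secs>\d+)s$")


def parse_line(line):
    """Return the fields of one constructed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(flags):
    """pf flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST.
    A bare SYN is a connection attempt hitting a deny rule; anything else
    blocked belongs to a session pf no longer (or never) had a state for."""
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "mid-stream"


def flow_key(rec):
    """Direction-independent key so client->server and server->client
    packets of one TCP session are counted together."""
    a = (rec["src"], int(rec["sport"]))
    b = (rec["dst"], int(rec["dport"]))
    return tuple(sorted([a, b]))


def analyze(log_text):
    """Count blocked packets per category/flag set and per mid-stream flow."""
    by_kind = {"new-connection": Counter(), "mid-stream": Counter()}
    flows = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        kind = classify(rec["flags"])
        by_kind[kind][rec["flags"]] += 1
        if kind == "mid-stream":
            flows[flow_key(rec)][rec["flags"]] += 1
    return by_kind, flows


def suspect_state_loss(flows):
    """Flows with mid-stream blocks, most affected first. Many such flows,
    spread over several services, point at state loss (timeouts, failover,
    asymmetric path) rather than at a rule denying one service."""
    return sorted(flows, key=lambda k: sum(flows[k].values()), reverse=True)


def parse_timeouts(text):
    """Parse `pfctl -s timeouts` style lines into {name: seconds}."""
    out = {}
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line.strip())
        if m:
            out[m.group("name")] = int(m.group("secs"))
    return out


def state_outlives_idle(timeouts, idle_seconds):
    """True if an established state survives a connection idle for idle_seconds.
    If this is False for your observed idle period, the firewall itself
    explains the drops; if True, look elsewhere (failover, routing)."""
    return timeouts.get("tcp.established", 0) > idle_seconds


if __name__ == "__main__":
    by_kind, flows = analyze(SAMPLE_BLOCK_LOG)
    print("blocked by category:", {k: dict(v) for k, v in by_kind.items()})
    for key in suspect_state_loss(flows):
        print("mid-stream blocks on flow", key, dict(flows[key]))
    t = parse_timeouts(SAMPLE_TIMEOUTS)
    print("tcp.established =", t["tcp.established"], "s; survives 10 min idle:",
          state_outlives_idle(t, 600))
```

On a real box the block log would come from `tcpdump -n -e -ttt -i pflog0` or the pfSense filter log, whose field layout differs from the constructed lines above, so `LINE_RE` is the one part to rewrite; the classification and grouping logic stays the same. A large share of mid-stream blocks across different services, as in the thread, is the pattern to compare against the `tcp.established` value and against any CARP failover or routing change that would discard or bypass the state table.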