pfSense (2.0.3) intercepting packets meant for other devices



  • Hi there.

    I have a Cisco ASA and pfSense running in parallel mode (still), ASA serving some IPs, pfSense the other (I am in process of migrating as much as I can from ASA to pfSense).

    I am doing a telnet to port 80 from xxx.xxx.xxx.139 to yyy.yyy.yyy.190 that should be served by ASA, but the packet seems to never reach the ASA and gets intercepted by pfSense. This is the pfSense log entry:

    Sep  8 14:03:08 10.0.0.1 pf:    xxx.xxx.xxx.139.53828 > yyy.yyy.yyy.190.80: Flags [ S ], cksum 0x8ab3 (correct), seq 694278188, win 5840, options [mss 1460,sackOK,TS val 4001651424 ecr 0,nop,wscale 2], length 0

    In ASA syslog and monitor, I see no trace of any packet. I've checked the pfSense configuration several times, dumped the conf file and searched it through - no mention of yyy.yyy.yyy.190. I do have some virtual IPs defined, for example yyy.yyy.yyy.185/32, but that should have nothing referring to the subnet. Also checked NAT, Firewall, Interface IPs…

    The configuration was running for months without problems, today I had an unsuccessful attempt of migrating some IPs and I rolled back to the backups of ASA, pfSense and my VLAN switch. I've emptied the ARP tables in pfSense, rebooted all the devices and server... nothing helped. Any idea what my problem might be?

    As far as I understand, there should be no record of packets to yyy.yyy.yyy.190/32, am I right? I want the ASA to serve the packet.

    TIA
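    The question above boils down to "is pfSense seeing traffic for addresses it is not supposed to serve?". The script below is an added example, not something from the original post or from the pfSense project: it parses pf log lines in the tcpdump-style format shown above and reports every destination address that is not on a list of addresses pfSense is expected to own (its interface IPs plus its /32 virtual IPs). The sample log lines and the address list are constructed for the example, with RFC 5737 documentation addresses standing in for the redacted xxx/yyy ranges; substitute the real list from the pfSense config and feed it the real log (e.g. `clog /var/log/filter.log` on pfSense 2.0.x) to see which stray destinations and ports keep turning up.

```shell
#!/bin/sh
# Constructed sample of pfSense 2.0.x pf log lines (same layout as the entry on the page).
# 198.51.100.190 plays the role of the ASA-served address yyy.yyy.yyy.190.
SAMPLE_LOG='Sep  8 14:03:08 10.0.0.1 pf:    192.0.2.139.53828 > 198.51.100.190.80: Flags [S], cksum 0x8ab3 (correct), seq 694278188, win 5840, options [mss 1460,sackOK,TS val 4001651424 ecr 0,nop,wscale 2], length 0
Sep  8 14:03:09 10.0.0.1 pf:    192.0.2.139.53829 > 198.51.100.185.443: Flags [S], cksum 0x1a2b (correct), seq 1, win 5840, options [mss 1460], length 0
Sep  8 14:03:10 10.0.0.1 pf:    192.0.2.140.40000 > 198.51.100.190.22: Flags [S], cksum 0x3c4d (correct), seq 2, win 5840, options [mss 1460], length 0'

# Hypothetical list of addresses this pfSense box is supposed to answer for:
# its own interface address and its /32 virtual IPs (space separated).
PFSENSE_ADDRS='198.51.100.185 198.51.100.186'

# stray_destinations LOGTEXT ADDRLIST
# Prints "dst_ip dst_port count" for every destination in LOGTEXT whose address
# is not in ADDRLIST, i.e. traffic pfSense logged but should not be serving.
stray_destinations() {
    printf '%s\n' "$1" | awk -v addrs="$2" '
    BEGIN {
        # Build a lookup table of the addresses pfSense legitimately owns.
        n = split(addrs, a)
        for (i = 1; i <= n; i++) served[a[i]] = 1
    }
    / pf: / {
        # The destination is the field after ">" and looks like "ip.port:".
        d = ""
        for (i = 1; i <= NF; i++) if ($i == ">") { d = $(i + 1); break }
        if (d == "") next
        sub(/:$/, "", d)
        port = d; sub(/.*\./, "", port)        # text after the last dot
        ip = d;   sub(/\.[0-9]+$/, "", ip)     # everything before the last dot
        if (!(ip in served)) count[ip " " port]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Stand-alone usage: report stray destinations in the sample log.
stray_destinations "$SAMPLE_LOG" "$PFSENSE_ADDRS"
```

    Run against the sample it lists the two connections to 198.51.100.190 (ports 80 and 22) and stays silent about the one to the virtual IP 198.51.100.185. A non-empty result is the cue to look at layer 2 (who is answering ARP for that address, and what the upstream router's ARP cache says) rather than at pfSense's rule set, since the log only proves the frame arrived at pfSense, not why.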



  • @marama:

    Hi there.

    It's me again.
    I just gave it another shot, and it seems like it's working fine now (a few hours after the first attempt).
    Seems like I am missing some network know-how; anyone care to tell me what it was I was missing? Was there some other cache that needed to be purged?
    TIA



  • I think you should run your ASA behind the pfsense and not in parallel and just forward the needed ports.

    (I had to go reading some time ago to even find out what ASA is - but it seems it should work just fine behind NAT)



  • @kejianshi:

    I think you should run your ASA behind the pfsense and not in parallel and just forward the needed ports.

    (I had to go reading some time ago to even find out what ASA is - but it seems it should work just fine behind NAT)

    Yes, that's what I am doing right now - migrating to ASAs behind pfSense. I've already got the 5505 ASA behind pfSense, after I get everything running I'll do the same with the 5510. They are supposed to run in 1:1 mode. Would like to have pfSense as single device, but as long as users like the "clientless" VPN (I like it, too) I have to have an ASA running.

    The issue today was confusing me; I'm still not sure what happened and why it self-resolved after a few hours. Maybe something with state tables expiring? Anyone here willing to educate me?



  • I'm not sure…

    What packages are you running on pfsense?



  • @kejianshi:

    I'm not sure…

    What packages are you running on pfsense?

    Only Darkstat.



  • The only time I've seen pfsense drop connections willy-nilly is when packages were running to filter packets and cause them to drop.  Also seen connectivity killed when some equipment was running jumbo frames and other pieces were not compatible.  Bad connectors or cables?  Your configuration seems too simple to have big problems.



  • @kejianshi:

    The only time I've seen pfsense drop connections willy-nilly is when packages were running to filter packets and cause them to drop.  Also seen connectivity killed when some equipment was running jumbo frames and other pieces were not compatible.  Bad connectors or cables?  Your configuration seems too simple to have big problems.

    Well, I was talking more about rogue packets (intercepted by pfSense instead of ASA) than lost ones. I do have 6-7 VLANs on my switch though, but since the problem self-resolved after some time, it's now difficult for me to track down the source of the problem.

