Netgate Discussion Forum
    [zone: pf states] PF states limit reached - how to find the offender?

    • nikolaii

      Hello,

      this morning I couldn't connect to my infrastructure anymore. On the remote console of the firewall I could see the following message:

      [zone: pf states] PF states limit reached

      So I restarted the firewall and voila, everything is back to normal. But I'd like to know certain things:

      • how to find out what filled the state tables up?
      • how to make the firewall accept new states even if the state tables are full? (maybe by discarding old ones?).

      Currently I have this setting (I think this is the default one):

      pfctl -sm
      states        hard limit   201000
      src-nodes     hard limit   201000
      frags         hard limit     5000
      table-entries hard limit   200000

      Thank you.
      Nicolas

      • Harvy66

        There is an option under advanced settings that allows you to increase the rate at which states are expired as your table fills up.

        • nikolaii

          I'll have a look at this, thank you.

          Meanwhile, I was looking at the RRD graphs, and I don't see the limit (201000) being reached when the firewall became unresponsive. So I guess there must be something else, right?

          Any clue where to look?

          Thank you.
          Nicolas

          • Shellite

            I know I am bumping an old thread here, sorry!

            I am suffering this issue also, happens after the box has run for ~1 month and the state table in RRD at the time showed ~0.4k states (middle of the night) so it was very quiet, even on the busiest of days would be lucky to hit 1.6k states.

            Did you ever find a reason Nicolas?

            @nikolaii:

            I'll have a look at this, thank you.

            Meanwhile, I was looking at the RRD graphs, and I don't see the limit (201000) being reached when the firewall became unresponsive. So I guess there must be something else, right?

            Any clue where to look?

            Thank you.
            Nicolas

            • nikolaii

              @Shellite:

              Did you ever find a reason Nicolas?

              Well unfortunately not, but fortunately this issue didn't occur again since…

              Good luck!

              Nicolas

              • stephenminta

                I am having the same issue. Did anyone ever find a solution?

                • kswtch

                  Same issue here. Firewall hangs in the middle of the night (just before midnight) with "PF states limit reached" showing up in the console.
                  0.7k states at the time. Normally the FW tops out at 5k states. FW had been running for 48 hrs. We never saw that in the years before.
                  A reboot solved the issue. No clue what happened though.

                  edit:
                  We let pfSense forward all messages to our syslog server. At the time pfSense stopped responding with "states limit reached" it dumped many many many thousand lines at once to our syslog server. Most certainly, if every line is one state, that's what caused it. All the lines have the same timestamp but are clearly showing logs over a longer period.

                  • JuantonJohn

                    If you have an open port (web interface) and it was Denial of Service attacked, wouldn't that possibly cause the freeze / hang / crash? Maybe something trying to buffer overrun and exploit an open port?

                    …guessing...

                    • mcdiesel

                      We had the same issue today. States typically running at 10k during the work day.

                      Something suddenly goes nuts, fills all 201,000.

                      Culprit turned out to be Spiceworks, scanning 10.0.0.0/16. It does it by brute force, initiating an nmap scan to tens of thousands of (nonexistent) hosts concurrently.

                      Event spike (but not the source) shows up nicely in Status/Monitoring/Spanner, left axis: System/States

                      • Harvy66
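The original question was how to find what filled the table; the post above shows the usual cause is one host opening thousands of states at once. The following is an added example, not code from any poster or from pfSense: it groups `pfctl -ss` output by the host that opened each state, so a scanner like the one described shows up at the top. It assumes the FreeBSD `pfctl -ss` line shape (interface, protocol, `src -> dst` or `dst <- src`, an optional pre-NAT address in parentheses, IPv4 ports as `addr:port`, IPv6 ports as `addr[port]`); the sample states are constructed.

```shell
#!/bin/sh
# Aggregate `pfctl -ss` output by originating host so a state hog stands out.
# Assumed line shape (FreeBSD/pfSense): <if> <proto> <a> [-> | <-] <b> <state>,
# with a pre-NAT address in parentheses when NAT applied.

top_state_sources() {
  # $1 = number of hosts to list (default 10); reads state lines on stdin
  awk '
    {
      for (i = 1; i <= NF; i++) if ($i == "->" || $i == "<-") break
      if (i > NF) next                        # not a state line, skip it
      ep = ($i == "->") ? $(i - 1) : $(i + 1) # endpoint that opened the state
      gsub(/[()]/, "", ep)                    # keep the pre-NAT address if shown
      if (ep ~ /\[[0-9]+\]$/) sub(/\[[0-9]+\]$/, "", ep)  # strip IPv6 port
      else sub(/:[0-9]+$/, "", ep)                         # strip IPv4 port
      n[ep]++
    }
    END { for (h in n) print n[h], h }
  ' | sort -rn | head -n "${1:-10}"
}

# Constructed sample resembling the scanner case above: one internal host
# holding many half-open (SYN_SENT) states toward hosts that never answer.
SAMPLE_STATES='em0 tcp 10.0.0.23:41000 -> 10.0.5.1:445       SYN_SENT:CLOSED
em0 tcp 10.0.0.23:41001 -> 10.0.5.2:445       SYN_SENT:CLOSED
em0 tcp 10.0.0.23:41002 -> 10.0.5.3:445       SYN_SENT:CLOSED
em1 tcp 203.0.113.9:52000 (10.0.0.7:52000) -> 198.51.100.20:443   ESTABLISHED:ESTABLISHED
em1 udp 203.0.113.9:5353 (10.0.0.7:5353) -> 198.51.100.20:53   MULTIPLE:SINGLE
em1 tcp 203.0.113.9:80 (10.0.0.8:80) <- 198.51.100.77:4433   ESTABLISHED:ESTABLISHED
em1 tcp 2001:db8::23[50000] -> 2001:db8:1::5[445]   SYN_SENT:CLOSED'

# On a live firewall, run: pfctl -ss | top_state_sources 5
printf '%s\n' "$SAMPLE_STATES" | top_state_sources 3
```

Running it from the pfSense shell while the table is filling gives the offender's address directly; the RRD graph in Status/Monitoring only shows that the spike happened.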

                        You can configure pfSense to shorten the timeouts of the states as it gets fuller.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.