Error TCP:FPA TCP:FA block

klaos · Apr 1, 2015, 3:34 PM

Good afternoon to all my structure is as follows

Pòint A: Pfsense 2.1.5

Point B: 2.1.5

Point A:
WAN Copel IP dinamic
WAN: GVT IP Dinamic

point B
WAN ip fixed
WAN2 ip fixed

OpenVPN Server in Point B and Client Point

Outbound with manual bucause MASQUEREDE

make drop witch packets TCP:FA
Enable Bypass firewall rules for traffic on the same interface

block
Apr 1 11:59:00 Direction=OUT ovpns3 Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List 192.168.2.5:1109 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 192.168.1.16:5060 TCP:A
block
Apr 1 11:59:01 Direction=OUT ovpnc1 Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List 192.168.2.30:50369 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 10.1.28.11:3389 TCP:PA
block
Apr 1 11:59:01 Direction=OUT ovpnc1 Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List 192.168.2.30:50369 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 10.1.28.11:3389 TCP:PA
block
Apr 1 11:59:01 Direction=OUT ovpnc1 Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List 192.168.2.30:50369 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 10.1.28.11:3389 TCP:PA
block
Apr 1 11:59:03 Direction=OUT ovpnc1 Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List 192.168.2.30:50369 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 10.1.28.11:3389 TCP:PA
block
Apr 1 11:59:05 Direction=OUT ovpnc1 Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List 192.168.2.30:50369 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 10.1.28.11:3389 TCP:PA

KOM · Apr 1, 2015, 3:27 PM

Este é um fórum Inglês. Por favor coloque o seu problema no fórum Português, ou usar o Google Translate para converter de Português para Inglês.

This is an English forum. Please post your problem in the Portuguese forum, or use Google Translate to convert from Portuguese to English.

klaos · Apr 1, 2015, 3:33 PM

I'am edit to English Now Tnks

@KOM:

Este é um fórum Inglês. Por favor coloque o seu problema no fórum Português, ou usar o Google Translate para converter de Português para Inglês.

This is an English forum. Please post your problem in the Portuguese forum, or use Google Translate to convert from Portuguese to English.

KOM · Apr 1, 2015, 5:33 PM

If I understand your problem, you are concerned about some packets being blocked and you don't understand why? Those packets appear to be out-of-state, and are normal for pfSense. When a connection is closed by one side, the other side will send an ACK packet to say that it received the close request. Since pfSense has already closed the connection, it will drop the packet that acknowledges the connection close request. Since pfSense already considers the state closed, it will reject that ACK packet and log it.

klaos · Apr 1, 2015, 5:38 PM

Understand, because doing this with almost all packages of VPN, which traffics Squid and Voip and thus falling connection or getting dumb Voip

Is there any way to fix this?

KOM · Apr 1, 2015, 5:47 PM

If it is out-of-state packets, then you should just ignore them. Are you having some kind of problem that these dropped packets are related to?

klaos · Apr 1, 2015, 5:54 PM

Yes I am, is losing direct connection Voip and Terminal Server, giving drop in constant 3389 5060 3128

KOM · Apr 1, 2015, 6:20 PM

I think your problems are not related to these packets. TCP:FA is a FIN ACK, which is acknowledgement of receiving a TCP teardown request. This packet is the most commonly blocked out-of-state packet.

Now, on to your actual problems. I'm not sure if I fully understand you, but I am guessing that you have these two sites connected by OpenVPN, and you say that there is disconnection between the sites? When a disconnection happens, check Status - System Logs - System - General and Gateways.

klaos · Apr 1, 2015, 6:30 PM

Oowoo

I guess it's a problem

Apr 1 12:47:51 apinger: alarm canceled: WAN_OPTITELGW(8.8.4.4) *** down ***
Apr 1 12:48:21 apinger: ALARM: WAN_OPTITELGW(8.8.4.4) *** down ***
Apr 1 12:48:25 apinger: alarm canceled: WAN_OPTITELGW(8.8.4.4) *** down ***
Apr 1 12:51:06 apinger: ALARM: WAN_FASTSIGNALGW(8.8.8.8) *** down ***
Apr 1 12:51:07 apinger: alarm canceled: WAN_FASTSIGNALGW(8.8.8.8) *** down ***
Apr 1 12:51:27 apinger: ALARM: WAN_OPTITELGW(8.8.4.4) *** down ***
Apr 1 12:51:29 apinger: alarm canceled: WAN_OPTITELGW(8.8.4.4) *** down ***
Apr 1 12:52:14 apinger: SIGHUP received, reloading configuration.
Apr 1 12:52:24 apinger: SIGHUP received, reloading configuration.
Apr 1 13:08:03 apinger: SIGHUP received, reloading configuration.

now Estable Gateway This stable now and do not have more drop

KOM · Apr 1, 2015, 6:48 PM

The problem you are seeing may be related to apinger. Search these forums and you will see a LOT of apinger problems with 2.1.x. This functionality has been improved in pfSense 2.2. You might want to look at upgrading.