Netgate Discussion Forum
2.3 RC - Complete loss of internet connectivity "pf frag entries limit reached"

    General pfSense Questions
breakaway:

Since I upgraded to 2.3 RC in my home lab everything was smooth but after a little while I noticed my off-site backups were failing. Eventually this progressed to internet just flat out stopping when the backups were running (the backups are Veeam backups over an IPsec tunnel). I've got a VDSL connection at home – 30 down, 10 up.

When the internet connectivity stops, I get this message repeated on the console many times:

[zone: pf frag entries] PF frag entries limit reached

I have not been able to successfully run a backup for over a week now so for the time being I've rolled back to 2.2.6 stable.

Any ideas on what I can try to fix this?
Perforado (Rebel Alliance):

Go to System / Advanced / Firewall & NAT and increase "Firewall Maximum Fragment Entries" (5000 is the default) to 8192 or more.
heper:

Might also consider adjusting the VPN settings. Fragmenting can result in bad performance.

See quote from: https://doc.pfsense.org/index.php/IPsec_Troubleshooting

    Packet Loss with Certain Protocols

    If packet loss is experienced only when using specific protocols (SMB, RDP, etc), MSS clamping may be required to reduce the effective MTU of the VPN. IPsec does not handle fragmented packets very well, and a reduced MTU will ensure that the packets traversing the tunnel are all of a size which can be transmitted whole. A good starting point would be 1300, and if that works, slowly increase the MSS until the breaking point is located, then back off a little from there.

    MSS clamping is configured under System > Advanced on the Miscellaneous tab on pfSense 2.1.x and before. On pfSense 2.2, it is under VPN > IPsec on the Advanced Settings tab. Check the box to enable MSS Clamping for VPNs, and fill in the appropriate value.
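To make the quoted advice concrete, here is an added example of what MSS clamping actually does on the wire. This is illustrative Python written for this thread, not code from pfSense or from the pfSense documentation: it builds a constructed TCP SYN carrying an MSS option, rewrites the option the way pf's scrub rule does when the advertised MSS exceeds the configured maximum, and recomputes the TCP checksum so the segment stays valid. The helper max_inner_mss() shows why the "right" value depends on the tunnel: the ESP overhead (SPI, sequence number, IV, padding, trailer, ICV, and UDP for NAT-T) varies with the cipher suite, so the esp_overhead figure passed in is an assumption, as are the addresses, ports and sequence number in the sample segment.

```python
import socket
import struct

# Added example (not from the thread or pfSense): a minimal TCP MSS clamp of the
# kind pf's "scrub max-mss" / pfSense's "MSS Clamping for VPNs" applies to SYNs,
# plus a rough helper for deriving the clamp value from the path MTU.


def build_syn(mss, sport=51515, dport=445):
    """Construct a TCP SYN header (no payload) carrying an MSS option.
    Sample input only: ports, sequence number and window are made up."""
    # Options: MSS (kind 2, len 4), NOP, NOP, SACK-permitted (kind 4, len 2)
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    doff = (20 + len(options)) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                        doff << 4, 0x02, 65535, 0, 0)  # flags=SYN, checksum=0
    return fixed + options


def ones_complement_sum(data):
    """16-bit one's complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src, dst, segment):
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(_pseudo_header(src, dst, segment) + zeroed)) & 0xFFFF


def checksum_ok(src, dst, segment):
    """A segment with a correct checksum sums to 0xFFFF together with its pseudo-header."""
    return ones_complement_sum(_pseudo_header(src, dst, segment) + segment) == 0xFFFF


def find_mss_option(segment):
    """Walk the TCP option list; return (offset of the 2-byte MSS value, value) or None."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= doff:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            return None                    # malformed option list: leave it alone
        if kind == 2 and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(segment, max_mss, src, dst):
    """Rewrite the MSS option of a SYN if it exceeds max_mss and fix the checksum.
    Returns (segment, original_mss); original_mss is None when nothing changed."""
    if not segment[13] & 0x02:             # only SYN / SYN-ACK carry an MSS option
        return segment, None
    found = find_mss_option(segment)
    if found is None or found[1] <= max_mss:
        return segment, None
    offset, original = found
    new = bytearray(segment)
    new[offset:offset + 2] = struct.pack("!H", max_mss)
    new[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(new)))
    return bytes(new), original


def max_inner_mss(path_mtu, esp_overhead):
    """Largest TCP MSS whose inner IPv4 packet still fits in path_mtu once ESP is added.
    esp_overhead is an assumed input (it depends on the cipher suite and on NAT-T);
    20 = outer IPv4 header, 40 = inner IPv4 header + TCP header without options."""
    return path_mtu - 20 - esp_overhead - 40


if __name__ == "__main__":
    src, dst = "192.0.2.1", "198.51.100.1"   # documentation addresses, constructed
    syn = build_syn(1460)
    clamped, original = clamp_mss(syn, 1350, src, dst)
    print("MSS", original, "->", find_mss_option(clamped)[1],
          "| checksum ok:", checksum_ok(src, dst, clamped))
    print("MSS fitting a 1500-byte path with ~70 bytes of ESP overhead:", max_inner_mss(1500, 70))
```

The clamp only ever lowers the advertised value, so enabling it on one side is enough for both directions of a connection: the peer's stack honours the smaller MSS it receives, which matches what rlrobs and unixwzrd observe further down.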
unixwzrd:

I'm using IPsec between two pfSense boxes and was getting this message after the update.

As suggested I used MSS clamping on both sides, and fiddled with the Maximum MSS parameter on the "Advanced" configuration page for IPsec and it seems 1350 works for me. I started at 1400 and reduced by 50 and the errors have not appeared again. Would be nice to know what a definitive value is rather than just "trying values until the error disappears". But hey, it's working.

If anyone knows a better value, please share.

Also, I noticed that since the 2.3 upgrade, I had to turn off IP Compression on one side. When it's turned on both sides, a connection is created, but no packets get passed. Would be nice if this could get fixed.

On the upside, since 2.3 my mobile (iStuff) devices are connecting to the Mobile VPN using the Cisco IPsec client now.

Cheers.
rlrobs:

Yes unixwzrd.

But..

I solved this problem enabling the MSS clamping on only one side.
unixwzrd:

Disabling on both sides was for consistency; I do know that if one side is clamping, the other will abide by its restrictions and settings.

Interestingly, the message only seems to appear when using Apple Remote Desktop (ARD), and not at any other time.

Go figure…
timboau:

Thanks for this thread - I too have a similar issue happening with offsite backups via IPsec.

I have about 15 DSL sites uploading into another DSL site and was experiencing this issue - strangely only one site was halting backups but the main site was having 'pf frag entries limit reached' errors throughout the day.

I've upped the Firewall Maximum Fragment Entries in advanced settings and the errors appear to have stopped. (I also applied clamping in the IPsec advanced settings but this didn't seem to stop the errors.)
timboau:

No 'pf frag entries limit reached' errors overnight and all backups went through.
cmb:

Root cause of that is this:
https://redmine.pfsense.org/issues/6499

If you're in a situation where you're hitting that routinely, the latest 2.3.2 snapshots are stable and include the fix to properly expire those states. System > Update, Update Settings, switch to Development and click Save. Then back to the System Update tab and upgrade there.

Upping the max fragment entries will prolong how long it takes to reach the maximum and may suffice for some people.
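For Perforado's advice about raising the fragment entry limit and cmb's point that raising it only delays hitting the ceiling, here is an added monitoring example written for this thread (not code from pfSense or the Netgate forum). It reads the `hard limit` lines that FreeBSD's `pfctl -sm` prints, counts occurrences of the console message quoted in the first post in a syslog extract, and proposes a larger limit expressed as the pf.conf directive `set limit frags N`. The `pfctl -sm` output and log lines below are constructed samples (only the 5000 default comes from the thread), and it is an assumption that the GUI field "Firewall Maximum Fragment Entries" ends up as that `set limit frags` line in the generated ruleset.

```python
import re

# Constructed sample of `pfctl -sm` output. The format matches FreeBSD pf; the numbers
# are made up apart from frags=5000, the pfSense default named in the thread.
SAMPLE_PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""

# Constructed sample syslog lines, modelled on the console message from the first post.
SAMPLE_LOG = """\
May  3 02:10:11 fw kernel: [zone: pf frag entries] PF frag entries limit reached
May  3 02:10:11 fw kernel: [zone: pf frag entries] PF frag entries limit reached
May  3 02:15:40 fw kernel: [zone: pf frag entries] PF frag entries limit reached
May  3 02:20:02 fw sshd[1234]: Accepted publickey for admin from 10.0.0.5
"""

LIMIT_RE = re.compile(r"^(\S+)\s+hard limit\s+(\d+)\s*$")
FRAG_MSG = "PF frag entries limit reached"
SYSLOG_TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)")


def parse_pf_limits(text):
    """Map pf memory pool names (states, src-nodes, frags, ...) to their hard limits."""
    limits = {}
    for line in text.splitlines():
        m = LIMIT_RE.match(line.strip())
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def frag_limit_hits(log_text):
    """Return the syslog timestamp of every 'frag entries limit reached' line, in order."""
    hits = []
    for line in log_text.splitlines():
        if FRAG_MSG in line:
            m = SYSLOG_TS_RE.match(line)
            hits.append(m.group(1) if m else line)
    return hits


def assess(limits, hits, factor=2):
    """Summarise how often the frag limit was hit and propose a larger pf limit.
    A bigger table only buys time if entries are not being expired (the bug cmb
    links), so the hit count and its time span are reported alongside the proposal."""
    current = limits.get("frags")
    proposed = current * factor if current else None
    return {
        "frag_limit": current,
        "hits": len(hits),
        "first_hit": hits[0] if hits else None,
        "last_hit": hits[-1] if hits else None,
        "proposed_limit": proposed,
        # Assumption: pfSense's GUI field becomes this pf.conf directive in its ruleset.
        "pf_directive": f"set limit frags {proposed}" if proposed else None,
    }


if __name__ == "__main__":
    report = assess(parse_pf_limits(SAMPLE_PFCTL_SM), frag_limit_hits(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key:15} {value}")
```

On a live box the two inputs would come from `pfctl -sm` and the system log rather than the embedded samples; a rising hit count after the limit has already been raised is the signal that the table is not expiring entries, which is cmb's case for upgrading rather than tuning further.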