Bug #2636

closed

state mismatch issue on enc0 with amd64

Added by Chris Buechler about 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: High
Assignee: Ermal Luçi
Category: Operating System
Target version:
Start date: 09/17/2012
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture: amd64

Description

There's some kind of state mismatch issue on enc0 with amd64. Potentially related, tcpdump on enc0 doesn't show any ingress traffic, only egress. The SYN gets passed, the SYN ACK blocked on enc0 as a state mismatch. Doesn't impact i386.

Actions #1

Updated by Ermal Luçi about 9 years ago

  • Status changed from New to Feedback

This should behave better on latest snapshots.

Actions #2

Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to New

no change

Actions #3

Updated by Ermal Luçi almost 9 years ago

  • Status changed from New to Feedback

A fix to require correct mask was submitted on master.

Actions #4

Updated by Ermal Luçi almost 9 years ago

By any chance, do you have net.inet.ipsec.filtertunnel set to something greater than 0?

Actions #5

Updated by Chris Buechler almost 9 years ago

On the one system of ours that was having this issue, it's better than it used to be (it used to be impossible to complete a TCP handshake), but it still drops TCP sessions like crazy. Somewhere around a month ago it got better. Currently on Feb 8 snap.

$ sysctl -a|grep filtertunnel
net.inet.ipsec.filtertunnel: 0
net.inet6.ipsec6.filtertunnel: 0

Actions #6

Updated by Renato Botelho over 8 years ago

  • Status changed from Feedback to New

Actions #7

Updated by Ermal Luçi over 8 years ago

Can you try whether setting net.inet.ipsec.filtertunnel from 0 to 1 makes it work correctly?

Actions #8

Updated by Chris Buechler over 8 years ago

Setting net.inet.ipsec.filtertunnel=1 definitely seems to fix it. On a tunnel where I couldn't keep a TCP session going for more than a minute or two previously, after changing only that, I've had an RDP session up for over an hour and multiple SSH sessions up, with no problem at all.

Actions #9

Updated by Chris Buechler over 8 years ago

Well, it fixed one problem and broke things that used to work. Incoming IPsec traffic from other connections that were working fine previously is now getting blocked in on em0 (WAN, where the IPsec terminates) where it should be hitting the rules for in on enc0.

Actions #10

Updated by Chris Buechler over 8 years ago

  • Status changed from New to Feedback

After further evaluation, this appears to have been fixed sometime in the past month or two by something that wasn't tagged on this specific ticket. Putting to feedback for the time being, will close after giving it some more time.

Actions #11

Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Resolved

this is fixed
