Bug #2636: state mismatch issue on enc0 with amd64 - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #2636

closed

state mismatch issue on enc0 with amd64

Added by Chris Buechler about 12 years ago. Updated over 11 years ago.

Status:

Resolved

Priority:

High

Assignee:

Ermal Luçi

Category:

Operating System

Target version:

2.1

Start date:

09/17/2012

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.1

Affected Architecture:

amd64

Description

There's some kind of state mismatch issue on enc0 with amd64. Potentially related, tcpdump on enc0 doesn't show any ingress traffic, only egress. The SYN gets passed, the SYN ACK blocked on enc0 as a state mismatch. Doesn't impact i386.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Ermal Luçi about 12 years ago

Status changed from New to Feedback

This should behave better on latest snapshots.

Actions

Copy link

Updated by Chris Buechler almost 12 years ago

Status changed from Feedback to New

no change

Actions

Copy link

Updated by Ermal Luçi almost 12 years ago

Status changed from New to Feedback

A fix to require correct mask was submitted on master.

Actions

Copy link

Updated by Ermal Luçi almost 12 years ago

By any chance you have net.inet.ipsec.filtertunnel set to something grater than 0?

Actions

Copy link

Updated by Chris Buechler almost 12 years ago

on the one system of ours that was having this issue, it's better than it used to be (it used to be impossible to complete a TCP handshake), but it still drops TCP sessions like crazy. Somewhere around a month ago it got better. Currently on Feb 8 snap.

$ sysctl -a|grep filtertunnel
net.inet.ipsec.filtertunnel: 0
net.inet6.ipsec6.filtertunnel: 0

Actions

Copy link

Updated by Renato Botelho over 11 years ago

Status changed from Feedback to New

Actions

Copy link

Updated by Ermal Luçi over 11 years ago

Can you try if setting net.inet.ipsec.filtertunnel: 0 to 1 makes it work correctly?

Actions

Copy link

Updated by Chris Buechler over 11 years ago

Setting net.inet.ipsec.filtertunnel=1 definitely seems to fix it. On a tunnel where I couldn't keep a TCP session going for more than a minute or two previously, after changing only that, I've had a RDP session up for over an hour and multiple SSH sessions up, with no problem at all.

Actions

Copy link

Updated by Chris Buechler over 11 years ago

Well, it fixed one problem and broke things that used to work. Incoming IPsec traffic from other connections that were working fine previously are now getting blocked in on em0 (WAN, where the IPsec terminates) where they should be hitting the rules for in on enc0.

Actions

Copy link

#10

Updated by Chris Buechler over 11 years ago

Status changed from New to Feedback

After further evaluation, this appears to have been fixed sometime in the past month or two by something that wasn't tagged on this specific ticket. Putting to feedback for the time being, will close after giving it some more time.

Actions

Copy link

#11

Updated by Chris Buechler over 11 years ago

Status changed from Feedback to Resolved

this is fixed

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #2636

state mismatch issue on enc0 with amd64

Updated by Ermal Luçi about 12 years ago

Updated by Chris Buechler almost 12 years ago

Updated by Ermal Luçi almost 12 years ago

Updated by Ermal Luçi almost 12 years ago

Updated by Chris Buechler almost 12 years ago

Updated by Renato Botelho over 11 years ago

Updated by Ermal Luçi over 11 years ago

Updated by Chris Buechler over 11 years ago

Updated by Chris Buechler over 11 years ago

Updated by Chris Buechler over 11 years ago

Updated by Chris Buechler over 11 years ago