>> if you can post dmesg and some relevant 'pass' rules, that might help.
Sure. So far, I have started my test and I have far fewer problems now, but I don't think the solution is fine. As of version 4.1, the rule keep state flags S/SA is the default. All my problems went away when I used the following rules:

pass out on $if_prod proto tcp from any to <so_prod_ad> port {http, https} no state flags any label "Internet vers la prod AD"
pass in on $if_prod proto tcp from <so_prod_ad> port {http, https} to any no state flags any label "Reply From AD to the Internet"

If I go on keep state, then, when I launch a download at 25 Mo/s, it downloads about 35 Mo then stops and my log gets full of

Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51872 193.189.125.227:51872 77.72.91.10:80 [lo=936647122 high=936652914 win=5840 modulator=0] [lo=2657626173 high=2657632013 win=5792 modulator=0] 4:2 SA seq=2660626928 (2660626928) ack=936647122 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5
Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51876 193.189.125.227:51876 77.72.91.10:80 [lo=941137405 high=941143197 win=5840 modulator=0] [lo=2659274591 high=2659280431 win=5792 modulator=0] 4:2 SA seq=2662275452 (2662275452) ack=941137405 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5
Jun 7 12:15:26 so-knox01a-std /bsd: pf: BAD state: TCP 193.189.125.227:51880 193.189.125.227:51880 77.72.91.10:80 [lo=941037484 high=941043276 win=5840 modulator=0] [lo=2663170100 high=2663175940 win=5792 modulator=0] 4:2 SA seq=2666170841 (2666170841) ack=941037484 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 7 12:15:26 so-knox01a-std /bsd: pf: State failure on: 1 | 5

From my understanding, State failure on: 1 means the sequence number was too far ahead, based on the RFC. But today, with adaptive TCP windows, we can have so many packets going through at the same time.

Leo
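An added example, not part of the original message: a small parser for the "pf: BAD state" lines quoted above that reports how far each rejected packet's seq lies beyond the `high` value recorded in the state entry. The field layout is taken from the log lines in the message; choosing the sender as the peer whose tracked range is nearest to seq is an assumption of this example, not something the log states.

```python
import re

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32

# Log lines copied from the message above (syslog timestamp/host prefix trimmed).
SAMPLE = """\
pf: BAD state: TCP 193.189.125.227:51872 193.189.125.227:51872 77.72.91.10:80 [lo=936647122 high=936652914 win=5840 modulator=0] [lo=2657626173 high=2657632013 win=5792 modulator=0] 4:2 SA seq=2660626928 (2660626928) ack=936647122 len=0 ackskew=0 pkts=3:1 dir=in,rev
pf: State failure on: 1 | 5
pf: BAD state: TCP 193.189.125.227:51876 193.189.125.227:51876 77.72.91.10:80 [lo=941137405 high=941143197 win=5840 modulator=0] [lo=2659274591 high=2659280431 win=5792 modulator=0] 4:2 SA seq=2662275452 (2662275452) ack=941137405 len=0 ackskew=0 pkts=3:1 dir=in,rev
pf: State failure on: 1 | 5
"""

PEER = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+\]")
PKT = re.compile(r"(\S+) seq=(\d+) \(\d+\) ack=(\d+) len=(\d+)")


def seq_dist(a, b):
    """Signed distance a - b in 32-bit sequence space (handles wraparound)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def parse_bad_state(line):
    """Return a dict for a 'pf: BAD state' line, or None for anything else."""
    if "pf: BAD state:" not in line:
        return None
    peers = [tuple(int(v) for v in m) for m in PEER.findall(line)]
    pkt = PKT.search(line)
    if len(peers) != 2 or pkt is None:
        return None
    flags, seq, ack, length = pkt.group(1), *(int(g) for g in pkt.groups()[1:])
    # Assumption: the sender is the peer whose tracked range is nearest to seq.
    lo, high, win = min(peers, key=lambda p: abs(seq_dist(seq, p[1])))
    return {"flags": flags, "seq": seq, "ack": ack, "len": length,
            "high": high, "win": win, "past_high": seq_dist(seq, high)}


def analyse(text):
    """Parse every BAD state line in a block of log text."""
    return [r for r in map(parse_bad_state, text.splitlines()) if r]


if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(f"{r['flags']} seq={r['seq']} is {r['past_high']} bytes past "
              f"tracked high={r['high']} (recorded win={r['win']})")
```

On the two sample lines the packet's seq is just under 3,000,000 bytes past the recorded `high`, while the recorded window for that peer is 5792.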