Hello,

recently we upgraded some of our firewalls from OpenBSD 4.4 to 4.5.
Since then, we've been getting loads of the following message
(external addresses substituted with AAA's and BBB's):

Jun 11 18:08:19 celeborn /bsd: pf: state key linking mismatch! dir=OUT,
if=bge0, stored af=2, a0: 10.136.192.199:30285, a1: 10.216.8.1:22,
proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.
Jun 11 18:08:21 celeborn /bsd: pf: state key linking mismatch! dir=OUT,
if=bge0, stored af=2, a0: 10.136.248.119:42137, a1: 10.137.0.130:993,
proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.


Relevant states, taken right after the errors showed up in syslog:

all gre BBB.BBB.BBB.BBB <- AAA.AAA.AAA.AAA       MULTIPLE:MULTIPLE
all tcp 10.216.8.1:22 <- 10.136.192.199:30285 ESTABLISHED:ESTABLISHED
all tcp 10.136.192.199:30285 -> 10.216.8.1:22 ESTABLISHED:ESTABLISHED
all tcp 10.137.0.130:993 <- 10.136.248.119:42137 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.136.248.119:42137 -> 10.137.0.130:993 FIN_WAIT_2:FIN_WAIT_2

gre25: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
        description: TUNNELING-10/8
        priority: 0
        groups: gre
        physical address inet BBB.BBB.BBB.BBB --> AAA.AAA.AAA.AAA
        inet6 fe80::204:23ff:feb1:73c4%gre25 ->  prefixlen 64 scopeid 0x12
        inet 192.168.253.136 --> 192.168.136.253 netmask 0xffffffff

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            BBB.BBB.BBB.CCC    UGS        4  1317018     -     8 bge0
10/8               192.168.136.253    UGS        0   769241     -     8 gre25
10.136.248/21      link#4             UC        14        0     -     4 em3
BBB.BBB.BBB.0/27   link#9             UC        11        0     -     4 bge0
...


Status: Enabled for 0 days 02:24:21           Debug: Urgent

State Table                          Total             Rate
  current entries                     6281               
  searches                        14179937         1637.2/s
  inserts                           586841           67.8/s
  removals                          580560           67.0/s
Counters
  match                             498717           57.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        28            0.0/s
  state-insert                           5            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s


This is happening only on firewalls where we use GRE tunnels.

I guess that rev. 1.618 of pf.c, which was added in 4.5, is causing
those messages to appear. But we're not experiencing any network
problems despite the errors.

The ruleset being a bit lengthy, I left it out, but can send it
on demand.

Is there need to worry about those errors? 

Thanks,
-- 
Pascal
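A small triage script, added here and not part of Pascal's post or of pf itself, that parses these syslog lines into their stored and found state keys and counts how many pair a transport-layer flow with a GRE (proto 47) key on the same interface; the sample log is constructed from the two lines quoted above, re-joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: the two syslog lines from the post, re-joined onto
# single lines as syslog writes them, plus one unrelated kernel line.
SAMPLE_LOG = """\
Jun 11 18:08:19 celeborn /bsd: pf: state key linking mismatch! dir=OUT, if=bge0, stored af=2, a0: 10.136.192.199:30285, a1: 10.216.8.1:22, proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.
Jun 11 18:08:21 celeborn /bsd: pf: state key linking mismatch! dir=OUT, if=bge0, stored af=2, a0: 10.136.248.119:42137, a1: 10.137.0.130:993, proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.
Jun 11 18:09:00 celeborn /bsd: unrelated kernel message (constructed)
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}  # IP protocol numbers

# One state key is (a0, a1, proto); the message carries a stored and a found key.
_KEY = r"a0: (?P<{p}a0>[^,\s]+), a1: (?P<{p}a1>[^,\s]+), proto=(?P<{p}proto>\d+)"
LINE_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<iface>\w+), "
    + r"stored af=(?P<saf>\d+), " + _KEY.format(p="s")
    + r", found af=(?P<faf>\d+), " + _KEY.format(p="f")
)

def parse_mismatch(line):
    """Return the parsed record for one mismatch line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"dir": d["dir"], "iface": d["iface"],
            "stored": (d["sa0"], d["sa1"], int(d["sproto"])),
            "found": (d["fa0"], d["fa1"], int(d["fproto"]))}

def inner_flow_on_tunnel(rec):
    """True when the stored key is a non-GRE flow but the found key is the
    outer GRE state (proto 47), the pattern shown in the post."""
    return rec["stored"][2] != 47 and rec["found"][2] == 47

def summarize(log_text):
    """Count mismatches per (iface, dir, stored proto, found proto) and
    return how many of them fit the GRE tunnel pattern."""
    counts, tunnel = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_mismatch(line)
        if rec is None:
            continue
        key = (rec["iface"], rec["dir"],
               PROTO.get(rec["stored"][2], str(rec["stored"][2])),
               PROTO.get(rec["found"][2], str(rec["found"][2])))
        counts[key] += 1
        tunnel += inner_flow_on_tunnel(rec)
    return counts, tunnel

if __name__ == "__main__":
    counts, tunnel = summarize(SAMPLE_LOG)
    for (iface, d, s, f), n in counts.items():
        print(f"{iface} {d} stored={s} found={f}: {n}")
    print(f"{tunnel} of {sum(counts.values())} mismatches link a flow to a GRE state")
```

Feeding it the real /var/log/messages lets you confirm the counts line up with the state-mismatch counter in pfctl -si and that every case involves the gre interface's outer state.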
