Hello, recently we upgraded some of our firewalls from OpenBSD 4.4 to 4.5. Since then, we've been getting loads of the following messages (external addresses substituted with AAA's and BBB's):
Jun 11 18:08:19 celeborn /bsd: pf: state key linking mismatch! dir=OUT, if=bge0, stored af=2, a0: 10.136.192.199:30285, a1: 10.216.8.1:22, proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.
Jun 11 18:08:21 celeborn /bsd: pf: state key linking mismatch! dir=OUT, if=bge0, stored af=2, a0: 10.136.248.119:42137, a1: 10.137.0.130:993, proto=6, found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.

Relevant states, taken right after the errors showed up in syslog:

all gre BBB.BBB.BBB.BBB <- AAA.AAA.AAA.AAA           MULTIPLE:MULTIPLE
all tcp 10.216.8.1:22 <- 10.136.192.199:30285        ESTABLISHED:ESTABLISHED
all tcp 10.136.192.199:30285 -> 10.216.8.1:22        ESTABLISHED:ESTABLISHED
all tcp 10.137.0.130:993 <- 10.136.248.119:42137     FIN_WAIT_2:FIN_WAIT_2
all tcp 10.136.248.119:42137 -> 10.137.0.130:993     FIN_WAIT_2:FIN_WAIT_2

gre25: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
        description: TUNNELING-10/8
        priority: 0
        groups: gre
        physical address inet BBB.BBB.BBB.BBB --> AAA.AAA.AAA.AAA
        inet6 fe80::204:23ff:feb1:73c4%gre25 ->  prefixlen 64 scopeid 0x12
        inet 192.168.253.136 --> 192.168.136.253 netmask 0xffffffff

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            BBB.BBB.BBB.CCC    UGS        4  1317018     -     8 bge0
10/8               192.168.136.253    UGS        0   769241     -     8 gre25
10.136.248/21      link#4             UC        14        0     -     4 em3
BBB.BBB.BBB.0/27   link#9             UC        11        0     -     4 bge0
...

Status: Enabled for 0 days 02:24:21           Debug: Urgent

State Table                          Total             Rate
  current entries                     6281
  searches                        14179937         1637.2/s
  inserts                           586841           67.8/s
  removals                          580560           67.0/s
Counters
  match                             498717           57.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        28            0.0/s
  state-insert                           5            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

This is happening only on firewalls where we use GRE tunnels. I guess that rev. 1.618 of pf.c, which was added in 4.5, is causing those messages to appear.
But we're not experiencing any network problems despite the errors. The ruleset being a bit lengthy, I left it out, but can send it on demand. Is there a need to worry about those errors? Thanks, -- Pascal
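When chasing messages like the ones above, it helps to pull the "stored" and "found" state keys out of syslog and group them, so that it is obvious which existing state (here the GRE tunnel state) the new TCP state keys are being linked against and on which interface. The following parser is an added example written for this page, not code from the original post or from OpenBSD. It assumes the message format exactly as quoted above (OpenBSD 4.5 pf.c); the PROTO_NAMES table and the third, unrelated sample line are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the kernel message format quoted in the post. Address fields are
# taken up to the next comma so that "host:port" and bare addresses both work.
MISMATCH_RE = re.compile(
    r"pf: state key linking mismatch! dir=(?P<dir>\w+), if=(?P<ifname>[^,]+), "
    r"stored af=(?P<s_af>\d+), a0: (?P<s_a0>[^,]+), a1: (?P<s_a1>[^,]+), proto=(?P<s_proto>\d+), "
    r"found af=(?P<f_af>\d+), a0: (?P<f_a0>[^,]+), a1: (?P<f_a1>[^,]+), proto=(?P<f_proto>\d+)\."
)

# Small IP protocol number table (assumption: only these are needed here).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# Constructed sample input: the two lines from the post plus one unrelated
# kernel line that the parser must ignore.
SAMPLE_LOG = [
    "Jun 11 18:08:19 celeborn /bsd: pf: state key linking mismatch! dir=OUT, if=bge0, "
    "stored af=2, a0: 10.136.192.199:30285, a1: 10.216.8.1:22, proto=6, "
    "found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.",
    "Jun 11 18:08:21 celeborn /bsd: pf: state key linking mismatch! dir=OUT, if=bge0, "
    "stored af=2, a0: 10.136.248.119:42137, a1: 10.137.0.130:993, proto=6, "
    "found af=2, a0: AAA.AAA.AAA.AAA, a1: BBB.BBB.BBB.BBB, proto=47.",
    "Jun 11 18:08:22 celeborn /bsd: (constructed unrelated kernel message)",
]


def proto_name(num):
    """Return a protocol name for an IP protocol number, or the number itself."""
    return PROTO_NAMES.get(num, str(num))


def parse_mismatch(line):
    """Parse one syslog line; return a dict with 'stored' and 'found' state
    keys as (af, a0, a1, proto) tuples, or None if the line is not a
    state key linking mismatch message."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "dir": d["dir"],
        "if": d["ifname"],
        "stored": (int(d["s_af"]), d["s_a0"], d["s_a1"], int(d["s_proto"])),
        "found": (int(d["f_af"]), d["f_a0"], d["f_a1"], int(d["f_proto"])),
    }


def summarize(lines):
    """Group mismatches by (interface, found key) and collect the stored keys
    that collided with each one. Non-matching lines are skipped."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_mismatch(line)
        if rec is None:
            continue
        groups[(rec["if"], rec["found"])].append(rec["stored"])
    return dict(groups)


def report(lines):
    """Render the grouped summary as text, one found key per block."""
    out = []
    for (ifname, found), stored_keys in summarize(lines).items():
        _, f_a0, f_a1, f_proto = found
        out.append(f"{ifname}: found key {f_a0} <-> {f_a1} {proto_name(f_proto)} "
                   f"collided with {len(stored_keys)} stored key(s):")
        for _, s_a0, s_a1, s_proto in stored_keys:
            out.append(f"    {s_a0} -> {s_a1} {proto_name(s_proto)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real /var/log/messages the grouping shows at a glance whether every mismatch points at the same tunnel endpoint pair (as both lines in the post do) or whether several found keys are involved, which is the first thing worth knowing before comparing against the pfctl -ss output.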