I have found out from the application log file that the mentioned
connections were reset (there is Connection reset in the log file). I
don't know if the connection was reset because of the BAD state debug
message or it was the other way round. But because more than those 2
connections were reset in that time (we use 10 connections to the
dest_ip, all were reset), I guess the BAD state debug message appeared
because the connection was reset.

Can it be somehow connected to the lowered values of tcp.finwait and
tcp.closed to 20 sec? Like that we are receiving some packets from the
connection even after the timeout?

I have the following in pf.conf:

set timeout tcp.finwait 20
set timeout tcp.closed  20

Marian

On 2008-11-12 09:02 +0100, Marian Cerny wrote:
> Hi,
> 
> I have quite a lot of "BAD state" and "loose state match" debug messages
> on my FreeBSD 6.2 servers and I would like to understand them to know if
> something needs to be fixed or if they can be ignored.
> 
> I had a problem with "BAD state" before, with outgoing TCP connections
> that were reusing src port numbers too quickly. It appeared to be a bug
> of FreeBSD port randomization for outgoing connections, so I have
> disabled it with the following sysctls:
> 
> net.inet.ip.portrange.first=32768
> net.inet.ip.portrange.hifirst=32768
> net.inet.ip.portrange.randomized=0
> 
> However I am still getting debug messages with BAD state or loose state
> match. Could anybody have a look at some of them and help me explain
> what they mean?
> 
> The first two are from a server that does not have many connections and
> hasn't any servers listening (except ssh). Those are the only two debug
> messages received within one day:
> 
> pf: BAD state: TCP server_ip:52936 server_ip:52936 dest_ip:30535 
> [lo=131245561 high=131251449 win=65535 modulator=0 wscale=1] [lo=621066643 
> high=621197713 win=46 modulator=0 wscale=7] 4:4 RA seq=621066643 
> ack=131245561 len=0 ackskew=0 pkts=55:25 dir=in,rev
> pf: State failure on:         |    
> pf: BAD state: TCP server_ip:52935 server_ip:52935 dest_ip:30535 
> [lo=1417751526 high=1417757414 win=65535 modulator=0 wscale=1] [lo=623184141 
> high=623315211 win=46 modulator=0 wscale=7] 4:4 RA seq=623184141 
> ack=1417751526 len=0 ackskew=0 pkts=55:25 dir=in,rev
> pf: State failure on:         |    
> 
> So what I understand is that the debug message is related to a
> connection from server_ip:52936 to dest_ip:30535 and the other one is
> from another connection. But what do the other fields mean? Was the packet
> just discarded or was the connection dropped (state removed)? And why
> does the "State failure on:" message appear to be missing some information?
> 
> Regards,
> 
> Marian
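
An added example, not part of the original messages: a Python parser for the "pf: BAD state" debug line quoted above, run on the first message with the mail line wrapping undone. The mapping of the `4:4` state numbers to BSD TCP state names, the meaning of the flag letters, and the optional `wscale` field are assumptions about pf's debug output, not something stated in the thread.

```python
import re

# Assumption: pf prints TCP states using the BSD tcp_fsm.h numbering (0..10).
TCP_STATES = ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "CLOSE_WAIT",
              "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT"]
# Assumption: one letter per TCP header flag.
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
              "A": "ACK", "U": "URG", "E": "ECE", "W": "CWR"}
# Per-peer tracking block; wscale is treated as optional (assumption).
PEER = r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)(?: wscale=(\d+))?\]"
LINE = re.compile(
    r"pf: BAD state: (?P<proto>\S+) (?P<hosts>.+?) " + PEER + " " + PEER +
    r" (?P<s1>\d+):(?P<s2>\d+)(?: (?P<flags>[A-Z]+))? seq=(?P<seq>\d+)"
    r" ack=(?P<ack>\d+) len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+)"
    r" pkts=(?P<p1>\d+):(?P<p2>\d+) dir=(?P<dir>\w+),(?P<rel>\w+)")

def _peer(values):
    keys = ("lo", "high", "win", "modulator", "wscale")
    return {k: (int(v) if v is not None else None) for k, v in zip(keys, values)}

def _state(num):
    n = int(num)
    return TCP_STATES[n] if n < len(TCP_STATES) else "other(%d)" % n

def parse_bad_state(line):
    # Return the fields of one "pf: BAD state" line as a dict, or None.
    m = LINE.search(line)
    if m is None:
        return None
    g = m.groups()  # groups 3-7 and 8-12 are the two peer blocks
    return {
        "proto": m["proto"], "hosts": m["hosts"].split(),
        "peers": [_peer(g[2:7]), _peer(g[7:12])],
        "states": [_state(m["s1"]), _state(m["s2"])],
        "flags": [FLAG_NAMES.get(c, c) for c in (m["flags"] or "")],
        "seq": int(m["seq"]), "ack": int(m["ack"]), "len": int(m["len"]),
        "ackskew": int(m["ackskew"]), "pkts": (int(m["p1"]), int(m["p2"])),
        "dir": (m["dir"], m["rel"]),
    }

# First debug message from the post, with the mail line wrapping undone.
SAMPLE = ("pf: BAD state: TCP server_ip:52936 server_ip:52936 dest_ip:30535 "
          "[lo=131245561 high=131251449 win=65535 modulator=0 wscale=1] "
          "[lo=621066643 high=621197713 win=46 modulator=0 wscale=7] 4:4 RA "
          "seq=621066643 ack=131245561 len=0 ackskew=0 pkts=55:25 dir=in,rev")

if __name__ == "__main__":
    for key, value in parse_bad_state(SAMPLE).items():
        print(key, "=", value)
```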
