Gateway is an OpenBSD 3.3-release, with a 3.3-stable kernel built
from recent OPENBSD_3_3 source.
Gateway handles NAT to the egress and also rdr for transparent
proxying. Rough idea of network:
     192.168.2.0/24                     Public, Routable IP
( customers ) --- $cus [ borogove ] $col --- [ squid ]
                            | $ext
                            |
                      ( internet )
Pf ruleset includes this:
-----
no rdr on $col from $squid to any
no nat on $col from $squid to any
no nat on $col from ($col) to any
rdr-anchor proxy_www proto tcp from any to any port www
( rdr on $cus inet proto tcp from any to any port www -> $squid port $squidport )
nat on $col inet proto tcp from any to $squid -> ($col)
nat on $ext from <nattable> to any -> $natAddr
-----
Some customers are having trouble with:
a. Some natted TCP connections to the external hosts
b. Some rdr'd (and natted) connections that are hijacked through squid.
Symptoms are timeouts (customer experience is: 'have to click more
than once to load a page', broken images), and the gateway appears to
'eat' some SYN packets (they come in $cus but don't leave on $ext or
$col).
Enabling misc debugging in pf shows these errors always accompanying
the failure condition:
-----
/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845
high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196
win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0
pkts=24 dir=in,fwd
/bsd: pf: State failure on: 1 | 5
/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845
high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196
win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0
pkts=25 dir=in,fwd
/bsd: pf: State failure on: 1 | 5
/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845
high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196
win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0
pkts=26 dir=in,fwd
/bsd: pf: State failure on: 1 | 5
-----
Not sure where to go from here, hoping someone has some insight. I
can provide more details to anyone who'd like them.
Thanks
matthew
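A small checker, added here and not part of the original post, that parses the pf "BAD state" lines quoted above and tests the packet's sequence numbers against the two windows pf printed, the way pf's own sequence tracker does. The regexes and field names are assumptions about the 3.3 debug format, taken from the lines as shown; the sample line is the first one from the post.

```python
import re

# Constructed sample: the first pf "BAD state" line quoted in the post, with the
# <server>/<customer> placeholders kept exactly as the poster wrote them.
SAMPLE = (
    "/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 "
    "[lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] "
    "[lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] "
    "10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd"
)

# Assumed layout of the debug line: two [lo/high/win/...] windows, then state pair,
# TCP flags and the offending packet's seq/ack/len/ackskew/pkts/dir fields.
WIN_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale=(\d+)\]")
TAIL_RE = re.compile(r"\] (\d+):(\d+) (\S+) seq=(\d+) ack=(\d+) len=(\d+) "
                     r"ackskew=(-?\d+) pkts=(\d+) dir=(\S+)")

def in_window(x, lo, high):
    """True when lo <= x <= high in 32-bit sequence space (the kernel's SEQ_LEQ view)."""
    def seq_leq(a, b):
        return ((b - a) & 0xFFFFFFFF) < 0x80000000
    return seq_leq(lo, x) and seq_leq(x, high)

def parse_bad_state(line):
    """Split one 'BAD state' line into the two tracked windows and the packet."""
    wins = WIN_RE.findall(line)
    tail = TAIL_RE.search(line)
    if len(wins) != 2 or tail is None:
        raise ValueError("not a pf 'BAD state' TCP line")
    keys = ("lo", "high", "win", "modulator", "wscale")
    src, dst = (dict(zip(keys, map(int, w))) for w in wins)
    return {"src": src, "dst": dst,
            "states": (int(tail.group(1)), int(tail.group(2))),
            "flags": tail.group(3), "seq": int(tail.group(4)),
            "ack": int(tail.group(5)), "len": int(tail.group(6)),
            "pkts": int(tail.group(8)), "dir": tail.group(9)}

def diagnose(line):
    """Check the packet against both tracked windows, as pf's sequence tracker does."""
    p = parse_bad_state(line)
    end = p["seq"] + p["len"]          # pf compares the segment's end against seqhi
    if "S" in p["flags"]:
        end += 1                       # a SYN occupies one sequence number
    return {
        "end_in_src_window": in_window(end, p["src"]["lo"], p["src"]["high"]),
        "end_in_dst_window": in_window(end, p["dst"]["lo"], p["dst"]["high"]),
        "ack_in_dst_window": in_window(p["ack"], p["dst"]["lo"], p["dst"]["high"]),
        # a bare SYN on a state that has already passed packets is a fresh handshake
        # colliding with an existing state entry for the same address/port pair
        "syn_on_used_state": p["flags"] == "S" and p["pkts"] > 0,
        "states": p["states"],         # src:dst TCP state numbers as pf printed them
    }
```

For the quoted line the SYN's sequence number sits outside both windows pf was tracking while its ack matches the tracked window exactly, so the check points at a new connection reusing the 4-tuple of a state that is still in the table.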