> Symptoms are timeouts (customer experience is: 'have to click more than once to load a page', broken images), and the gateway appears to 'eat' some SYN packets (they come in $cus but don't leave on $ext or $col).
>
> /bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 [lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] [lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] 10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd
> /bsd: pf: State failure on: 1 | 5
Note that the sequence number on that packet is 46 million off (compare the seq=%u value to lo=%u and high=%u). Both sides of the connection are in state 10 (which is TCPS_TIME_WAIT). This means that the <customer> has already made a connection to <server>:443 from source port 62548 and PF hasn't expired that state yet.

There are two options. Figure out why they are reusing the source port without waiting 2*msl and fix it. Or reduce the tcp.closed timeout.

Changing the tcp.closed timeout would probably be your best bet for the typical customer. pf.conf:

set timeout tcp.closed <smaller number like 10>

.mike
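The check Mike describes by hand (read the `src:dst` state pair, then compare `seq=` against the `lo=`/`high=` windows) can be automated over syslog output. The following parser is an added example for this thread, not code from the original post or from PF itself. It assumes the state numbering from the BSD `tcp_fsm.h` header (10 = TIME_WAIT, as the reply says), treats the two bracketed windows in the order pf prints them without asserting which side each belongs to, and uses a sample line constructed from the quoted log. Sequence arithmetic is done modulo 2^32 so a window that wraps around zero is handled correctly.

```python
import re
from typing import Optional

# TCP connection states as numbered in the BSD tcp_fsm.h header; the pf
# "BAD state" line prints the pair as <src state>:<dst state>.
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
    4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
    8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT",
}

# One "[lo=.. high=.. win=.. modulator=.. wscale=..]" bracket, numbered so
# both peers' windows can be captured from the same line.
_WIN = (r"\[lo=(?P<lo{n}>\d+) high=(?P<hi{n}>\d+) win=(?P<win{n}>\d+) "
        r"modulator=(?P<mod{n}>\d+) wscale=(?P<ws{n}>\d+)\]")

LINE_RE = re.compile(
    r"pf: BAD state: TCP (?P<k0>\S+) (?P<k1>\S+) (?P<k2>\S+) "
    + _WIN.format(n=1) + " " + _WIN.format(n=2) + " "
    + r"(?P<st1>\d+):(?P<st2>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) "
    + r"len=(?P<len>\d+) ackskew=(?P<skew>-?\d+) pkts=(?P<pkts>\d+) dir=(?P<dir>\S+)"
)

# Sample syslog lines, constructed from the log quoted in the thread.
SAMPLE_LINES = [
    "/bsd: pf: BAD state: TCP <server>:443 <server>:443 <customer>:62548 "
    "[lo=3224209845 high=3224216911 win=14480 modulator=0 wscale=0] "
    "[lo=2830441716 high=2830456196 win=7090 modulator=0 wscale=0] "
    "10:10 S seq=3270666386 ack=2830441716 len=0 ackskew=0 pkts=24 dir=in,fwd",
    "/bsd: pf: State failure on: 1 | 5",
]


def seq_offset(seq: int, lo: int, hi: int) -> int:
    """Signed distance of seq from the 32-bit window [lo, hi]; 0 when inside.

    Positive means the sequence number lies past the top of the window,
    negative means it lies below the bottom. All arithmetic wraps mod 2^32.
    """
    m = 1 << 32
    if (seq - lo) % m <= (hi - lo) % m:
        return 0
    above = (seq - hi) % m
    below = (lo - seq) % m
    return above if above <= below else -below


def analyze(line: str) -> Optional[dict]:
    """Decode one 'pf: BAD state: TCP' line; return None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    seq = int(g["seq"])
    windows = [(int(g["lo1"]), int(g["hi1"])), (int(g["lo2"]), int(g["hi2"]))]
    states = tuple(TCP_STATES.get(int(g[k]), f"UNKNOWN({g[k]})")
                   for k in ("st1", "st2"))
    return {
        "keys": (g["k0"], g["k1"], g["k2"]),
        "states": states,
        # Both peers still in TIME_WAIT plus a fresh SYN is the port-reuse
        # pattern the reply describes.
        "both_time_wait": states == ("TIME_WAIT", "TIME_WAIT"),
        "flags": g["flags"],
        "seq": seq,
        "windows": windows,
        "offsets": tuple(seq_offset(seq, lo, hi) for lo, hi in windows),
        "dir": g["dir"],
    }


def summarize(lines) -> list:
    """Human-readable one-liners for every BAD state line in the input."""
    out = []
    for line in lines:
        r = analyze(line)
        if r is None:
            continue
        out.append(
            f"{r['keys'][2]} -> {r['keys'][0]} states={r['states'][0]}:{r['states'][1]} "
            f"flags={r['flags']} seq off by {r['offsets'][0]:+d}/{r['offsets'][1]:+d} "
            f"{'(TIME_WAIT port reuse)' if r['both_time_wait'] else ''}".rstrip()
        )
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

Run against the quoted line, it reports both peers in TIME_WAIT and a seq that sits about 46.4 million past the top of the first printed window, which is the evidence the reply points at before suggesting the `set timeout tcp.closed` change.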
