We have a web server behind NAT; the router runs OpenBSD (version
unimportant for this question), and remote HTTP client connections
stall irrecoverably with bad state errors from 'pf'.  I posted
a very detailed report of this issue months ago, with links to
debugging logs, rulesets and packet dumps, and I have received no
replies.

Web server: 10.0.0.202
OpenBSD router internal IP: 10.0.0.100
OpenBSD router public IP: 216.251.177.106
Remote client host IP: 173.11.57.241

For the moment, I would appreciate an explanation of the error
message below, in the context that it occurs:

Aug 19 21:38:57 nat1 /bsd: pf: BAD state: TCP 10.0.0.202:80 216.251.177.106:80 173.11.57.241:52070 [lo=1500434706 high=1500444842 win=5840 modulator=0] [lo=3893295577 high=3893295828 win=10136 modulator=0] 4:4 PA seq=3893295577 ack=1500434706 len=1448 ackskew=0 pkts=15 dir=out,rev

Here is a fragment of the packet dump on the internal interface, beginning
with the last passed packet before the 'bad state' and ending with the
'bad state' packet:

21:38:55.161593 IP (tos 0x0, ttl 255, id 48774, offset 0, flags [DF], proto TCP (6), length 1500)
    ipx1.cybertheque.net.www > waste.org.52070: Flags [.], seq 3893294129:3893295577, ack 1500434706, win 10136, options [nop,nop,TS val 456194478 ecr 552342707], length 1448

21:38:55.162808 IP (tos 0x0, ttl 255, id 48775, offset 0, flags [DF], proto TCP (6), length 1500)
    ipx1.cybertheque.net.www > waste.org.52070: Flags [P.], seq 3893295577:3893297025, ack 1500434706, win 10136, options [nop,nop,TS val 456194478 ecr 552342707], length 1448

Here is a fragment of the packet dump on the external interface, showing the
last passed packet before the 'bad state' (id 48775 isn't passed of course):

21:38:55.163134 IP (tos 0x0, ttl 254, id 48774, offset 0, flags [none], proto TCP (6), length 1500)
    domesys.cybertheque.org.www > waste.org.52070: Flags [.], seq 3893294129:3893295577, ack 1500434706, win 10136, options [nop,nop,TS val 456194478 ecr 552342707], length 1448

What is wrong here? Is the TS val an issue (duplicated)? I don't see 'bad state'
errors on other packets with duplicate timestamps. This only happens on PUSH
packets; what is the significance of that?

Thanks much,
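As an added, defender-side example (not part of the original post), the Python below parses a pf 'BAD state' line such as the one quoted above and recomputes the sequence-window checks pf applies before logging it. It assumes the pf_print_state layout: the two bracketed groups are the state's src and dst sides, and "rev" marks a packet travelling against the state's direction, so that packet's sender is the state's dst side.

```python
import re

# Constructed sample input: the pf "BAD state" line quoted in the post, syslog prefix stripped.
SAMPLE = ("pf: BAD state: TCP 10.0.0.202:80 216.251.177.106:80 173.11.57.241:52070 "
          "[lo=1500434706 high=1500444842 win=5840 modulator=0] "
          "[lo=3893295577 high=3893295828 win=10136 modulator=0] "
          "4:4 PA seq=3893295577 ack=1500434706 len=1448 ackskew=0 pkts=15 dir=out,rev")

SIDE_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+(?: wscale=(\d+))?\]")
TAIL_RE = re.compile(r"seq=(\d+) ack=(\d+) len=(\d+) ackskew=(-?\d+) .*?dir=(in|out),(fwd|rev)")
MAXACKWINDOW = 0xFFFF + 1500  # pf's tolerance for an ack that is behind or ahead of expectation


def seq_gt(a, b):
    """TCP modular comparison: True if a is ahead of b in 32-bit sequence space."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def parse_bad_state(line):
    sides = SIDE_RE.findall(line)
    tail = TAIL_RE.search(line)
    if len(sides) != 2 or tail is None:
        raise ValueError("not a pf BAD state line")
    # Assumed pf_print_state order: first group is the state's src side, second its dst side.
    st_src, st_dst = [{"lo": int(s[0]), "high": int(s[1]), "win": int(s[2]),
                       "wscale": int(s[3]) if s[3] else 0} for s in sides]
    seq, ack, length, ackskew = (int(x) for x in tail.groups()[:4])
    direction, rel = tail.groups()[4:]
    # "rev": the packet runs against the state's direction, so its sender is the state's dst.
    sender, receiver = (st_dst, st_src) if rel == "rev" else (st_src, st_dst)
    end = (seq + length) & 0xFFFFFFFF  # sequence number just past the last octet
    findings = []
    # pf requires the last octet to lie inside the window the receiver last advertised;
    # sender["high"] is that bound (receiver's last ack plus its window, as pf tracked it).
    overrun = (end - sender["high"]) & 0xFFFFFFFF if seq_gt(end, sender["high"]) else 0
    if overrun:
        findings.append(f"segment ends {overrun} bytes past the receiver's tracked window")
    # A retransmission may reach back at most one receiver window before sender["lo"].
    floor = (sender["lo"] - (receiver["win"] << receiver["wscale"])) & 0xFFFFFFFF
    if seq_gt(floor, seq):
        findings.append("segment starts more than one window behind the expected sequence")
    if abs(ackskew) > MAXACKWINDOW:
        findings.append(f"ackskew {ackskew} exceeds MAXACKWINDOW")
    return {"direction": direction, "relative": rel, "sender": sender, "receiver": receiver,
            "seq": seq, "end": end, "ack": ack, "ack_matches_receiver_lo": ack == receiver["lo"],
            "window_overrun": overrun, "findings": findings}


if __name__ == "__main__":
    for f in parse_bad_state(SAMPLE)["findings"]:
        print(f)
```

For the quoted line the only failing check is the window bound: the 1448-byte PUSH segment ends 1197 bytes past the receiver window pf is tracking (win=5840 with no wscale recorded), while the preceding segment still fitted.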
