Hello, I have two machines running OpenBSD 4.1 which are acting as firewalls and I have pfsync set up between the two. One of my machines had a power loss and when we turned it back on we got a lot of pf errors claiming bad state and whatnot.

Here are the messages from the first machine, which didn't have a power loss:

pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
arp info overwritten for 192.168.10.30 by 00:0e:0c:4e:98:49 on bge1
pf: BAD state: TCP 192.168.10.2:45426 192.168.10.2:45426 192.168.10.40:80 [lo=4000259044 high=4000259046 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=2603308934 (2603308934) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd
pf: State failure on: 2 | 6
pf: BAD state: TCP 192.168.10.2:30196 192.168.10.2:30196 192.168.10.20:80 [lo=4011403077 high=4011408965 win=16384 modulator=0 wscale=0] [lo=2087131504 high=2087147888 win=46 modulator=0 wscale=7] 9:9 S seq=2689487490 (2689487490) ack=2087131504 len=0 ackskew=0 pkts=5:5 dir=out,fwd
pf: State failure on: 2 | 6
pf: BAD state: TCP 192.168.10.2:31750 192.168.10.2:31750 192.168.10.10:80 [lo=2288467466 high=2288467468 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3908591135 (3908591135) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd
pf: State failure on: 1 | 5
pf: BAD state: TCP 192.168.10.2:28186 192.168.10.2:28186 192.168.10.10:80 [lo=3798010498 high=3798010500 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3506580854 (3506580854) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd
pf: State failure on: 2 | 6
pf: BAD state: TCP 192.168.10.2:49031 192.168.10.2:49031 192.168.10.40:80 [lo=4161674212 high=4161674214 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3805884514 (3805884514) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd
pf: State failure on: 2 | 6

And here are the second machine's messages:

pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::1:ff4e:9848 gwy: ff02::1:ff4e:9848 ext: :0:0:0:0:0:0:0 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
arp: attempt to overwrite entry for 192.168.10.30 on fxp1 by 00:0e:0c:4e:98:49 on carp1
arp: attempt to overwrite entry for 192.168.10.30 on fxp1 by 00:0e:0c:4e:98:49 on carp1
arp info overwritten for 192.168.10.30 by 00:0e:0c:4e:98:49 on fxp1
pf: dropping packet with ip options
pf: dropping packet with ip options
pf: dropping packet with ip options
pf: dropping packet with ip options
pf: dropping packet with ip options
pf: dropping packet with ip options
pf: BAD state: TCP 192.168.10.3:43927 192.168.10.3:43927 192.168.10.30:80 [lo=4160576830 high=4160582718 win=16384 modulator=0 wscale=0] [lo=1799910885 high=1799927269 win=46 modulator=0 wscale=7] 9:9 S seq=2750310474 (2750310474) ack=1799910885 len=0 ackskew=0 pkts=5:5 dir=out,fwd
pf: State failure on: 2 | 6
pf: BAD state: TCP 192.168.10.3:34685 192.168.10.3:34685 192.168.10.30:80 [lo=3444997510 high=3445003398 win=16384 modulator=0 wscale=0] [lo=2612549088 high=2612565472 win=46 modulator=0 wscale=7] 9:9 S seq=3610146868 (3610146868) ack=2612549088 len=0 ackskew=0 pkts=5:5 dir=out,fwd
pf: State failure on: 1 | 5
pf: BAD state: TCP 192.168.10.3:31272 192.168.10.3:31272 192.168.10.40:80 [lo=3081009502 high=3081009504 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=2746162190 (2746162190) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd
pf: State failure on: 2 | 6

So my question is, could these messages be safely ignored, and also is there a way to clean up the state failures? I'm not sure what I should do when I get these state failures or how to fix the issue. Any suggestions would be appreciated.

Thanks,
- Jake
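
Added example, not part of the original post: a small Python triage script that sorts kernel messages like the ones above into categories and pulls the endpoints, TCP flags and packet counters out of each BAD state entry, so the affected connections can be compared across both firewalls. The sample lines are taken from the post; the function name triage, the category names, and the reading of the three endpoints as lan, gwy and ext (following the labels in the "state insert failed" lines) are assumptions.

```python
import re
from collections import Counter

# Sample input: a few messages taken from the post, one per line.
SAMPLE = """\
pf: state insert failed: tree_lan_ext lan: ff02::16 gwy: ff02::16 ext: fe80::20e:cff:fe4e:9848 (from sync)
pf: state insert failed: tree_lan_ext lan: ff02::2 gwy: ff02::2 ext: fe80::20e:cff:fe4e:9848 (from sync)
arp info overwritten for 192.168.10.30 by 00:0e:0c:4e:98:49 on bge1
pf: BAD state: TCP 192.168.10.2:45426 192.168.10.2:45426 192.168.10.40:80 [lo=4000259044 high=4000259046 win=16384 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=2603308934 (2603308934) ack=0 len=0 ackskew=0 pkts=1:0 dir=out,fwd
pf: State failure on: 2 | 6
pf: BAD state: TCP 192.168.10.2:30196 192.168.10.2:30196 192.168.10.20:80 [lo=4011403077 high=4011408965 win=16384 modulator=0 wscale=0] [lo=2087131504 high=2087147888 win=46 modulator=0 wscale=7] 9:9 S seq=2689487490 (2689487490) ack=2087131504 len=0 ackskew=0 pkts=5:5 dir=out,fwd
pf: State failure on: 2 | 6
pf: dropping packet with ip options
"""

# Assumption: endpoint order in "BAD state" is lan, gwy, ext, as labelled
# in the "state insert failed" messages.
BAD = re.compile(
    r"pf: BAD state: (?P<proto>\S+) (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r".*?\] (?P<states>\d+:\d+) (?P<flags>[A-Z]+) seq=(?P<seq>\d+)"
    r".*?pkts=(?P<pkts>\d+:\d+) dir=(?P<dir>\S+)")
SYNC = re.compile(r"pf: state insert failed: \S+ lan: (?P<lan>\S+) "
                  r"gwy: (?P<gwy>\S+) ext: (?P<ext>\S+)")
ARP = re.compile(r"arp info overwritten for (?P<ip>\S+) by (?P<mac>\S+)")

def triage(text):
    """Count message categories and collect parsed BAD state entries."""
    kinds, bad, sync_lan = Counter(), [], Counter()
    for line in text.splitlines():
        if m := BAD.search(line):
            kinds["bad_state"] += 1
            entry = m.groupdict()
            # Flag entries whose second pkts= counter is zero.
            entry["second_counter_zero"] = entry["pkts"].endswith(":0")
            bad.append(entry)
        elif m := SYNC.search(line):
            kinds["sync_insert_failed"] += 1
            sync_lan[m["lan"]] += 1
        elif ARP.search(line):
            kinds["arp_overwritten"] += 1
        elif line.startswith("pf: State failure on:"):
            kinds["state_failure"] += 1
        elif line.strip():
            kinds["other"] += 1
    return kinds, bad, sync_lan

if __name__ == "__main__":
    kinds, bad, sync_lan = triage(SAMPLE)
    print(dict(kinds), dict(sync_lan))
    for e in bad:
        print(e["lan"], "->", e["ext"], e["flags"], e["states"], e["pkts"])
```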