'Bad State' error analysis
Michael Grigoni  
Newsgroups: bit.listserv.openbsd-pf
From: michael.grig...@cybertheque.org (Michael Grigoni)
Date: 20 Aug 2009 11:20:40 -0700
Local: Fri, Aug 21 2009 4:20 am
Subject: 'Bad State' error analysis
We have a web server behind NAT; the router runs OpenBSD (version
unimportant for this question), and remote  http client connections
stall irrecoverably with bad state errors from 'pf'.  I have posted
a very detailed report of this issue months ago, with links to
debugging logs, rulesets and packet dumps and I have received no
replies.

Web server: 10.0.0.202
OpenBSD router internal IP: 10.0.0.100
OpenBSD router public IP: 216.251.177.106
Remote client host IP: 173.11.57.241

For the moment, I would appreciate an explanation of the error
message below, in the context that it occurs:

Aug 19 21:38:57 nat1 /bsd: pf: BAD state: TCP 10.0.0.202:80 216.251.177.106:80 173.11.57.241:52070 [lo=1500434706 high=1500444842
win=5840 modulator=0] [lo=3893295577 high=3893295828 win=10136 modulator=0] 4:4 PA seq=3893295577 ack=1500434706 len=1448 ackskew=0
pkts=15 dir=out,rev

Here is a fragment of the packet dump on the internal interface, beginning
with the last passed packet before the 'bad state' and ending with the
'bad state' packet:

21:38:55.161593 IP (tos 0x0, ttl 255, id 48774, offset 0, flags [DF], proto TCP (6), length 1500)
     ipx1.cybertheque.net.www > waste.org.52070: Flags [.], seq 3893294129:3893295577, ack 1500434706, win 10136, options
[nop,nop,TS val 456194478 ecr 552342707], length 1448

21:38:55.162808 IP (tos 0x0, ttl 255, id 48775, offset 0, flags [DF], proto TCP (6), length 1500)
     ipx1.cybertheque.net.www > waste.org.52070: Flags [P.], seq 3893295577:3893297025, ack 1500434706, win 10136, options
[nop,nop,TS val 456194478 ecr 552342707], length 1448

Here is a fragment of the packet dump on the external interface, showing the
last passed packet before the 'bad state' (id 48775 isn't passed of course):

21:38:55.163134 IP (tos 0x0, ttl 254, id 48774, offset 0, flags [none], proto TCP (6), length 1500)
     domesys.cybertheque.org.www > waste.org.52070: Flags [.], seq 3893294129:3893295577, ack 1500434706, win 10136, options
[nop,nop,TS val 456194478 ecr 552342707], length 1448

What is wrong here? Is the TS val an issue (duplicated)? I don't see 'bad state'
errors on other packets with duplicate timestamps. This only happens on PUSH
packets, what is the significance of that?

Thanks much,


Michael Grigoni  
Newsgroups: bit.listserv.openbsd-pf
From: michael.grig...@cybertheque.org (Michael Grigoni)
Date: 24 Aug 2009 04:18:49 -0700
Local: Mon, Aug 24 2009 9:18 pm
Subject: Re: 'Bad State' error analysis
Michael Grigoni wrote:

 > Michael Grigoni wrote:
 >> Michael Grigoni wrote:
 >>> We have a web server behind NAT; the router runs OpenBSD (version
 >>> unimportant for this question), and remote  http client connections
 >>> stall irrecoverably with bad state errors from 'pf'.
 >>
 >> Finally discovered a site that has the Hartmeier article mentioned
 >> in old mailing list posts, that documents the fields in the 'bad
 >> state' syslog messages:
 >>
 >> http://wiki.gcu.info/doku.php?id=bsd:pf_poilu
 >>
 >> My error messages show an error of type '1', packet sequence number
 >> is greater than 'hi' + window.

<snip>

 > I will conclude that the strange 'hi' value
 > reported in the diagnostic message is due to lack of wscale support
 > in my version of pf

<snip>

I have patched my 'pf' source files to add TCP window scaling support
and initial tests from the problematic Linux host clients show no
more stalling. Patch is available for kernel 3.2 (no flames please,
this kernel is specially purposed for us; at some point with different
hardware, we will run a newer kernel).

Michael
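
The arithmetic behind the 'BAD state' line quoted in the first post, as an added example that is not part of the original posts or of pf itself: it parses the logged line and checks whether the segment's last byte fits under the sender's 'high' value, using 32-bit sequence arithmetic. Assumptions: the sender's bracket is taken to be the one whose 'lo' matches the packet's seq, 'high - lo' is treated as the unscaled window the peer advertised, and the `wscale` shift values are hypothetical because the thread does not state the client's scale factor.

```python
import re

# The 'BAD state' line from the first post, rejoined onto one line.
LOG = ("Aug 19 21:38:57 nat1 /bsd: pf: BAD state: TCP 10.0.0.202:80 "
       "216.251.177.106:80 173.11.57.241:52070 "
       "[lo=1500434706 high=1500444842 win=5840 modulator=0] "
       "[lo=3893295577 high=3893295828 win=10136 modulator=0] "
       "4:4 PA seq=3893295577 ack=1500434706 len=1448 ackskew=0 "
       "pkts=15 dir=out,rev")

PEER = re.compile(r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)\]")
PKT = re.compile(r"seq=(\d+) ack=(\d+) len=(\d+)")
MASK = 0xFFFFFFFF


def seq_diff(a, b):
    """Signed distance a - b in 32-bit TCP sequence space."""
    d = (a - b) & MASK
    return d - (1 << 32) if d & 0x80000000 else d


def parse(line):
    """Return the two per-peer brackets and the offending packet's fields."""
    peers = [dict(zip(("lo", "high", "win", "mod"), map(int, m.groups())))
             for m in PEER.finditer(line)]
    m = PKT.search(line)
    if len(peers) != 2 or m is None:
        raise ValueError("not a pf BAD state line")
    seq, ack, length = map(int, m.groups())
    return peers, {"seq": seq, "ack": ack, "len": length}


def analyse(line, wscale=0):
    """Check the segment end against 'high', optionally scaling the window."""
    peers, pkt = parse(line)
    # Assumption: the sender's bracket is the one whose lo is nearest to seq.
    sender = min(peers, key=lambda p: abs(seq_diff(pkt["seq"], p["lo"])))
    end = (pkt["seq"] + pkt["len"]) & MASK
    # Assumption: high - lo is the peer's advertised window, unscaled.
    room = seq_diff(sender["high"], sender["lo"])
    limit = (sender["lo"] + (room << wscale)) & MASK
    over = seq_diff(end, limit)
    return {"end": end, "room": room, "overshoot": over, "fits": over <= 0}
```

With `wscale=0` the result reproduces the condition in the log: the 1448-byte segment ends past 'high', which leaves only 251 bytes of room, and the computed end matches the upper sequence number in the internal-interface packet dump.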


Stuart Henderson  
Newsgroups: bit.listserv.openbsd-pf
From: s...@spacehopper.org (Stuart Henderson)
Date: 24 Aug 2009 05:54:36 -0700
Local: Mon, Aug 24 2009 10:54 pm
Subject: Re: 'Bad State' error analysis
On 2009/08/24 01:04, Michael Grigoni wrote:

So indeed the version *is* important for this question.

If you had mentioned it, maybe somebody would have suggested this
as a possible cause.

