Thanks for the response, Jim. Is there a way I can adjust how long an
entry stays in the state table? I went back to 3.4.32 from 4.1.7 because
of issues with OOW packets being blocked and causing all kinds of issues
with our site. I'm using a network load balancer in front, so now I'm
wondering if that may have anything to do with my previous OOW problem.
In any case, the problem at hand now is the state table timeout.

Duane 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 27, 2006 10:37 AM
To: Barb, Duane
Cc: [email protected]
Subject: Re: Dropped Packets - Help please!

Barb, Duane wrote:
> I'm getting dropped packets:
>  
> [ID 702911 local0.warning] 08:45:14.146313 bge0 @0:2 b x.x.x.x,30404 -> x.x.x.x,443 PR tcp len 20 40 -AR IN

duane,

this is a blocked packet, not a dropped packet.
it is arriving at your external interface and being blocked.
note, the line above indicates that the ACK+RST flags are set.

my best guess is that this tuple was once in the state table, but the
connection is already torn down, (i.e., ipf's state table has deleted
the entry), and this packet is thus bouncing off of the firewall and
being logged as a blocked packet.

in other words, it is a packet not associated with a current state
entry, and also not one that initiates a state entry by the following
rule (since the flags don't match up):

 > pass in quick on bge0 proto tcp from any to x.y.z.122/32 port = 443 flags S keep state keep frags

and therefore it is blocked.

seeing the above log entry, assuming you are not having other issues, is
no cause for alarm.  more than likely it is due to the interaction of
the web server/client connection keepalive mechanisms and ipf's state
table expiry times.

jim
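The distinction jim draws above (a blocked ACK+RST that matches no state entry, versus a new connection the rules genuinely refused) is easy to check in bulk over an ipmon log. The following is an added example, not code from the ipfilter project or from either poster. It parses lines in the layout of the log entry quoted in this thread and separates blocked TCP packets that carry a bare SYN (a connection attempt no pass rule accepted) from blocked packets carrying ACK/RST/FIN without SYN (the tail of a connection whose state entry has already expired, which is what jim describes). The exact field layout, the flag letters, the handling of the `[ID ... local0.warning]` syslog prefix, and the sample lines (RFC 5737 documentation addresses) are assumptions constructed for the example.

```python
"""Split ipmon-style ipf log lines into blocked SYNs vs. stale ACK/RST/FIN tails.

Added example, not ipfilter project code. Assumed ipmon(8) line layout:
  [syslog prefix] <time> <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport>
      PR <proto> len <hlen> <tlen> [-<flags>] IN|OUT
with <action> 'b' (blocked) or 'p' (passed) and flag letters S A F R P U.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not real traffic); addresses from RFC 5737.
SAMPLE_LOG = """\
[ID 702911 local0.warning] 08:45:14.146313 bge0 @0:2 b 203.0.113.5,30404 -> 198.51.100.122,443 PR tcp len 20 40 -AR IN
08:45:14.201010 bge0 @0:2 b 203.0.113.5,30405 -> 198.51.100.122,443 PR tcp len 20 40 -A IN
08:45:15.000001 bge0 @0:7 b 203.0.113.9,40001 -> 198.51.100.122,22 PR tcp len 20 60 -S IN
08:45:15.100002 bge0 @0:1 p 203.0.113.7,51000 -> 198.51.100.122,443 PR tcp len 20 60 -S IN
08:45:16.300003 bge0 @0:2 b 203.0.113.5,30404 -> 198.51.100.122,443 PR tcp len 20 40 -AF IN
08:45:17.000004 bge0 @0:9 b 203.0.113.11,53 -> 198.51.100.122,53 PR udp len 20 60 IN
"""

LINE_RE = re.compile(
    r"""
    (?:\[ID\s+\d+\s+\S+\]\s+)?                 # optional "[ID 702911 local0.warning]" prefix
    (?P<time>\d\d:\d\d:\d\d\.\d+)\s+
    (?P<iface>\S+)\s+
    @(?P<group>\d+):(?P<rule>\d+)\s+           # rule that matched (@group:rule)
    (?P<action>\S)\s+                          # b = blocked, p = passed
    (?P<src>[0-9A-Fa-f.:]+),(?P<sport>\d+)\s+->\s+
    (?P<dst>[0-9A-Fa-f.:]+),(?P<dport>\d+)\s+
    PR\s+(?P<proto>\S+)\s+
    len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)
    (?:\s+-(?P<flags>[A-Z]*))?                 # TCP flag letters; absent for udp/icmp
    \s+(?P<direction>IN|OUT)
    """,
    re.VERBOSE,
)


@dataclass
class IpfRecord:
    time: str
    iface: str
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str      # e.g. "AR" for ACK+RST, "" for non-TCP
    direction: str


def parse_line(line: str) -> Optional[IpfRecord]:
    """Return a record for one ipmon line, or None if it is not in the assumed layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return IpfRecord(
        time=m["time"], iface=m["iface"], action=m["action"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], flags=m["flags"] or "", direction=m["direction"],
    )


def parse_log(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def classify(rec: IpfRecord) -> str:
    """Bucket a record by what the block most likely means."""
    if rec.action != "b":
        return "passed"
    if rec.proto != "tcp":
        return "blocked-other"
    if "S" in rec.flags and "A" not in rec.flags:
        # Bare SYN: a new connection that no "flags S keep state" rule accepted.
        return "blocked-syn"
    # ACK/RST/FIN with no SYN and no state entry: the tail of a connection whose
    # state-table entry has already been deleted; usually harmless noise.
    return "blocked-stale"


def summarize(text: str) -> Counter:
    return Counter(classify(r) for r in parse_log(text))


def stale_by_port(text: str) -> Counter:
    """Which destination ports the stale blocks cluster on (expect state-kept services)."""
    return Counter(r.dport for r in parse_log(text) if classify(r) == "blocked-stale")


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(f"{rec.time} {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} "
              f"{rec.proto} -{rec.flags or '-'} {classify(rec)}")
    print(summarize(SAMPLE_LOG))
    print(stale_by_port(SAMPLE_LOG))
```

If nearly everything blocked lands in the stale bucket and clusters on the ports covered by `flags S keep state` rules (443 in the sample), that is consistent with state expiry rather than hostile traffic; the blocked bare SYNs are the entries worth looking at.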