OPNsense Forum
English Forums => General Discussion => Topic started by: GaardenZwerch on May 19, 2021, 11:50:52 am
Hi,
I have observed NAT not happening on a single connection several times today.
I have "Hybrid outbound NAT rule generation" enabled, but I notice that sometimes I have packets from a host that leave the WAN interface with their private IP as source address:
11:16:55.750589 IP 10.6.2.176.500 > 1.2.2.4.500: isakmp: parent_sa ikev2_init[I]
11:16:56.753706 IP 10.6.2.176.500 > 1.2.3.4.500: isakmp: parent_sa ikev2_init[I]
11:16:57.756176 IP 10.6.2.176.500 > 1.2.3.4.500: isakmp: parent_sa ikev2_init[I]
At the same time, this client accesses 'the rest' of the Internet just fine, so NAT is happening there.
When I go to the "States Dump" and kill this single state, all is fine and the client can connect.
I suspected maybe a full table, but that doesn't seem to be the case:
root@opnsense-master:~ # pfctl -si
Status: Enabled for 8 days 22:06:38           Debug: Urgent

State Table                          Total             Rate
  current entries                    34377
  searches                     37178953282        48234.4/s
  inserts                         73241737           95.0/s
  removals                        73207352           95.0/s
Counters
  match                           79776073          103.5/s
  bad-offset                             0            0.0/s
  fragment                            7501            0.0/s
  short                                  2            0.0/s
  normalize                            460            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                        1503550            2.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      6256            0.0/s
  state-insert                          11            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
root@bo-claurive-master:~ # pfctl -sm
states        hard limit   797000
src-nodes     hard limit   797000
frags         hard limit     5000
table-entries hard limit  1000000
root@opnsense-master:~ #
This is an HA cluster on OPNsense 21.1.5. At the moment I have only seen this happen for IKE packets.
Thanks for any hints,
Frank
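The two checks the post works through by hand (is the state table anywhere near its hard limit, and which WAN packets are leaving untranslated) can be scripted. The following is an added example, not code from the poster or from OPNsense: it parses the text of `pfctl -si` and `pfctl -sm` and scans tcpdump lines from the WAN interface for RFC 1918 source addresses. The sample output and capture lines are constructed from the numbers in the post (the public address 1.2.3.5 used as the translated source is an assumption), and all function names are the example's own.

```python
"""Checks for the pf diagnostics in the post (added example, not OPNsense code).

- parse_pfctl_si / parse_pfctl_sm turn the text of `pfctl -si` and `pfctl -sm`
  into dicts, so the live state count can be compared with the hard limit.
- untranslated_private_sources scans tcpdump lines captured on the WAN
  interface for packets whose source is still a private (RFC 1918) address,
  i.e. flows that left the firewall without being NATed.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of the `pfctl -si` output from the post.
SAMPLE_PFCTL_SI = """\
Status: Enabled for 8 days 22:06:38           Debug: Urgent

State Table                          Total             Rate
  current entries                    34377
  searches                     37178953282        48234.4/s
  inserts                         73241737           95.0/s
  removals                        73207352           95.0/s
Counters
  match                           79776073          103.5/s
  state-mismatch                      6256            0.0/s
  state-insert                          11            0.0/s
  state-limit                            0            0.0/s
"""

# Constructed sample: the `pfctl -sm` output from the post.
SAMPLE_PFCTL_SM = """\
states        hard limit   797000
src-nodes     hard limit   797000
frags         hard limit     5000
table-entries hard limit  1000000
"""

# Constructed sample: two WAN-side tcpdump lines. The first is the untranslated
# IKE packet from the post; the second is a normally NATed flow whose source is
# the (assumed) public WAN address 1.2.3.5.
SAMPLE_TCPDUMP = [
    "11:16:55.750589 IP 10.6.2.176.500 > 1.2.3.4.500: isakmp: parent_sa ikev2_init[I]",
    "11:16:56.100000 IP 1.2.3.5.51022 > 1.2.3.4.443: Flags [S], seq 1, win 65535",
]

# Counter lines are indented: "  name   total   [rate/s]"
COUNTER_RE = re.compile(r"^\s+([a-z-]+(?: [a-z]+)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")
LIMIT_RE = re.compile(r"^(\S+)\s+hard limit\s+(\d+)\s*$")
TCPDUMP_RE = re.compile(r"\bIP (\S+) > (\S+?):")


def parse_pfctl_si(text):
    """Return {counter name: total} for every counter line of `pfctl -si`."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def parse_pfctl_sm(text):
    """Return {resource: hard limit} from `pfctl -sm` output."""
    limits = {}
    for line in text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def state_table_utilization(counters, limits):
    """Fraction (0.0 .. 1.0) of the states hard limit currently in use."""
    return counters["current entries"] / limits["states"]


def strip_port(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; drop the trailing port."""
    host, _, _port = endpoint.rpartition(".")
    return host


def untranslated_private_sources(lines):
    """Return (src, dst) pairs for packets whose source is an RFC 1918 address.

    On a WAN capture every outbound packet should carry the firewall's public
    address, so a private source here marks a flow that bypassed outbound NAT.
    """
    leaks = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, dst = strip_port(m.group(1)), strip_port(m.group(2))
        try:
            if ipaddress.ip_address(src).is_private:
                leaks.append((src, dst))
        except ValueError:
            continue  # not an IPv4 literal (hostname or IPv6 form); skip it
    return leaks


if __name__ == "__main__":
    counters = parse_pfctl_si(SAMPLE_PFCTL_SI)
    limits = parse_pfctl_sm(SAMPLE_PFCTL_SM)
    util = state_table_utilization(counters, limits)
    print(f"state table: {counters['current entries']} / {limits['states']} ({util:.1%})")
    print(f"state-limit hits: {counters['state-limit']}, state-mismatch: {counters['state-mismatch']}")
    for src, dst in untranslated_private_sources(SAMPLE_TCPDUMP):
        print(f"untranslated private source on WAN: {src} -> {dst}")
```

On a live box the same functions can be fed `subprocess.check_output(["pfctl", "-si"])` and a `tcpdump -ni <wan> -l` pipe; the post's numbers give about 4.3% state table utilization and zero `state-limit` hits, which is why a full table is not the explanation there, while the private-source scan isolates exactly the flows whose state needs a closer look.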