General Discussion / OpnSense duplicating SYN flags
« on: August 02, 2023, 07:26:17 pm »
Hello guys,
I have two machines with OPNsense in an HA deployment. I'm trying to use Nginx as a load balancer and it's working, but sometimes OPNsense duplicates the SYN in the handshake, and my backend server resets the connection. Here is an example in tcpdump:
23:26:09.178700 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [S], seq 1904829910, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2807968157 ecr 0], length 0
23:26:09.178747 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [S.], seq 2909824559, ack 1904829911, win 28960, options [mss 1460,sackOK,TS val 2569237748 ecr 2807968157,nop,wscale 13], length 0
23:26:09.178829 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [S], seq 1904829910, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2807968157 ecr 0], length 0
23:26:09.178841 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [S.], seq 2909824559, ack 1904829911, win 28960, options [mss 1460,sackOK,TS val 2569237748 ecr 2807968157,nop,wscale 13], length 0
23:26:09.178881 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [.], ack 2974532724, win 65535, length 0
23:26:09.178896 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [R], seq 1589389987, win 0, length 0
23:26:09.178950 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [.], ack 2974532724, win 65535, length 0
23:26:09.178959 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [R], seq 1589389987, win 0, length 0
23:26:10.189605 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [S.], seq 2909824559, ack 1904829911, win 28960, options [mss 1460,sackOK,TS val 2569238759 ecr 2807968157,nop,wscale 13], length 0
23:26:12.237583 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [S.], seq 2909824559, ack 1904829911, win 28960, options [mss 1460,sackOK,TS val 2569240807 ecr 2807968157,nop,wscale 13], length 0
Does anyone know what happens in these cases? I've tried a lot of things, like disabling keepalive and increasing keepalive, with no success.
The server 10.50.0.25 is a VM in Proxmox. The server has a Linux bond using balance-alb with 4 interfaces in that bond interface. I left only one interface, and the duplication is gone, and communication works like a charm. Is there any change to support Linux bond interfaces, like balance-alb or balance-rr?
EDIT: To solve this problem, you need to set net.link.ether.inet.allow_multicast to 1 to support a bond with balance-rr or balance-alb from Linux.
Thanks
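Added example, not part of the original post: a small Python check that reads tcpdump text output like the capture above and reports segments repeated identically (same endpoints, flags, seq, ack and TS val) within a millisecond. In the capture, the SYN-ACK retransmissions at 23:26:10 and 23:26:12 come seconds later with a new TS val, so they are not reported. The names `find_repeats`, `_field`, `CAPTURE` and the 1000 µs window are assumptions chosen for this illustration.

```python
import re

# Capture lines copied from the tcpdump output in the post above.
CAPTURE = """\
23:26:09.178700 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [S], seq 1904829910, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2807968157 ecr 0], length 0
23:26:09.178747 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [S.], seq 2909824559, ack 1904829911, win 28960, options [mss 1460,sackOK,TS val 2569237748 ecr 2807968157,nop,wscale 13], length 0
23:26:09.178829 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [S], seq 1904829910, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2807968157 ecr 0], length 0
23:26:09.178841 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [S.], seq 2909824559, ack 1904829911, win 28960, options [mss 1460,sackOK,TS val 2569237748 ecr 2807968157,nop,wscale 13], length 0
23:26:09.178881 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [.], ack 2974532724, win 65535, length 0
23:26:09.178896 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [R], seq 1589389987, win 0, length 0
23:26:09.178950 IP 10.50.0.2.34561 > 10.50.0.25.80: Flags [.], ack 2974532724, win 65535, length 0
23:26:09.178959 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [R], seq 1589389987, win 0, length 0
23:26:10.189605 IP 10.50.0.25.80 > 10.50.0.2.34561: Flags [S.], seq 2909824559, ack 1904829911, win 28960, options [mss 1460,sackOK,TS val 2569238759 ecr 2807968157,nop,wscale 13], length 0
"""

LINE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d{6}) IP (\S+) > (\S+): Flags \[([^\]]+)\](.*)$")

def _field(name, rest):
    """Extract a numeric field such as 'seq', 'ack' or 'TS val', or None."""
    m = re.search(rf"\b{name} (\d+)", rest)
    return int(m.group(1)) if m else None

def find_repeats(text, window_us=1000):
    """Return (src, dst, flags, delta_us) for each segment that repeats an
    earlier identical one within window_us microseconds (assumed threshold)."""
    last_seen, repeats = {}, []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a tcpdump TCP line
        h, mi, s, frac, src, dst, flags, rest = m.groups()
        t_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(frac)
        key = (src, dst, flags, _field("seq", rest),
               _field("ack", rest), _field("TS val", rest))
        prev = last_seen.get(key)
        if prev is not None and t_us - prev <= window_us:
            repeats.append((src, dst, flags, t_us - prev))
        last_seen[key] = t_us
    return repeats

if __name__ == "__main__":
    for r in find_repeats(CAPTURE):
        print(r)
```

Run against a capture taken with only one bond member active, the function should return an empty list if the duplication is gone.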