[SOLVED] Weird network problems for one client after updating to 23.4.1

Started by Raketenmeyer, June 19, 2023, 04:22:35 PM

Hey,

We have weird network problems with OpenVPN on our firewall (a DEC3850) for a single employee after updating from 23.4 to 23.4.1.

The "Default deny / state violation rule" randomly blocks traffic from one of our OpenVPN-connected employees although the corresponding traffic is allowed by rule(s). At times the traffic from this employee is blocked altogether. All our clients are running Windows 10 with OpenVPN Connect 3.3.7, and this setup has been working for at least 1.5 years now.

In the live log it sometimes looks like allow/deny ping-pong; screenshots attached.

I'm a bit helpless at this point. What could be the reason that the traffic from a single employee is blocked while all others have normal access as expected? This employee has no (known) problems accessing other parts of the internet; websites etc. work normally.

I have the feeling that this problem has nothing to do with the update to 23.4.1, but it started right after the update, so I thought asking in the forum might be a good idea.

Has someone ever experienced such a problem?

What are the 'tcpflags' of the denied packets? If they are FA, FPA, RA, PA and the like, they are just out-of-state packets.

It looks like most packets (blocked and passed) have only the "DF" flag assigned. Looking at the firewall plain view, the length of the blocked packets varies a lot; I've seen lengths from 90 to 1028 (btw. what unit is this? bit?). And also a few blocked packets with a length of 0.

Btw. rule 11 (line start) is the "Default deny / state violation rule".

Yeah I see mostly PA and RA got blocked, those are out-of-state packets.
Unless those are SYN or SYN-ACK you can safely ignore them.
Google out-of-state packets.

Edit: Some explanations https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

Thank you for the explanation - got it now, I looked at the wrong part of the line(s). Since only one employee has these problems (home office), I assume some kind of internet problem like packet loss / a flaky connection or a bad WLAN connection on his side. Would you agree with that?

Yes, also devices waking up from sleep, phones flipping between mobile data and WLAN, etc.
Unless you are seeing a flood of these, they are just noise (part of connection teardowns); I wouldn't worry much.
You may want to play around with the firewall optimization setting for state timeouts and set it to the one you like (check the actual values with "pfctl -st").
Personally I use high-latency; I found the default a tad too short.
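The two replies above boil down to a triage rule: a blocked TCP segment that carries SYN (plain SYN or SYN-ACK) is a genuine connection attempt hitting the deny rule, while blocked segments with only PA, RA, FA, FPA or similar flags belong to connections pf no longer holds state for, and only a flood of them per source is worth chasing. The script below applies that rule over log lines and counts the noise per source. It is an added example, not code from this thread or from the OPNsense/pf projects; the comma-separated record layout and the sample lines are constructed for illustration and are not the firewall's real filterlog format, and rule number 11 is reused only as the stand-in for the "Default deny / state violation rule" mentioned above.

```python
"""Classify pf 'block' log entries as policy denials vs. out-of-state noise.

Added example. The record layout below is a constructed, simplified CSV
(rule number, action, protocol, src, dst, tcpflags) and is NOT the
firewall's real filterlog format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict

# Constructed sample lines (not from the thread's screenshots). Rule 11 stands
# in for the "Default deny / state violation rule"; 10.8.0.0/24 plays the
# OpenVPN client range.
SAMPLE_LOG = """\
11,block,tcp,10.8.0.23:51234,192.168.10.5:445,PA
11,block,tcp,10.8.0.23:51234,192.168.10.5:445,RA
11,block,tcp,10.8.0.23:51240,192.168.10.5:3389,FA
11,block,tcp,10.8.0.23:51240,192.168.10.5:3389,FPA
11,block,tcp,10.8.0.23:51244,192.168.10.5:445,A
5,pass,tcp,10.8.0.23:51250,192.168.10.5:445,S
11,block,tcp,10.8.0.23:51250,192.168.10.5:445,PA
11,block,tcp,10.8.0.41:60002,192.168.10.9:22,S
11,block,tcp,10.8.0.41:60003,192.168.10.9:22,S
11,block,udp,10.8.0.7:5353,224.0.0.251:5353,
"""


@dataclass(frozen=True)
class Entry:
    rule: int
    action: str
    proto: str
    src: str
    dst: str
    flags: frozenset  # pf flag letters: S, A, F, R, P, U, E, W


def parse_line(line: str) -> Entry:
    """Parse one constructed record; an empty flags field (UDP) becomes an empty set."""
    rule, action, proto, src, dst, flags = line.strip().split(",")
    return Entry(int(rule), action, proto, src, dst, frozenset(flags))


def classify(e: Entry) -> str:
    """Return one of: passed, policy_denied, out_of_state, non_tcp_block.

    A blocked TCP segment carrying SYN (a plain SYN or a SYN-ACK) is a real
    connection attempt that hit the deny rule. A blocked segment without SYN
    (PA, RA, FA, FPA, A, ...) belongs to a connection pf has no state for any
    more, e.g. after a state timeout or a flaky link: out-of-state noise.
    """
    if e.action == "pass":
        return "passed"
    if e.proto != "tcp":
        return "non_tcp_block"
    if "S" in e.flags:
        return "policy_denied"
    return "out_of_state"


def summarize(log_text: str, flood_threshold: int = 5) -> Dict:
    """Count categories per source IP and list sources whose out-of-state
    volume reaches flood_threshold (the 'flood' worth investigating)."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        src_ip = e.src.rsplit(":", 1)[0]  # IPv4 host:port only in this sample
        per_src[src_ip][classify(e)] += 1
    flooding = sorted(ip for ip, c in per_src.items()
                      if c["out_of_state"] >= flood_threshold)
    return {"per_source": {ip: dict(c) for ip, c in per_src.items()},
            "flooding_sources": flooding}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, counts in report["per_source"].items():
        print(ip, counts)
    print("sources flooding out-of-state blocks:", report["flooding_sources"])
```

Run against real exported log lines, only the parser needs to change; the classification stays the same. A source that shows up in `flooding_sources` while its SYNs are being passed is the pattern described in this thread: the policy is fine, the client's connection keeps losing state, so the next thing to check is the link on that client's side and, as suggested, the state timeouts that `pfctl -st` reports.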

The problem is so serious for this employee that he is not able to work from home anymore, and the logs are full of FA, RA and PA entries when he tries to. In the next step I'll try to find the root cause in his home office.

Thank you very much - I've learned a lot :)