Default deny / State violations

Started by ThyOnlySandman, September 04, 2025, 08:15:24 PM

Hi.

Can anyone shed some light on the Default deny / State violations rule to help me better understand it? The causes and the fix?
In the past, when traffic that should be flowing isn't, and is being logged as blocked by state violation, I just reboot.
But I'm curious about resolving it without a reboot.

For example
Yesterday my Spectrum home connection did an IP change on me for the first time in 5+ years.
I re-configured an IPsec VPN on both sides for the new IP, but traffic wasn't flowing despite the phase 2s being online.
Then I saw all VPN tunnel traffic being denied by the state violation rule.
Rebooted the remote OPNsense and the VPN began flowing again.

Would resetting the states table under Firewall --> Diag --> States --> Actions have fixed the issue?


This has been answered so many times that at some point years ago I changed the "Default deny" label to "Default deny / State violation". You can find these topics here in the forum with the search.

I'm not entirely sure what happened in your case. Established states should continue to work, not run into the default rule block (which was likely due to state violation though). Maybe the firewall didn't see these connections prior, but that would also have been weird. It depends on a lot of factors.

> Would resetting the states table under Firewall --> Diag --> States --> Actions have fixed the issue?

Kind of, but not if the VPN tunnel insists it was online and is not able to recover. The best thing to do is to restart the tunnel and see if that already helps. It could also be indicative of another issue in your setup, but it could also be a remote issue (duplicated packets back, packet reordering, etc.)


Cheers,
Franco
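
To make the mechanism behind those log lines concrete, here is a small, constructed model of a stateful TCP filter. It is an added illustration, not pf or OPNsense code and not something Franco posted: it keeps only the parts of pf's behaviour relevant to this thread (a state table keyed on the 5-tuple, a new TCP state created only by a bare SYN that matches a pass rule, everything else falling through to the last block rule), and the addresses 192.0.2.20 and 10.0.0.10 are made up. It shows why, once the states for a session are gone, every in-flight segment from the endpoints keeps being logged against "Default deny / state violation" until one side starts a fresh handshake, which is the reason restarting the tunnel or client, rather than only clearing states, is what actually recovers the traffic. `reset_states(host=...)` mirrors killing only one peer's states (what `pfctl -k <host>` does on pf) instead of flushing the whole table.

```python
"""Constructed, simplified model of a stateful packet filter (not pf/OPNsense code)."""
from dataclasses import dataclass, field

DEFAULT_DENY = "Default deny / state violation"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as pf prints them: "S", "SA", "A", "PA", "FA" ...


@dataclass
class Firewall:
    # (dst_ip, dst_port) pairs that a "pass ... flags S/SA keep state" rule allows
    pass_rules: set
    states: dict = field(default_factory=dict)   # 5-tuple -> state name
    log: list = field(default_factory=list)      # (rule label, packet) for blocked packets

    @staticmethod
    def _keys(pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd, rev

    def filter(self, pkt):
        fwd, rev = self._keys(pkt)
        # 1. Packet belongs to an existing state: pass it and advance the state.
        if fwd in self.states or rev in self.states:
            key = fwd if fwd in self.states else rev
            if "S" in pkt.flags and "A" in pkt.flags:
                self.states[key] = "SYN_RCVD"          # SYN/ACK from the server side
            elif "A" in pkt.flags and self.states[key] in ("SYN_SENT", "SYN_RCVD"):
                self.states[key] = "ESTABLISHED"
            return "pass"
        # 2. No state: only a bare SYN matching a pass rule may create one.
        if pkt.flags == "S" and (pkt.dst, pkt.dport) in self.pass_rules:
            self.states[fwd] = "SYN_SENT"
            return "pass"
        # 3. Anything else (mid-stream ACK/data with no state) falls to the default deny.
        self.log.append((DEFAULT_DENY, pkt))
        return "block"

    def reset_states(self, host=None):
        """host=None models Firewall > Diagnostics > States > reset (flush everything);
        host=<ip> models killing only the states that involve that peer."""
        if host is None:
            removed = len(self.states)
            self.states.clear()
            return removed
        doomed = [k for k in self.states if host in (k[0], k[2])]
        for k in doomed:
            del self.states[k]
        return len(doomed)


def scenario():
    """Walk one TCP session through state loss and recovery; return every decision."""
    fw = Firewall(pass_rules={("10.0.0.10", 443)})
    c, s = ("192.0.2.20", 51000), ("10.0.0.10", 443)     # constructed client/server
    syn = Packet(c[0], c[1], s[0], s[1], "S")
    synack = Packet(s[0], s[1], c[0], c[1], "SA")
    ack = Packet(c[0], c[1], s[0], s[1], "A")
    data = Packet(c[0], c[1], s[0], s[1], "PA")
    out = {}
    out["handshake"] = [fw.filter(syn), fw.filter(synack), fw.filter(ack)]
    out["data_before"] = fw.filter(data)
    # Something wipes the state table (WAN IP change, reboot of the peer, manual reset).
    out["states_dropped"] = fw.reset_states()
    # Both endpoints still believe the session is up and keep sending mid-stream segments.
    out["data_after"] = fw.filter(data)
    out["logged_as"] = fw.log[-1][0]
    # Only a fresh handshake (restart the tunnel/client) creates a state again.
    out["new_handshake"] = [fw.filter(syn), fw.filter(synack), fw.filter(ack)]
    out["data_recovered"] = fw.filter(data)
    out["kill_one_peer"] = fw.reset_states(host="192.0.2.20")
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:15} {result}")
```

The practical reading of the model: clearing states (all or per host) is harmless on its own, but it does not make traffic flow; the endpoint whose session was cut still has to send a new SYN, which is why restarting the tunnel or the client after the reset is the step that replaces the reboot.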

September 12, 2025, 08:46:17 PM #3 Last Edit: September 12, 2025, 08:51:34 PM by ThyOnlySandman
Quote from: franco on September 12, 2025, 12:08:34 PM
> It depends on a lot of factors.

Hi. In the past I've read about the state violation rule, but like you say, there are lots of factors, so I've never really felt that I understand when the issue surfaces. Which is not often.

Regarding last time with IPsec: I restarted the IPsec service multiple times on both firewalls and the Phase 2s were good and established fresh. Traffic wouldn't flow, yet I made no further config changes; I rebooted the remote OPNsense and the VPN came back up and traffic flowed through the tunnel. So I'm not sure.

I know there's an implicit deny-all rule on ACLs, but on all interfaces I have a manual deny-all rule. So when I see "Default deny / State violation" I know it's OPNsense's internal rule and something with TCP states is wrong. Otherwise, if it was a regular flow, it would be logged as denied against my manual rule.

Both locations use the OPNsense LAN interface on a /29 subnet connected to L3 switch VLANs. I have Zenarmor set on the OPNsense LAN interface. Perhaps Zenarmor could be the culprit for the reasons you mentioned that states get messed up (duplicated packets back, packet reordering, etc.)?