"BAD ICMP" message

Max Laier max at love2party.net
Thu Apr 23 13:59:16 UTC 2009


On Thursday 23 April 2009 07:05:54 Sebastiaan van Erk wrote:
> Apr 23 06:58:38 vpn3 kernel: pf: loose state match: TCP
> 10.0.80.150:51422 10.0.80.150:51422 10.0.80.4:22 [lo=3150927679
> high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0]
> 2:0 A seq=3150927679 (3150927679) ack=0 len=0 ackskew=0 pkts=77:0
> Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150
                                            ^

These are ICMP redirect messages.  This clearly suggests that something is 
very wrong with your routing.  I assume your netmasks are wrong.  It looks 
like 10.0.80.77 thinks that 10.0.80.150 can reach 10.0.80.4 directly which is 
not the case - it needs to route through 10.0.80.77.

> state: TCP 10.0.80.4:22 10.0.80.4:22 10.0.80.150:51422 [lo=3150927679
> high=3150923785 win=692 modulator=0] [lo=0 high=692 win=1 modulator=0]
> 2:0 seq=3150927679
>
> I see this message several times and the connection no longer works
> after that.
>
> Does anybody know what's going on and how I can fix it?

Use separate ip-ranges on either side of the vpn-router or combine vpn-
endpoints from the same subnet in a bridge interface to allow direct 
communication between all members in one subnet.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
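
Added example, not part of the original message: a small Python triage script that picks the `BAD ICMP` lines out of a pf kernel log, decodes the `type:code` pair (5:1 is an ICMP redirect for host, per RFC 792), and reports whether the redirecting router and the redirected host sit in the same prefix. The function name `triage`, the `lan_prefix` value `10.0.80.0/24` and the `3:1` log line are assumptions made for illustration; the thread does not state the actual netmask.

```python
import ipaddress
import re

# ICMP redirect (type 5) codes as defined in RFC 792.
REDIRECT_CODES = {
    0: "redirect for network",
    1: "redirect for host",
    2: "redirect for type of service and network",
    3: "redirect for type of service and host",
}

# Matches the kernel message format shown in the quoted log.
BAD_ICMP = re.compile(
    r"pf: BAD ICMP (?P<type>\d+):(?P<code>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
)

def triage(lines, lan_prefix):
    """Return one finding per 'BAD ICMP' line that carries an ICMP redirect."""
    net = ipaddress.ip_network(lan_prefix)  # assumed prefix, not from the thread
    findings = []
    for line in lines:
        m = BAD_ICMP.search(line)
        if not m or int(m["type"]) != 5:
            continue  # not a pf BAD ICMP line, or not a redirect
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        findings.append({
            "router": str(src),            # host that sent the redirect
            "redirected_host": str(dst),   # host being told to use another path
            "meaning": REDIRECT_CODES.get(int(m["code"]), "unknown redirect code"),
            # True when both ends share the prefix, i.e. the router treats
            # the sender as on-link, which is what triggers a redirect.
            "same_prefix": src in net and dst in net,
        })
    return findings

SAMPLE = [
    # From the quoted log above.
    "Apr 23 06:58:38 vpn3 kernel: pf: BAD ICMP 5:1 10.0.80.77 -> 10.0.80.150",
    # Constructed line (not from the thread): a non-redirect type is skipped.
    "Apr 23 06:58:39 vpn3 kernel: pf: BAD ICMP 3:1 10.0.80.77 -> 10.0.80.150",
    "Apr 23 06:58:40 vpn3 kernel: some unrelated message",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, "10.0.80.0/24"):
        print(finding)
```
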


More information about the freebsd-pf mailing list