From: "Douglas K. Rand" <rand@meridian-enviro.com>
To: freebsd-pf@freebsd.org
Date: Fri, 07 Jul 2006 13:03:40 -0500
Message-ID: <87ejwx1edf.wl%rand@meridian-enviro.com>
Subject: pfsync & carp problems

I'm testing a new set of firewalls using pfsync and carp to replace an existing IP Filter firewall, and I'm having occasional problems with TCP sessions failing over.
More often than not the failover works fine, but sometimes when I reboot the master firewall the TCP session hangs, and when the backup firewall transfers from MASTER to BACKUP the session stays hung. The state exists on both firewalls right after the master comes back:

master# pfctl -v -s state
[...]
self tcp 67.134.74.224:58786 -> 204.152.184.134:80       ESTABLISHED:ESTABLISHED
   [69234942 + 65535] wscale 1  [1597172605 + 63712] wscale 0
   age 00:07:37, expires in 23:59:10, 0:0 pkts, 0:0 bytes
self tcp 204.152.184.134:80 <- 67.134.74.224:58786       ESTABLISHED:ESTABLISHED
   [1597172605 + 63712] wscale 0  [69234942 + 65535] wscale 1
   age 00:07:37, expires in 23:59:02, 0:0 pkts, 0:0 bytes
[...]

slave# pfctl -v -s state
[...]
self tcp 67.134.74.224:58786 -> 204.152.184.134:80       ESTABLISHED:ESTABLISHED
   [69234942 + 65535] wscale 1  [1597172605 + 63712] wscale 0
   age 00:07:01, expires in 23:57:54, 19885:23629 pkts, 1037055:35439120 bytes, rule 187
self tcp 204.152.184.134:80 <- 67.134.74.224:58786       ESTABLISHED:ESTABLISHED
   [1597172605 + 63712] wscale 0  [69234942 + 65535] wscale 1
   age 00:07:01, expires in 23:57:54, 19885:23629 pkts, 1037055:35439120 bytes, rule 187
[...]

But after a few minutes the state goes away on both firewalls. Both systems are running FreeBSD 6.1-p2.
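When a pfsync pair misbehaves after a failover, the first thing to pin down is exactly how the two peers' state tables differ, and doing that by eye across two pfctl dumps is error-prone. The following is an added example, not code from the original post or from pf/pfsync. It assumes the three-line-per-state layout printed by `pfctl -v -s state` on FreeBSD 6.x (state line, sequence/window line, age/counter line); the two embedded dumps are constructed from the entries quoted in the message. On that input it reports, for both entries, that the master's packet and byte counters are zero while the backup's are not, and that the backup prints a rule number (187) where the master prints none. It draws no conclusion about the cause; it only makes the differences explicit.

```python
"""Diff the state tables of two pfsync peers from 'pfctl -v -s state' output.

Added example, not code from the original post or from pf. Assumes the
three-line-per-state layout printed by pfctl -v on FreeBSD 6.x. The two
dumps below are constructed from the entries quoted in the message.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the master's entries as quoted in the message.
MASTER_DUMP = """\
self tcp 67.134.74.224:58786 -> 204.152.184.134:80       ESTABLISHED:ESTABLISHED
   [69234942 + 65535] wscale 1  [1597172605 + 63712] wscale 0
   age 00:07:37, expires in 23:59:10, 0:0 pkts, 0:0 bytes
self tcp 204.152.184.134:80 <- 67.134.74.224:58786       ESTABLISHED:ESTABLISHED
   [1597172605 + 63712] wscale 0  [69234942 + 65535] wscale 1
   age 00:07:37, expires in 23:59:02, 0:0 pkts, 0:0 bytes
"""

# Constructed input: the backup's ("slave") entries as quoted in the message.
BACKUP_DUMP = """\
self tcp 67.134.74.224:58786 -> 204.152.184.134:80       ESTABLISHED:ESTABLISHED
   [69234942 + 65535] wscale 1  [1597172605 + 63712] wscale 0
   age 00:07:01, expires in 23:57:54, 19885:23629 pkts, 1037055:35439120 bytes, rule 187
self tcp 204.152.184.134:80 <- 67.134.74.224:58786       ESTABLISHED:ESTABLISHED
   [1597172605 + 63712] wscale 0  [69234942 + 65535] wscale 1
   age 00:07:01, expires in 23:57:54, 19885:23629 pkts, 1037055:35439120 bytes, rule 187
"""

# Line 1 of each entry: "<if> <proto> <left> -> <right> <src-state>:<dst-state>"
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<dir><-|->)\s+"
    r"(?P<right>\S+)\s+(?P<states>\S+)$"
)
# Line 2: one "[seq + win] wscale n" group per side of the connection.
WIN_RE = re.compile(r"\[(\d+) \+ (\d+)\] wscale (\d+)")
# Line 3: age, expiry, counters, and a rule number only when pf knows one.
AGE_RE = re.compile(
    r"age (?P<age>\S+), expires in (?P<expires>\S+), (?P<pin>\d+):(?P<pout>\d+) pkts, "
    r"(?P<bin>\d+):(?P<bout>\d+) bytes(?:, rule (?P<rule>\d+))?"
)

Key = Tuple[str, str, str, str]  # (proto, left endpoint, arrow, right endpoint)


@dataclass
class PfState:
    key: Key
    states: str                                # e.g. ESTABLISHED:ESTABLISHED
    windows: List[Tuple[int, int, int]] = field(default_factory=list)  # (seq, win, wscale) per side
    pkts: Tuple[int, int] = (0, 0)
    bytes_: Tuple[int, int] = (0, 0)
    rule: Optional[int] = None                 # None when pfctl printed no "rule N"


def parse_states(text: str) -> Dict[Key, PfState]:
    """Parse pfctl -v -s state output; entries are keyed on the printed 4-tuple."""
    result: Dict[Key, PfState] = {}
    cur: Optional[PfState] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STATE_RE.match(line)
        if m:
            cur = PfState((m["proto"], m["left"], m["dir"], m["right"]), m["states"])
            result[cur.key] = cur
            continue
        if cur is None:
            continue  # shell prompts, "[...]" and other noise before the first entry
        wins = WIN_RE.findall(line)
        if wins:
            cur.windows = [(int(s), int(w), int(ws)) for s, w, ws in wins]
            continue
        m = AGE_RE.search(line)
        if m:
            cur.pkts = (int(m["pin"]), int(m["pout"]))
            cur.bytes_ = (int(m["bin"]), int(m["bout"]))
            cur.rule = int(m["rule"]) if m["rule"] else None
    return result


def compare(master: Dict[Key, PfState], backup: Dict[Key, PfState]) -> List[Tuple[str, str]]:
    """Return (finding, state) pairs for every entry that differs between the peers."""
    report: List[Tuple[str, str]] = []
    for key in sorted(set(master) | set(backup)):
        label = " ".join(key)
        a, b = master.get(key), backup.get(key)
        if a is None:
            report.append(("missing_on_master", label))
            continue
        if b is None:
            report.append(("missing_on_backup", label))
            continue
        if a.states != b.states:
            report.append(("tcp_state_mismatch", label))
        if a.windows != b.windows:
            report.append(("seq_window_mismatch", label))
        if (a.pkts == (0, 0)) != (b.pkts == (0, 0)):
            side = "master" if a.pkts == (0, 0) else "backup"
            report.append(("zero_counters_on_" + side, label))
        if a.rule != b.rule:
            report.append(("rule_mismatch", label))
    return report


if __name__ == "__main__":
    for finding, state in compare(parse_states(MASTER_DUMP), parse_states(BACKUP_DUMP)):
        print(f"{finding:24s} {state}")
```

In practice you would capture `pfctl -v -s state` on each firewall (over ssh, for example), save both dumps to files, and pass their contents to `parse_states`. Output from `pfctl -vv` adds an `id:`/`creatorid:` line per entry, which none of the three patterns match, so the parser simply skips it.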