From: "D G Teed" <donald.teed@gmail.com>
To: freebsd-questions@freebsd.org
Date: Sat, 28 Oct 2006 19:41:26 -0300
Subject: packet loss to firewall while Internet link is down

Hi all,

When the Internet link goes down, ssh refuses to allow connection from within the LAN to our BSD firewall/gateway. An existing ssh connection might stay up, but be very sluggish.
We run our own DNS, so that can't be the reason for timeouts. When the Internet is down, the CPU load factor on the FreeBSD firewall is low, but the number of TCP packets that can't get past the first hop is likely high, which might cause some sort of congestion on the machine. The console is very responsive.

mtr to any point on the local LAN from the firewall sees 50 to 80% packet loss. However, there is no packet loss between other machines on the LAN, and our network guy says the router port and cable check out fine. There are no console error messages providing a clue. netstat -m shows the mb_map is about 26% in use while the Internet is down.

The machine in question is FreeBSD 4.11, running ipfw and acting as a gateway (not NAT). Once the Internet comes back up, ssh in works, and ssh sessions are very responsive again.

Is there some kernel variable I can tweak, or some tests I can try the next time the Internet goes down and the gateway/firewall drops packets on connections to our LAN?

Our operations manager is a Windows guy, and every time he can't ssh in, he thinks the firewall needs a reboot, when the real problem is that the Internet is down and there is something we need to tweak to make it better able to survive local LAN traffic.

--Donald
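A snapshot script for the next outage, added here as an example (it is not part of Donald's message and not FreeBSD code): it records the counters the post already mentions (netstat -m, packet loss to LAN hosts) alongside the other ones worth diffing against a healthy baseline, so that a down-link snapshot and an up-link snapshot can be compared instead of rebooting. The command names and the sysctl names (net.inet.ip.intr_queue_maxlen, net.inet.ip.intr_queue_drops, kern.ipc.nmbclusters) are assumed to match FreeBSD 4.11 and should be confirmed with sysctl -a on the box; the ping summary text used for the parser is constructed.

```shell
#!/bin/sh
# linkdown_snapshot.sh: gather the counters worth looking at on a FreeBSD
# gateway while its upstream link is down. Added example, not from the post.
# Assumed FreeBSD 4.x tools: netstat -m / -i / -s -p ip / -rn, arp -an,
# vmstat -i, ipfw -a list, and the sysctls net.inet.ip.intr_queue_maxlen,
# net.inet.ip.intr_queue_drops, kern.ipc.nmbclusters.

# loss_pct TEXT: print the integer packet-loss percentage found in ping(8)
# summary text, e.g. "20 packets transmitted, 9 packets received, 55% packet
# loss" -> 55. A fractional part ("55.0%") is dropped; no match prints nothing.
loss_pct() {
    printf '%s\n' "$1" \
        | sed -n 's/.*, \([0-9][0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\1/p' \
        | head -n 1
}

# loss_exceeds PCT THRESHOLD: succeed when PCT is a number greater than THRESHOLD.
loss_exceeds() {
    [ -n "$1" ] && [ "$1" -gt "$2" ]
}

# run_cmd OUT CMD ARGS...: append CMD's output to OUT under a "### CMD" header.
# A missing tool or a failing command is recorded rather than aborting, so one
# absent utility does not lose the rest of the snapshot.
run_cmd() {
    out=$1; shift
    printf '\n### %s\n' "$*" >>"$out"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >>"$out" 2>&1 || printf '(exit status %s)\n' "$?" >>"$out"
    else
        printf '(%s not available)\n' "$1" >>"$out"
    fi
}

# snapshot DIR [LAN_HOST] [GATEWAY]: write one timestamped report into DIR and
# print its path. LAN_HOST and GATEWAY are optional ping targets; each one's
# loss percentage is appended so successive snapshots can be compared (the
# post sees 50-80% loss to LAN hosts only while the link is down).
snapshot() {
    dir=$1; lan=$2; gw=$3
    mkdir -p "$dir"
    out="$dir/linkdown-$(date +%Y%m%d-%H%M%S).txt"
    : >"$out"
    run_cmd "$out" uptime
    run_cmd "$out" netstat -m          # mbuf and cluster usage (the mb_map figure)
    run_cmd "$out" netstat -i          # per-interface Ierrs / Oerrs / Coll
    run_cmd "$out" netstat -s -p ip    # IP-layer drop and "no bufs" counters
    run_cmd "$out" sysctl net.inet.ip.intr_queue_maxlen \
                          net.inet.ip.intr_queue_drops kern.ipc.nmbclusters
    run_cmd "$out" netstat -rn         # is the default route still present?
    run_cmd "$out" arp -an             # incomplete entry for the upstream router?
    run_cmd "$out" vmstat -i           # interrupt rate per NIC
    run_cmd "$out" ipfw -a list        # rule hit counters, especially deny rules
    for target in $lan $gw; do
        summary=$(ping -c 20 "$target" 2>&1 || true)
        printf '\n### ping loss to %s: %s%%\n' "$target" \
            "$(loss_pct "$summary")" >>"$out"
    done
    printf '%s\n' "$out"
}
```

Run it once while the link is healthy (for example `snapshot /var/tmp/linkdown 192.0.2.10 192.0.2.1` with a LAN host and the upstream router as targets) and again the next time ssh stalls, then diff the two reports: a jump in intr_queue_drops or in the netstat -s drop counters points at the IP input path, growing Oerrs or an incomplete ARP entry for the upstream router points at the interface facing the dead link, and flat counters with high LAN loss say the problem is somewhere the snapshot does not reach.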