From: "Douglas K. Rand" <rand@meridian-enviro.com>
To: Daniel Hartmeier
Cc: mcbride@openbsd.org, freebsd-pf@freebsd.org
Date: Sat, 8 Jul 2006 14:36:34 -0500 (CDT)
Subject: Re: pfsync & carp problems
Message-ID: <20060708143036.B12430@delta.meridian-enviro.com>
In-Reply-To: <20060708084343.GA32262@insomnia.benzedrine.cx>
References: <87ejwx1edf.wl%rand@meridian-enviro.com> <87zmfl466d.fsf@delta.meridian-enviro.com> <20060708084343.GA32262@insomnia.benzedrine.cx>

>> Some more information after I discovered the -x loud option to
>> pfctl. When the master firewall goes down and the already established
>> TCP session hangs, I get these messages on the slave:
>>
>> pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 [lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] [lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] 4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev
>> pf: State failure on: 1 |

> This means the web server is trying to send data to the client that is
> out of (what pf thinks is legal for) its window.

> How are you disconnecting the master? Does this occur when you physically
> disconnect the ethernet cable towards the server first?

I've had my test TCP session hang by using both reboot and shutdown -r
and also by dropping the master into the kernel debugger and then after
a few minutes "cont"inuing.

> Ryan, do we address this, or is it just a rare but expected case that this
> might occur? Or did I miss anything and this shouldn't occur for some reason?

It doesn't seem too rare to me. My test firewalls are forwarding packets
for a single TCP session. (A fetch of a FreeSBIE ISO.) Given two hours I'm
confident I can cause the problem to occur. (Admittedly in those two hours
I'm causing a failover far more often than production firewalls should see
in a year or two. But, and maybe I'm guessing wrong here, I would expect
that if a single TCP stream has problems, I'm very likely to see a problem
with multiple established sessions.)

Thanks for the response. If you have suggestions on further testing that I
should do, I'm game. Far easier now than after they go production. (If
they do with pfsync.)
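An added example, not from this thread and not pf's own code: it parses a "pf: BAD state" line like the one quoted above and re-runs the TCP sequence-window checks that pf applies to an established state, reporting which bound the logged segment broke and by how much. The four checks, the MAXACKWINDOW value and the fwd/rev peer mapping are this example's reconstruction of pf_test_state_tcp() in pf.c and are assumptions that may differ in detail between pf versions.

```python
import re

# pf.c's MAXACKWINDOW (0xffff plus a 1500 byte fudge factor), as assumed here.
MAXACKWINDOW = 0xFFFF + 1500

# Field layout of a "pf: BAD state" line as logged by pf with "pfctl -x loud".
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP \S+ \S+ \S+ "
    r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+ wscale=(\d+)\] "
    r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=\d+ wscale=(\d+)\] "
    r"\d+:\d+ (\S+) seq=(\d+) ack=(\d+) len=(\d+) ackskew=-?\d+ "
    r"pkts=\d+:\d+ dir=(?:in|out),(fwd|rev)")

def s32(x):
    """Reduce to a signed 32-bit value, as C does for (int)(a - b)."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x

def seq_geq(a, b):
    """pf's SEQ_GEQ: wraparound-safe a >= b on 32-bit sequence numbers."""
    return s32(a - b) >= 0

def analyze_bad_state(line):
    """Return the window checks the logged packet fails, how far its last
    byte overshoots the peer's recorded window edge, and the ack skew."""
    m = BAD_STATE_RE.search(line)
    if not m:
        raise ValueError("not a pf BAD state line")
    g = m.groups()
    peer0 = dict(lo=int(g[0]), high=int(g[1]), win=int(g[2]), wscale=int(g[3]))
    peer1 = dict(lo=int(g[4]), high=int(g[5]), win=int(g[6]), wscale=int(g[7]))
    flags, seq, ack, plen = g[8], int(g[9]), int(g[10]), int(g[11])
    # Assumption: pf prints the state's initiator first; a "rev" packet comes
    # from the other peer, which is then the "src" whose window is validated.
    src, dst = (peer0, peer1) if g[12] == "fwd" else (peer1, peer0)
    end = seq + plen + ("S" in flags) + ("F" in flags)  # SYN and FIN take a sequence number
    # Window scaling is only honoured when both peers negotiated it.
    sws, dws = (src["wscale"], dst["wscale"]) if src["wscale"] and dst["wscale"] else (0, 0)
    ackskew = s32(dst["lo"] - ack)
    checks = {
        "last_octet_inside_window": seq_geq(src["high"], end),
        "not_more_than_one_window_back": seq_geq(seq, src["lo"] - (dst["win"] << dws)),
        "ack_not_too_far_back": ackskew >= -MAXACKWINDOW,
        "ack_not_too_far_forward": ackskew <= (MAXACKWINDOW << sws),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return {"failed": failed, "overshoot": s32(end - src["high"]), "ackskew": ackskew}

# The line reported in the mail above (copied from the message, not constructed).
PAGE_LINE = ("pf: BAD state: TCP 67.134.74.224:52173 67.134.74.224:52173 204.152.184.134:80 "
             "[lo=2943781408 high=2943846943 win=33304 modulator=0 wscale=1] "
             "[lo=3255565389 high=3255629101 win=65535 modulator=0 wscale=0] "
             "4:4 A seq=3255634893 ack=2943781408 len=1448 ackskew=0 pkts=21109:24835 dir=in,rev")

if __name__ == "__main__":
    print(analyze_bad_state(PAGE_LINE))
```

For the quoted line only the first check fails: the server's 1448-byte segment ends 7240 bytes past the window edge the backup had recorded for it, which is exactly the "out of what pf thinks is legal for its window" case Daniel describes.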