Date: Wed, 5 Sep 2007 19:41:24 -0500
From: "Bill Marquette" <bill.marquette@gmail.com>
To: "Rian Shelley" <rians@cc.usu.edu>
Cc: freebsd-pf@freebsd.org
Subject: Re: pfsync errors
Message-ID: <55e8a96c0709051741y4a21bba1ycc1e65d2b7c4332@mail.gmail.com>
In-Reply-To: <e667a90b0709051331x35cafdfw50ee0be40969aa30@mail.gmail.com>
References: <e667a90b0709051331x35cafdfw50ee0be40969aa30@mail.gmail.com>

On 9/5/07, Rian Shelley <rians@cc.usu.edu> wrote:
> As far as I can tell, I am having the same problem described by Bill
> Marquette. I have two firewalls using pfsync, where the secondary
> firewall just increases its state count steadily.
>
> I created a simple libpcap program to watch the pfsync headers flowing
> by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
> PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which
> are the ones that delete state. As far as I can tell, states are
> pumped across the link, but never removed and are left to time out on
> their own.

I'll have to run our scripts again, but I'm pretty sure we were seeing
state deletions. But we certainly were not seeing 1 for 1
insert/deletion messages (one of our clusters frontends the web
servers so we have LOTS of short-lived states).

> I'd like to add myself as another datapoint for this problem.
> Currently I am getting about 15k send errors per second, and I'm up to
> 1.8 million states on the secondary firewall :D

Nice. How much RAM is that eating? I'm happy to hear that FreeBSD
seems to be able to handle a state count this high. What's the state
limit in your config?

--Bill
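
The per-action tally described in the quoted text, as an added example that is not part of the original message or either poster's program. It assumes the pfsync header begins with version, af, action and count bytes and that the caller passes the pfsync payload with the IP header already stripped; the function names and sample bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Action codes: the message names 2, 4 and 8 and describes 3 and 5 as
 * the ones that delete state. */
enum { ACT_UPD = 2, ACT_DEL = 3, ACT_UPD_C = 4, ACT_DEL_C = 5, ACT_UREQ = 8 };
#define ACT_MAX 16

struct pfsync_tally {
    unsigned long msgs[ACT_MAX];   /* packets seen per action code */
    unsigned long items[ACT_MAX];  /* sum of the header count field per action */
    unsigned long malformed;       /* truncated header or unknown action */
};

/* Assumed layout: byte 0 version, 1 af, 2 action, 3 count.
 * Returns the action code, or -1 if the header cannot be trusted. */
int pfsync_tally_add(struct pfsync_tally *t, const uint8_t *p, size_t len)
{
    if (len < 4 || p[2] >= ACT_MAX) {
        t->malformed++;
        return -1;
    }
    t->msgs[p[2]]++;
    t->items[p[2]] += p[3];
    return p[2];
}

/* State removals announced so far; zero on a busy link matches the symptom
 * in the thread (states only leave the peer by timing out). */
unsigned long pfsync_deletes(const struct pfsync_tally *t)
{
    return t->items[ACT_DEL] + t->items[ACT_DEL_C];
}

/* Constructed sample headers (version byte and counts are made up). */
static const uint8_t sample[][4] = {
    {3, 2, ACT_UPD, 10}, {3, 2, ACT_UPD_C, 25},
    {3, 2, ACT_UREQ, 1}, {3, 2, ACT_UPD, 7},
};

int main(void)
{
    struct pfsync_tally t = {{0}, {0}, 0};
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        pfsync_tally_add(&t, sample[i], sizeof sample[i]);
    printf("updates=%lu deletes=%lu malformed=%lu\n",
           t.items[ACT_UPD] + t.items[ACT_UPD_C], pfsync_deletes(&t), t.malformed);
    return 0;
}
```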