From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-questions@freebsd.org
Date: Fri, 21 Oct 2016 15:57:28 +0200
Subject: 10.3 pfsync large difference between number of states on two firewalls
Message-ID: <20161021155728.14833c0b@mr185083>

Hello,

I have a pair of firewalls with carp, pf and pfsync, and I see a large difference between the number of states (pfctl -si, current entries) on the two firewalls.

pf1 is the master with 807598 states, pf2 is the backup with 1696258 states.

There is only a small amount of traffic from/to the firewalls themselves that could explain this difference. I'm looking at the states (but it's not easy on real traffic) and I've found some states not present on pf1, but still present on pf2.

One state was in state tcp ESTABLISHED:ESTABLISHED with an expire age around 23:55:00 (the default tcp timeout), and I can confirm (with netflow traces) that the tcp session started 5 minutes ago and has ended.

So it looks like sometimes pf2 misses (or pf1 does not send) some state updates. I say "sometimes" because, with the rate of state inserts here, I think that if this were always the case, the state table on pf2 would have already exploded.

I would like to know if someone is seeing this kind of difference. Even an "it works for me" would be helpful.

Thanks, regards.
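The comparison the poster is doing by hand (finding states that pf2 still holds but pf1 no longer has) can be scripted. The following is an added example, not code from the thread or from FreeBSD: it parses two `pfctl -vvss` dumps (one per firewall), keys each state on its interface, protocol and endpoints, and lists the states present only on the backup together with their age, remaining expiry and pfsync creatorid. The creatorid is what makes the diff useful for pfsync debugging: an orphan on the backup that carries the master's creatorid was inserted by pfsync but never updated or deleted, whereas an orphan with the backup's own creatorid is just traffic terminated on pf2 itself. The two dumps below are constructed sample data in the FreeBSD 10.x `pfctl -vvss` layout; the addresses, ids and creatorids are made up.

```python
#!/usr/bin/env python3
"""Diff two `pfctl -vvss` dumps and report states the backup holds but the master does not.

Added example, not part of the original mailing-list thread. Assumes the FreeBSD 10.x
verbose state layout: one unindented header line per state, followed by an indented
"age HH:MM:SS, expires in HH:MM:SS, ..." line and an indented "id: ... creatorid: ..." line.
"""
import re
from collections import Counter
from typing import Dict, List

AGE_RE = re.compile(r"age (\d+):(\d\d):(\d\d), expires in (\d+):(\d\d):(\d\d)")
ID_RE = re.compile(r"id: ([0-9a-f]+) creatorid: ([0-9a-f]+)")

# Constructed sample output of `pfctl -vvss` on the master (pf1). Not real data.
MASTER_DUMP = """\
all tcp 192.0.2.10:443 <- 198.51.100.20:51000       ESTABLISHED:ESTABLISHED
   age 00:12:03, expires in 23:47:57, 3100:2950 pkts, 410000:2200000 bytes, rule 12
   id: 000000005809c1a3000000000000002c creatorid: 7a1b2c3d
all udp 192.0.2.53:53 <- 198.51.100.21:40001       MULTIPLE:MULTIPLE
   age 00:00:07, expires in 00:00:53, 2:1 pkts, 150:300 bytes, rule 8
   id: 000000005809c1a3000000000000002d creatorid: 7a1b2c3d
"""

# Constructed sample output on the backup (pf2): the same two states, plus an orphaned
# ESTABLISHED state that still carries the master's creatorid (pfsync inserted it, then
# lost track of it), plus one state created by pf2 itself (ssh to the backup).
BACKUP_DUMP = MASTER_DUMP + """\
all tcp 192.0.2.10:443 <- 198.51.100.22:52210       ESTABLISHED:ESTABLISHED
   age 00:05:10, expires in 23:54:50, 880:640 pkts, 92000:510000 bytes, rule 12
   id: 000000005809c1a30000000000000031 creatorid: 7a1b2c3d
all tcp 192.0.2.2:22 <- 198.51.100.9:61000       ESTABLISHED:ESTABLISHED
   age 00:01:30, expires in 23:58:30, 40:38 pkts, 5000:7000 bytes, rule 2
   id: 000000005809d0000000000000000005 creatorid: 4e5f6071
"""


def hms_to_seconds(h: str, m: str, s: str) -> int:
    return int(h) * 3600 + int(m) * 60 + int(s)


def parse_states(dump: str) -> Dict[str, dict]:
    """Return {connection key: state record} for one pfctl -vvss dump.

    The key is the header line minus its last token (the TCP/UDP state string), so a
    connection that is ESTABLISHED on one box and FIN_WAIT on the other still matches.
    """
    states: Dict[str, dict] = {}
    current = None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            tokens = raw.split()
            key = " ".join(tokens[:-1])
            current = {"key": key, "state": tokens[-1], "age": None,
                       "expires": None, "id": None, "creatorid": None}
            states[key] = current
            continue
        if current is None:
            continue  # indented line before any header: ignore
        m = AGE_RE.search(raw)
        if m:
            current["age"] = hms_to_seconds(*m.group(1, 2, 3))
            current["expires"] = hms_to_seconds(*m.group(4, 5, 6))
            continue
        m = ID_RE.search(raw)
        if m:
            current["id"], current["creatorid"] = m.group(1), m.group(2)
    return states


def stale_on_backup(master: Dict[str, dict], backup: Dict[str, dict]) -> List[dict]:
    """States the backup still holds that the master no longer has."""
    return [backup[k] for k in sorted(backup.keys() - master.keys())]


def orphans_by_creator(orphans: List[dict]) -> Dict[str, int]:
    """Count orphaned states per creatorid: the master's id points at lost pfsync updates."""
    return dict(Counter(o["creatorid"] for o in orphans))


if __name__ == "__main__":
    orphans = stale_on_backup(parse_states(MASTER_DUMP), parse_states(BACKUP_DUMP))
    for o in orphans:
        print(f"{o['key']:55} {o['state']:24} age={o['age']}s expires={o['expires']}s "
              f"creatorid={o['creatorid']}")
    print("orphans per creatorid:", orphans_by_creator(orphans))
```

On real firewalls, capture `pfctl -vvss > pf1.txt` and `pfctl -vvss > pf2.txt` as close together in time as possible (state churn between the two snapshots will otherwise show up as false orphans) and feed the two files to `parse_states` instead of the embedded samples. Orphans whose creatorid is the master's and whose remaining expiry sits near the full tcp.established timeout are the ones the post describes: the pfsync insert arrived, but the later update or delete did not.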