Date:      Fri, 07 Mar 2008 10:26:03 -0500
From:      Chris Marlatt <cmarlatt@rxsec.com>
To:        Lorenz Helleis <lorenzhelleis@yahoo.com.br>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Dropped Packets
Message-ID:  <47D15E8B.8040207@rxsec.com>
In-Reply-To: <659091.90986.qm@web53704.mail.re2.yahoo.com>
References:  <659091.90986.qm@web53704.mail.re2.yahoo.com>

Lorenz Helleis wrote:
> Hello.
> 
> I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.
> 
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase the other values, like table, src-nodes.... How do I know if everything is OK with the other values?
> 
> What happens if the number of connections reaches the limit of 100.000? Will it drop the idle connections? Or what?
> 

From my experience new connections will appear to timeout as PF has no 
more sessions available for new connections. As sessions die off 
organically new connections will be permitted but there is nothing 
actively killing old / idle connections to make way for new sessions if 
the limit is reached.


Depending on how much memory you have you should be fine increasing the 
max session limit. I've had some of my firewalls over 1,000,000 sessions 
without a problem.

You may want to check your switch for errors and watch your interface 
(netstat -I IFACE -nd 1) to see when/where your drops are. What kind of 
cpu usage are you seeing when you start dropping the packets?

Regards,

	Chris
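The reply above says that once the PF state table hits its hard limit, new sessions simply fail until old ones expire, so the practical question is how close the table is to that limit before drops start. The following is an added example, not code from the thread or from the FreeBSD project: a small POSIX sh script that reads the "current entries" figure from `pfctl -s info` and the "states hard limit" figure from `pfctl -s memory` and reports utilisation. The two sample outputs embedded in the script are constructed to mimic the real command output; the 80 % / 95 % thresholds are hypothetical defaults.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how full the PF state table is,
# using the output of `pfctl -s info` and `pfctl -s memory`.
# The two sample outputs below are constructed; on a live firewall replace them
# with the real command output (see the usage comment at the bottom).

# Constructed sample of `pfctl -s info` (only the relevant block is shown).
SAMPLE_INFO='Status: Enabled for 12 days 04:11:09           Debug: Urgent

State Table                          Total             Rate
  current entries                    75000
  searches                      1234567890       150000.0/s
  inserts                         98765432         2000.0/s
  removals                        98690432         1998.0/s'

# Constructed sample of `pfctl -s memory`.
SAMPLE_MEM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Pull the "current entries" count out of `pfctl -s info` output ($1).
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Pull the hard limit for one pool (states, src-nodes, frags, tables,
# table-entries) out of `pfctl -s memory` output ($2).
hard_limit() {
    printf '%s\n' "$2" | awk -v pool="$1" '$1 == pool && $2 == "hard" { print $4; exit }'
}

# Integer percentage of the state table in use; fails if either value is missing.
state_pct() {
    cur=$(current_states "$1")
    lim=$(hard_limit states "$2")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# Map a utilisation percentage to OK / WARN / CRIT.
# Thresholds are hypothetical defaults: warn at 80 %, critical at 95 %.
state_status() {
    if [ "$1" -ge 95 ]; then echo CRIT
    elif [ "$1" -ge 80 ]; then echo WARN
    else echo OK
    fi
}

# On a live system you would run (not executed here):
#   state_pct "$(pfctl -s info)" "$(pfctl -s memory)"
pct=$(state_pct "$SAMPLE_INFO" "$SAMPLE_MEM")
echo "PF state table: ${pct}% of hard limit ($(state_status "$pct"))"
```

The constructed sample reproduces the situation in the question (75,000 states against a 100,000 limit) and reports 75 % / OK. The same `hard_limit` helper answers the question about "the other values": call it with `src-nodes`, `frags` or `table-entries` to see each pool's ceiling, and compare against the corresponding counters from `pfctl -s info` and `pfctl -s tables`. Raising the ceiling itself is done with the `set limit states N` directive in pf.conf, subject to available kernel memory as the reply notes.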


