Date:      Fri, 7 Mar 2008 08:39:32 -0800 (PST)
From:      Lorenz Helleis <lorenzhelleis@yahoo.com.br>
To:        Chris Marlatt <cmarlatt@rxsec.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Res: Dropped Packets
Message-ID:  <745345.9793.qm@web53704.mail.re2.yahoo.com>

I don't think that is a hardware problem. Sometimes the "congestion rate" increases to 1500,0/s and the "state-mismatch" to 300.0/s. I don't know if it is normal...

I think that the connections are being dropped when the number of packets on the network increases a lot.

Can you tell me about your firewall? I will need to install a bigger one here, and I'm a little afraid to do it. Can you show me some configuration? The traffic of your network? Hardware? Connections?

Look at some configurations.... Do I need to increase something?

# pfctl -sm
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

# top

load averages:  0.20,  0.12,  0.09                                      13:29:40
35 processes:  34 idle, 1 on processor
CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle

# vmstat -i

interrupt                       total     rate
irq0/clock                  257506609      199
irq0/ipi                    183393879      142
irq81/em0                  8638587188     6706
irq83/skc0                 6011660768     4667
irq80/fxp0                 2292732543     1779
irq64/ahc0                    7012560        5
irq112/pckbc0                       8        0
Total                     17390893555    13501

# pfctl -si

State Table                          Total             Rate
  current entries                     5005
  searches                      30026832082       441000.4/s
  inserts                        406964726         5977.0/s
  removals                       406959721         5977.0/s
Counters
  match                          417436387         6130.8/s
  bad-offset                             0            0.0/s
  fragment                            1939            0.0/s
  short                                154            0.0/s
  normalize                          34858            0.5/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                        834349           12.3/s
  ip-option                             24            0.0/s
  proto-cksum                         5572            0.1/s
  state-mismatch                    491286            7.2/s


Proverbs 1:27

    But God chose the foolish things of this world to confound the
wise; and God chose the weak things of this world to confound the
strong;

----- Original message ----
From: Chris Marlatt <cmarlatt@rxsec.com>
To: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
Cc: freebsd-pf@freebsd.org
Sent: Friday, 7 March 2008 12:26:03
Subject: Re: Dropped Packets

Lorenz Helleis wrote:
> Hello.
> 
> I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.
> 
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase the other values, like table, src-nodes.... How do I know if everything is OK with the other values?
> 
> What happens if the number of connections reaches the limit of 100.000? Will it drop the idle connections? Or what?
> 

From my experience new connections will appear to time out as PF has no
more sessions available for new connections. As sessions die off
organically new connections will be permitted but there is nothing
actively killing old / idle connections to make way for new sessions if
the limit is reached.

Depending on how much memory you have you should be fine increasing the
max session limit. I've had some of my firewalls over 1,000,000 sessions
without a problem.

You may want to check your switch for errors and watch your interface
(netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
CPU usage are you seeing when you start dropping the packets?

Regards,

    Chris
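The check a PF admin would run from this exchange, as an added example that is not part of the thread or of FreeBSD/pf: how much headroom the state table has against its hard limit (Chris's point about new connections timing out at the limit) and how fast the congestion and state-mismatch counters Lorenz is watching are rising. The 80% and 100/s thresholds and the helper names are assumptions, and the sample data embedded in the script is constructed from the pfctl output posted above so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: check how full the PF state table is and how
# fast the counters Lorenz is watching are rising. Sample data is constructed from
# the pfctl output posted above; on a live box feed it `pfctl -sm` / `pfctl -si`.
USAGE_WARN_PCT=80   # assumed threshold: warn when the state table is this full
RATE_WARN=100       # assumed threshold: warn when a drop counter exceeds this /s
sample_limits() {   # constructed from the thread's `pfctl -sm`
cat <<'EOF'
states        hard limit   100000
EOF
}
sample_info() {     # constructed from the relevant lines of the thread's `pfctl -si`
cat <<'EOF'
  current entries                     5005
  congestion                        834349           12.3/s
  state-mismatch                    491286            7.2/s
EOF
}
# state_limit: hard limit of the states pool (stdin: pfctl -sm output)
state_limit() { awk '$1 == "states" { print $4 }'; }
# current_states: entries currently in the state table (stdin: pfctl -si output)
current_states() { awk '$1 == "current" && $2 == "entries" { print $3 }'; }
# counter_rate NAME: per-second rate of one counter, "/s" stripped (stdin: pfctl -si)
counter_rate() { awk -v n="$1" '$1 == n { sub("/s$", "", $3); print $3 }'; }
# state_usage_pct LIMIT CURRENT: integer percentage of the state table in use
state_usage_pct() { echo $(( $2 * 100 / $1 )); }
# rate_exceeds RATE THRESHOLD: true when a decimal rate is above the threshold
rate_exceeds() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 > b + 0) }'; }
# evaluate LIMIT CURRENT CONGESTION_RATE MISMATCH_RATE: prints one finding per line;
# returns 1 if anything needs attention, else 0.
evaluate() {
  pct=$(state_usage_pct "$1" "$2"); rc=0
  # Chris's point: at the hard limit PF has no room for new states and the client
  # just times out, so warn while there is still headroom to raise the limit.
  if [ "$pct" -ge "$USAGE_WARN_PCT" ]; then
    echo "state table ${pct}% full ($2/$1): raise 'set limit states' before new connections time out"; rc=1
  fi
  if rate_exceeds "$3" "$RATE_WARN"; then
    echo "congestion $3/s: new-state packets dropped while the IP input queue is congested, check interface and switch errors"; rc=1
  fi
  if rate_exceeds "$4" "$RATE_WARN"; then
    echo "state-mismatch $4/s: packets matched a state but failed its sequence checks"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "ok: state table ${pct}% full"; fi
  return "$rc"
}
# Usage on the sample data (prints "ok: state table 5% full"):
limit=$(sample_limits | state_limit); cur=$(sample_info | current_states)
evaluate "$limit" "$cur" "$(sample_info | counter_rate congestion)" "$(sample_info | counter_rate state-mismatch)"
```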


