Date: Fri, 21 Oct 2016 16:00:26 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-questions@freebsd.org
Subject: Re: 10.3 pfsync large difference between number of states on two firewalls
Message-ID: <20161021160026.73cac1a2@mr185083>
In-Reply-To: <20161021155728.14833c0b@mr185083>
References: <20161021155728.14833c0b@mr185083>
On Fri, 21 Oct 2016 15:57:28 +0200, Patrick Lamaiziere <patfbsd@davenulle.org> wrote:

> Hello,
>
> I have a pair of firewalls with carp, pf and pfsync and I see a large
> difference between the number of states (pfctl -si, current entries)
> on the firewalls.
>
> pf1 is the master with 807598 states,
> pf2 is the backup with 1696258 states
>
> There is only small traffic from / to the firewalls that can explain
> this difference.
>
> I'm looking on the states (but it's not easy on real traffic) and I've
> found some states not present in pf1, but still present in pf2.
>
> One state was in state tcp ESTABLISHED:ESTABLISHED with an expire age
> around 23:55:00 (the default of a tcp timeout) and I can confirm that
> the tcp session was ended (with netflow traces) and started 5 minutes
> ago.
>
> So it looks like sometimes pf2 misses (or pf1 does not send) some
> state updates.
>
> I say "sometimes" because with the rates of states inserts here, I
> think that if this is always the case, the states table on pf2 would
> have already exploded.
>
> I would like to know if someone is seeing this kind of difference.
> Even an "it works for me" will be helpful.

Forgot to say: the physical sync link is a 10 Gbps link with around 20 kpps on load, I don't think the issue is on this link.

Regards,
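The "looking on the states" step the poster describes as hard on real traffic can be scripted. The following is an added example (not from the thread or from the pf project): it diffs `pfctl -ss` dumps taken on pf1 and pf2 and lists the states the backup still holds that the master no longer has, keyed on endpoints so that a lagging state column does not produce false differences. The column layout assumed for `pfctl -ss` output, the sample dumps and the file names are all constructed for the example.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: compare "pfctl -ss" dumps from the
# master (pf1) and the backup (pf2) and print the states only the backup holds.
# Key = (iface proto src dir dst); the trailing state column is dropped because
# it may legitimately lag on the peer. Assumed layout of one dump line:
#   all tcp 192.0.2.10:443 <- 198.51.100.7:52144   ESTABLISHED:ESTABLISHED
# Collect real inputs with:  pfctl -ss > pfN.states   (on each host).
export LC_ALL=C   # comm(1) and sort(1) must agree on collation

# normalise one dump to sorted, unique endpoint keys
state_keys() {
    awk 'NF >= 5 { print $1, $2, $3, $4, $5 }' "$1" | sort -u
}

# print keys present in the backup dump but absent from the master dump
states_only_on_backup() {
    m=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$m"; return 1; }
    state_keys "$1" > "$m"
    state_keys "$2" > "$b"
    comm -13 "$m" "$b"        # lines unique to the second (backup) file
    rm -f "$m" "$b"
}

# number of such states, as a bare integer
count_only_on_backup() {
    states_only_on_backup "$1" "$2" | wc -l | tr -d ' '
}

# constructed sample dumps standing in for real pf1/pf2 output
PF1_SAMPLE=$(mktemp); PF2_SAMPLE=$(mktemp)
cat > "$PF1_SAMPLE" <<'EOF'
all tcp 192.0.2.10:443 <- 198.51.100.7:52144       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 198.51.100.9:40100       ESTABLISHED:ESTABLISHED
all udp 192.0.2.53:53 <- 198.51.100.7:40001       MULTIPLE:SINGLE
all tcp 192.0.2.10:80 <- 198.51.100.30:50000       FIN_WAIT_2:FIN_WAIT_2
EOF
cat > "$PF2_SAMPLE" <<'EOF'
all tcp 192.0.2.10:443 <- 198.51.100.7:52144       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 198.51.100.9:40100       ESTABLISHED:ESTABLISHED
all udp 192.0.2.53:53 <- 198.51.100.7:40001       MULTIPLE:SINGLE
all tcp 192.0.2.10:443 <- 198.51.100.20:33000       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.21:33001       ESTABLISHED:ESTABLISHED
EOF

# the master-only FIN_WAIT_2 entry is ignored; the two extra 443 states are reported
echo "states only on backup: $(count_only_on_backup "$PF1_SAMPLE" "$PF2_SAMPLE")"
states_only_on_backup "$PF1_SAMPLE" "$PF2_SAMPLE"
```

Once a suspect key is found, `pfctl -vvss` on the backup shows its age and expiry, which is what distinguishes a stale leftover from a live connection.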