Date: Fri, 20 Jan 2017 21:48:51 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Bakul Shah" <bakul@bitblocks.com>
Cc: "Alan Somers" <asomers@freebsd.org>, "FreeBSD Net" <freebsd-net@freebsd.org>
Subject: Re: pf & NAT issue
Message-ID: <B36B8AAB-3E8C-4DAD-98F3-B4A18EE74CE5@FreeBSD.org>
In-Reply-To: <20170120203106.CD2C8124AEA4@mail.bitblocks.com>
References: <20170120083555.ACCF9124AEA4@mail.bitblocks.com>
    <7C29D00C-94C0-4550-B1B2-CE307482B544@FreeBSD.org>
    <CAOtMX2hTcEkw_WzgtcEEipGY391zB=skrk7O=dknRMMG%2BDa%2BBA@mail.gmail.com>
    <20170120203106.CD2C8124AEA4@mail.bitblocks.com>

On 20 Jan 2017, at 21:31, Bakul Shah wrote:
> $ pfctl -s info
> Status: Enabled for 167 days 13:40:11           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                        0
>   searches                      2870986757          198.3/s  # this seems high...
>   inserts                          3428240            0.2/s
>   removals                         3428240            0.2/s
> Counters
>   match                         1482741914          102.4/s
>   bad-offset                             0            0.0/s
>   fragment                               1            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                             31            0.0/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                     28931            0.0/s

You gave a decent number of state-mismatch errors here. It’s worth
checking if that number increments whenever you see a dropped NAT
connection.

Regards,
Kristof
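
The check suggested in the reply above, as an added example that is not part of the original message: read the cumulative state-mismatch total out of `pfctl -s info` text and report how far it moved between two snapshots. The function names and the sample snapshot values are made up for illustration.

```shell
#!/bin/sh
# Added example: track pf's state-mismatch counter between snapshots.

# Print the cumulative state-mismatch total from `pfctl -s info` text on stdin.
# Tolerates mail-style "> " quoting in front of the counter name.
mismatch_total() {
    awk '{ sub(/^[> \t]+/, "") }
         $1 == "state-mismatch" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# Print how many mismatches occurred between two snapshot files.
# A smaller "after" value means the counters were reset (pf restarted or
# `pfctl -F info`), so the delta is reported as unknown, not negative.
mismatch_delta() {
    before=$(mismatch_total < "$1") || return 2
    after=$(mismatch_total < "$2") || return 2
    if [ "$after" -lt "$before" ]; then
        echo "reset"
    else
        echo $((after - before))
    fi
}

# Live use on the pf host (needs root): log a line whenever the counter moves,
# so the timestamps can be compared with the times NAT connections dropped.
watch_mismatch() {
    interval=${1:-10}
    prev=$(pfctl -s info | mismatch_total) || return 2
    while sleep "$interval"; do
        cur=$(pfctl -s info | mismatch_total) || return 2
        [ "$cur" -ne "$prev" ] && echo "$(date '+%F %T') state-mismatch $prev -> $cur"
        prev=$cur
    done
}

# Constructed sample snapshots (values made up for the demo).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'Counters' '  match  1482741914  102.4/s' \
        '  state-mismatch                     28931            0.0/s' > "$tmp/a"
    printf '%s\n' '> Counters' '> state-mismatch 28934 0.0/s' > "$tmp/b"
    mismatch_delta "$tmp/a" "$tmp/b"
    rm -rf "$tmp"
}

demo
```

On the firewall itself, `watch_mismatch 5` polls every five seconds; a counter that moves at the moment a NAT connection drops ties the two together.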