From: David DeSimone <fox@verio.net>
To: freebsd-net@freebsd.org
Date: Fri, 26 May 2006 17:19:10 -0500
Subject: How to force full sync using pfsync?
Message-ID: <20060526221909.GA31000@verio.net>

I have a strange problem between two PF firewalls in a cluster, with pfsync enabled. When I reboot one of the cluster members, the state tables do synchronize and populate with some of the same connection states, but not all of them.

In particular, long-lived, extant connections seem to never show up in the rebooted member's state table.

I figured that doing ifconfig down/up would send some sort of "full sync" message between the two members, to cause the entire state table to be sent in bulk. But, no such behavior seems to come about.

It seems to me that only connection updates are being sent between the cluster members. There is no "full sync" done at startup.

Do I misunderstand? Is there a misconfiguration that can lead to this strange behavior?

-- 
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley
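One check an operator would want before chasing a pfsync misconfiguration is to measure the divergence directly: capture `pfctl -s states` on both members and list the flows, above all the long-lived ESTABLISHED ones the post describes, that the rebooted member never received. The script below is an added example, not part of the original post or of pf/pfsync; the state-line layout it parses and the sample captures are assumptions, constructed here.

```python
"""Diff pf state tables captured from two pfsync peers (added example, not
from the original post).  Assumes each capture is the text output of
`pfctl -s states`; the line layout below is assumed from pfctl's usual
format, so adjust STATE_RE if your release prints something different."""
import re

# <iface> <proto> <src[:port]> [(nat)] -> | <- <dst[:port]> [(nat)]  <state>
STATE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\(\S+\))?\s+(->|<-)\s+(\S+)(?:\s+\(\S+\))?\s+(\S+)$"
)

def parse_states(text):
    """Map (proto, endpoint_a, direction, endpoint_b) -> state string.
    The interface column is ignored: members may name interfaces differently.
    Lines that do not match the expected layout are skipped, not guessed at."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m is None:
            continue
        _iface, proto, a, direction, b, state = m.groups()
        states[(proto, a, direction, b)] = state
    return states

def missing_states(primary_text, peer_text):
    """Flows the primary holds that the peer does not hold at all."""
    peer = parse_states(peer_text)
    return sorted(k for k in parse_states(primary_text) if k not in peer)

def missing_established(primary_text, peer_text):
    """Missing flows that are fully established TCP sessions: the long-lived
    connections that never reach the rebooted member.  Half-closed or
    short-lived states are expected to diverge briefly and are not flagged."""
    primary = parse_states(primary_text)
    return [k for k in missing_states(primary_text, peer_text)
            if k[0] == "tcp" and primary[k] == "ESTABLISHED:ESTABLISHED"]

# Constructed sample captures, not real firewall output.
PRIMARY = """\
all tcp 10.0.0.5:22 <- 192.168.1.10:51000       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:80 <- 192.168.1.11:51001       FIN_WAIT_2:FIN_WAIT_2
all udp 10.0.0.5:53 <- 192.168.1.12:51002       MULTIPLE:SINGLE
all tcp 192.168.1.10:51003 -> 203.0.113.7:443       ESTABLISHED:ESTABLISHED
"""
REBOOTED_PEER = """\
all tcp 10.0.0.5:80 <- 192.168.1.11:51001       FIN_WAIT_2:FIN_WAIT_2
all udp 10.0.0.5:53 <- 192.168.1.12:51002       MULTIPLE:SINGLE
"""
```

Run `missing_established(PRIMARY, REBOOTED_PEER)` against real captures taken a minute or so after the rebooted member comes up; a stable non-empty result is the symptom worth reporting, whereas a list that empties on its own is just pfsync catching up on updates.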