From: "Bill Marquette"
To: "freebsd-pf@freebsd.org"
Date: Wed, 22 Aug 2007 14:42:26 -0500
Subject: pfsync errors
Message-ID: <55e8a96c0708221242h2d5e7d15q847e6fac7cf60554@mail.gmail.com>

For the last two days I've been troubleshooting a weird issue where my secondary firewall in a pfsync/carp cluster isn't maintaining a state table similar in size to the primary - it's slowly increasing to the max size. I think I've finally tracked it down to ip_output() returning an error, but at this point I'm lost. The interfaces show no errors, this box happily ran OpenBSD for the last three years with no similar errors and has only started exhibiting this behavior after converting it. I'm seeing this on multiple boxes, but am spending my time troubleshooting just one. Any advice/assistance would be greatly appreciated, I'm at a loss and this is affecting my production environment.

We're running RELENG_6_2, NICs are Intel PRO/1000's (copper, but the cat-5e cable is a direct run to the 6513 switch one cabinet over - 15ft cable).

This is a netstat from the primary machine, the secondary has been failed over to a couple times and looks similar (although interestingly the cluster seems to handle being on the secondary box better)

# netstat -s -p pfsync
pfsync:
        409302985 packets received (IPv4)
        0 packets received (IPv6)
        0 packets discarded for bad interface
        0 packets discarded for bad ttl
        0 packets shorter than header
        0 packets discarded for bad version
        0 packets discarded for bad HMAC
        0 packets discarded for bad action
        0 packets discarded for short packet
        0 states discarded for bad values
        0 stale states
        16980281 failed state lookup/inserts
        1541416698 packets sent (IPv4)
        0 packets sent (IPv6)
        0 send failed due to mbuf memory error
        182754275 send error

# netstat -i -Iem2
Name   Mtu Network       Address               Ipkts Ierrs      Opkts Oerrs  Coll
em2   1500               00:04:23:a6:b7:be 409328713    27 1359271127     0     0
em2   1500 192.168.100.2 l4dupfw140-sync   409327567     - 1359270884     -     -

Thanks

--Bill