From: Patrick Lamaiziere
To: freebsd-questions@freebsd.org
Date: Fri, 21 Oct 2016 16:00:26 +0200
Subject: Re: 10.3 pfsync large difference between number of states on two firewalls
Message-ID: <20161021160026.73cac1a2@mr185083>
In-Reply-To: <20161021155728.14833c0b@mr185083>

On Fri, 21 Oct 2016 15:57:28 +0200, Patrick Lamaiziere wrote:

> Hello,
>
> I have a pair of firewalls with carp, pf and pfsync and I see a large
> difference between the number of states (pfctl -si, current entries)
> on the firewalls.
>
> pf1 is the master with 807598 states,
> pf2 is the backup with 1696258 states
>
> There is only small traffic from / to the firewalls that can explain
> this difference.
>
> I'm looking at the states (but it's not easy on real traffic) and I've
> found some states not present in pf1, but still present in pf2.
>
> One state was in state tcp ESTABLISHED:ESTABLISHED with an expire age
> around 23:55:00 (the default of a tcp timeout) and I can confirm that
> the tcp session was ended (with netflow traces) and started 5 minutes
> ago.
>
> So it looks like sometimes pf2 misses (or pf1 does not send) some
> state updates.
>
> I say "sometimes" because with the rate of state inserts here, I
> think that if this were always the case, the state table on pf2 would
> have already exploded.
>
> I would like to know if someone is seeing this kind of difference.
> Even an "it works for me" will be helpful.

Forgot to say: the physical sync link is a 10 Gbps link with around 20 kpps on load; I don't think the issue is on this link.

Regards,
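The comparison described in the thread (states still held by the backup that the master no longer has) can be automated. The following is an added example, not code from the poster or from FreeBSD: it parses saved `pfctl -vvss` output from both firewalls, keyed on interface, protocol, direction and endpoints, and lists backup-only states older than a threshold so that states created in the last moments, which pfsync may simply not have replicated yet, are not counted. The sample tables and the `pfctl -vvss` line layout it matches are constructed assumptions; capture both tables at the same instant for a meaningful diff.

```python
import re

# Constructed sample of `pfctl -vvss` output from each firewall (not real data).
# State line: "<if> <proto> <addr:port> <dir> <addr:port>   <STATE:STATE>", then
# in verbose mode an "   age HH:MM:SS, expires in HH:MM:SS, ..." line.
PF1_MASTER = """\
all tcp 192.0.2.10:51234 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
   age 00:02:10, expires in 23:57:50, 120:98 pkts, 9000:7000 bytes
all udp 192.0.2.11:40000 -> 198.51.100.53:53       MULTIPLE:SINGLE
   age 00:00:20, expires in 00:00:40, 2:2 pkts, 200:300 bytes
"""
PF2_BACKUP = """\
all tcp 192.0.2.10:51234 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
   age 00:02:10, expires in 23:57:50, 120:98 pkts, 9000:7000 bytes
all tcp 192.0.2.20:50001 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
   age 00:05:00, expires in 23:55:00, 40:30 pkts, 3000:2000 bytes
all udp 192.0.2.11:40000 -> 198.51.100.53:53       MULTIPLE:SINGLE
   age 00:00:20, expires in 00:00:40, 2:2 pkts, 200:300 bytes
"""

STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(<-|->|<->)\s+(\S+)\s+(\S+)$")
AGE_RE = re.compile(r"^\s+age\s+(\S+),\s+expires in\s+(\S+),")

def hms_to_seconds(hms):
    """Convert pfctl's HH:MM:SS (hours may exceed 24) to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_states(text):
    """Map (iface, proto, src, dir, dst) -> {'state', 'age', 'expires'}."""
    states, key = {}, None
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            key = m.group(1, 2, 3, 4, 5)
            states[key] = {"state": m.group(6), "age": None, "expires": None}
            continue
        m = AGE_RE.match(line)
        if m and key is not None:   # age/expires belong to the preceding state line
            states[key]["age"], states[key]["expires"] = m.group(1), m.group(2)
    return states

def orphaned_on_backup(master_text, backup_text, min_age_s=60):
    """States present on the backup but absent on the master and at least
    min_age_s old; younger ones may just not have been synced yet."""
    master, backup = parse_states(master_text), parse_states(backup_text)
    return {k: v for k, v in backup.items()
            if k not in master and hms_to_seconds(v["age"] or "00:00:00") >= min_age_s}
```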