From: "Kian Mohageri"
Date: Tue, 6 Feb 2007 13:51:55 -0800
To: "Michael K. Smith - Adhost"
Cc: freebsd-pf@freebsd.org
Subject: Re: PFSync Not Working Correctly

On 2/6/07, Michael K. Smith - Adhost wrote:
>
> Hello All:
>
> I have two 6.2 RELEASE servers working in failover mode as PF Load
> Balancers. When the MASTER box is failed (through reboot or interface
> shutdown, etc.) the BACKUP box becomes MASTER as expected, but
> connections that existed through the MASTER before the failover do not
> transfer as expected to the new MASTER. New connections work
> immediately.
>
> When I issue a 'pfctl -vvss' the established connection shows up
> correctly in the state tables on both machines, so I would expect the
> established connection to work immediately upon failover.
>
> If anyone has any insights I'd be grateful. I can also post any
> relevant output or config snippets if someone thinks they would help.

Increase pf verbosity, and also tcpdump -i pflog0 (you do block log,
right?) on your new MASTER when connections are failing. That will tell
you if there is a state mismatch going on when connections fail over.
You first want to make sure the mid-connection packets are even reaching
the new master.

--
Kian Mohageri
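
Added example, not part of the original message or of pf: one way to read a pflog0 capture taken on the new MASTER for the check suggested above, separating "mid-connection packets arrive but are blocked" from "nothing was logged for that client". It assumes the line shape printed by recent tcpdump with -n -e and a ruleset whose block rule logs; the addresses, rule numbers and function names are constructed for illustration.

```python
import re

# Assumed line shape of `tcpdump -n -e -i pflog0` output (recent tcpdump):
#   <time> rule N/0(reason): block in on IFACE: SRC.PORT > DST.PORT: Flags [..], ...
PFLOG_RE = re.compile(
    r"rule (?P<rule>\S+)\((?P<reason>[\w-]+)\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_pflog(lines):
    """Yield one dict per TCP pflog line; lines of any other shape are skipped."""
    for line in lines:
        m = PFLOG_RE.search(line)
        if m:
            yield m.groupdict()

def failover_verdict(lines, client, vip):
    """Classify what the new MASTER logged for client -> vip TCP traffic.

    client and vip are 'addr.port' strings as tcpdump -n prints them.
    Returns (verdict, sorted list of (rule, reason) pairs that blocked).
    """
    seen = [e for e in parse_pflog(lines)
            if e["src"] == client and e["dst"] == vip]
    if not seen:
        # Nothing logged: the packets may not be reaching this box at all,
        # or the rules they hit do not log.
        return "not-logged", []
    # A blocked segment without SYN belongs to a connection that already
    # existed, so pf had no usable state for it on this box.
    mid = [e for e in seen if e["action"] == "block" and "S" not in e["flags"]]
    if mid:
        return ("blocked-mid-connection",
                sorted({(e["rule"], e["reason"]) for e in mid}))
    return "no-mid-connection-blocks", []

# Constructed sample capture (documentation addresses, not from the thread).
SAMPLE = """\
14:02:11.100201 rule 4/0(match): block in on em0: 203.0.113.7.51514 > 192.0.2.10.80: Flags [P.], seq 1:201, ack 1, win 1026, length 200
14:02:11.400377 rule 4/0(match): block in on em0: 203.0.113.7.51514 > 192.0.2.10.80: Flags [P.], seq 1:201, ack 1, win 1026, length 200
14:02:12.000912 rule 7/0(match): pass in on em0: 203.0.113.9.40022 > 192.0.2.10.80: Flags [S], seq 99, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    for client in ("203.0.113.7.51514", "203.0.113.9.40022", "203.0.113.50.1234"):
        print(client, failover_verdict(SAMPLE, client, "192.0.2.10.80"))
```

A "not-logged" result for a connection that is known to be stalling points at the traffic not arriving on the new MASTER, which is the first thing the reply says to rule out.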