Date: Wed, 5 Sep 2007 14:31:10 -0600
From: "Rian Shelley" <rians@cc.usu.edu>
To: freebsd-pf@freebsd.org
Subject: pfsync errors
Message-ID: <e667a90b0709051331x35cafdfw50ee0be40969aa30@mail.gmail.com>
As far as I can tell, I am having the same problem described by Bill Marquette. I have two firewalls using pfsync, where the secondary firewall just increases its state count steadily. I created a simple libpcap program to watch the pfsync headers flowing by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ, PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which are the ones that delete state. As far as I can tell, states are pumped across the link, but never removed and are left to time out on their own.

I'd like to add myself as another datapoint for this problem. Currently I am getting about 15k send errors per second, and I'm up to 1.8 million states on the secondary firewall :D

# while true; do netstat -s -p pfsync | grep send\ error; sleep 1; done
2096018860 send error
2096036208 send error
2096052950 send error
2096070675 send error
2096089621 send error
2096106671 send error
2096121646 send error
2096138996 send error
2096158012 send error
2096177555 send error
2096194727 send error
2096216490 send error
2096238626 send error

[root@secondary /]# pfctl -si
Status: Enabled for 1 days 00:06:01           Debug: Urgent
Hostid: 0x97bb3fdc

State Table                        Total             Rate
  current entries                1877429

[root@primary /]# pfctl -si
Status: Enabled for 2 days 06:54:26           Debug: Urgent
Hostid: 0x85c326db

State Table                        Total             Rate
  current entries                 172889
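The check the post describes, tallying pfsync action codes and flagging a stream that carries inserts/updates but no deletes, as an added example (not the poster's libpcap program). It assumes the version-3 pfsync header layout (version, af, action, count, 16-byte pf_chksum) and works on constructed sample datagrams; on a real capture you would feed it the payload of each IP protocol 240 packet.

```python
import struct
from collections import Counter

# pfsync action codes as numbered in the post (PFSYNC_ACT_* of that era).
PFSYNC_ACTIONS = {0: "CLR", 1: "INS", 2: "UPD", 3: "DEL", 4: "UPD_C",
                  5: "DEL_C", 6: "INS_F", 7: "DEL_F", 8: "UREQ", 9: "BUS"}
STATE_ADD_ACTIONS = {1, 2, 4}   # INS, UPD, UPD_C insert or refresh a state on the peer
STATE_DEL_ACTIONS = {3, 5}      # DEL, DEL_C remove it

# Assumed (not taken from the post): version-3 pfsync header layout of
# version, af, action, count, then a 16-byte pf_chksum, all network order.
HDR_FMT = "!BBBB16s"
HDR_LEN = struct.calcsize(HDR_FMT)


def parse_pfsync_header(payload):
    """Return the header fields of one pfsync datagram payload (IP proto 240)."""
    if len(payload) < HDR_LEN:
        raise ValueError("truncated pfsync header")
    version, af, action, count, _chksum = struct.unpack(HDR_FMT, payload[:HDR_LEN])
    if action not in PFSYNC_ACTIONS:
        raise ValueError("unknown pfsync action %d" % action)
    return {"version": version, "af": af, "action": action, "count": count}


def tally_actions(payloads):
    """Sum the per-header 'count' field by action code over many datagrams."""
    tally = Counter()
    for payload in payloads:
        hdr = parse_pfsync_header(payload)
        tally[hdr["action"]] += hdr["count"]
    return tally


def diagnose(tally):
    """Flag the symptom from the post: states arrive but delete actions never do."""
    adds = sum(n for a, n in tally.items() if a in STATE_ADD_ACTIONS)
    dels = sum(n for a, n in tally.items() if a in STATE_DEL_ACTIONS)
    seen = sorted(PFSYNC_ACTIONS[a] for a in tally)
    return {"adds": adds, "deletes": dels, "seen": seen,
            "deletes_missing": adds > 0 and dels == 0}


def make_header(action, count, version=3, af=2):
    """Build a constructed header (zero checksum) for offline testing."""
    return struct.pack(HDR_FMT, version, af, action, count, b"\x00" * 16)


# Constructed sample mirroring the mix reported in the post: only UREQ, UPD_C, UPD.
SAMPLE_PAYLOADS = [make_header(8, 1), make_header(4, 5),
                   make_header(2, 3), make_header(4, 2)]

if __name__ == "__main__":
    print(diagnose(tally_actions(SAMPLE_PAYLOADS)))
```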
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?e667a90b0709051331x35cafdfw50ee0be40969aa30>