Res: Dropped Packets
Lorenz Helleis
lorenzhelleis at yahoo.com.br
Fri Mar 7 16:39:34 UTC 2008
I don't think that it is a hardware problem; sometimes the "congestion" rate increases to 1500.0/s and "state-mismatch" to 300.0/s. I don't know if that is normal...
I think the connections are being dropped when the number of packets on the network increases a lot.
Can you tell me about your firewall? I will need to install a bigger one here, and I'm a little afraid to do it. Can you show me some configuration? The traffic of your network, hardware, connections?
Look at some configurations.... do I need to increase something?
# pfctl -sm
states          hard limit   100000
src-nodes       hard limit    10000
frags           hard limit     5000
tables          hard limit     1000
table-entries   hard limit   200000
# top
load averages: 0.20, 0.12, 0.09 13:29:40
35 processes: 34 idle, 1 on processor
CPU0 states: 0.6% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.7% idle
CPU1 states: 0.1% user, 0.0% nice, 0.2% system, 0.0% interrupt, 99.7% idle
# vmstat -i
interrupt              total    rate
irq0/clock         257506609     199
irq0/ipi           183393879     142
irq81/em0         8638587188    6706
irq83/skc0        6011660768    4667
irq80/fxp0        2292732543    1779
irq64/ahc0           7012560       5
irq112/pckbc0              8       0
Total            17390893555   13501
# pfctl -si
State Table                     Total             Rate
  current entries                5005
  searches                30026832082       441000.4/s
  inserts                   406964726         5977.0/s
  removals                  406959721         5977.0/s
Counters
  match                     417436387         6130.8/s
  bad-offset                        0            0.0/s
  fragment                       1939            0.0/s
  short                           154            0.0/s
  normalize                     34858            0.5/s
  memory                            0            0.0/s
  bad-timestamp                     0            0.0/s
  congestion                   834349           12.3/s
  ip-option                        24            0.0/s
  proto-cksum                    5572            0.1/s
  state-mismatch               491286            7.2/s
Proverbs 1:27
But God chose the foolish things of this world to confound the
wise; and God chose the weak things of this world to confound the
strong;
----- Original Message ----
From: Chris Marlatt <cmarlatt at rxsec.com>
To: Lorenz Helleis <lorenzhelleis at yahoo.com.br>
Cc: freebsd-pf at freebsd.org
Sent: Friday, March 7, 2008 12:26:03
Subject: Re: Dropped Packets
Lorenz Helleis wrote:
> Hello.
>
> I have a firewall with 75,000 simultaneous connections, and I set the limit to 100,000.
>
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase the other values, like tables, src-nodes.... How do I know if everything is OK with the other values?
>
> What happens if the number of connections reaches the limit of 100,000? Will it drop the idle connections? Or what?
>
>
From my experience new connections will appear to time out as PF has no
more sessions available for new connections. As sessions die off
organically new connections will be permitted, but there is nothing
actively killing old / idle connections to make way for new sessions if
the limit is reached.
Depending on how much memory you have you should be fine increasing the
max session limit. I've had some of my firewalls over 1,000,000 sessions
without a problem.
You may want to check your switch for errors and watch your interface
(netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
cpu usage are you seeing when you start dropping the packets?
Regards,
Chris
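The thread leaves the reader to work out from raw `pfctl -sm` / `pfctl -si` output whether the state table is near its hard limit and which drop counters are moving. The script below is an added example, not code from either poster or from the pf project: it parses that output, reports state-table utilization, and lists every counter with a non-zero per-second rate. The SAMPLE_SM and SAMPLE_SI strings are constructed from the numbers posted above; the 80% warning threshold is an assumption, and the one-line interpretations of the memory, congestion and state-mismatch counters are the editor's, so check them against pf(4) for your release.

```shell
#!/bin/sh
# Added example (not from the thread): summarise pf state-table pressure
# from `pfctl -sm` and `pfctl -si` output. SAMPLE_SM / SAMPLE_SI are
# constructed from the figures posted in the thread; on a live firewall
# call `report "$(pfctl -sm)" "$(pfctl -si)"` instead.

SAMPLE_SM='states hard limit 100000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000'

SAMPLE_SI='State Table Total Rate
current entries 5005
searches 30026832082 441000.4/s
inserts 406964726 5977.0/s
removals 406959721 5977.0/s
Counters
match 417436387 6130.8/s
bad-offset 0 0.0/s
fragment 1939 0.0/s
short 154 0.0/s
normalize 34858 0.5/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 834349 12.3/s
ip-option 24 0.0/s
proto-cksum 5572 0.1/s
state-mismatch 491286 7.2/s'

# Hard limit of one pf memory pool (states, src-nodes, frags, ...).
# stdin: pfctl -sm output; $1: pool name.
pf_limit() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" { print $NF }'
}

# Number of states currently in the table. stdin: pfctl -si output.
pf_states() {
    awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# Integer percentage of the state limit in use. $1: current, $2: limit.
state_utilization() {
    echo $(( $1 * 100 / $2 ))
}

# Counters whose per-second rate is non-zero, printed as "name rate".
# The throughput lines (searches, inserts, removals, match) are skipped
# because they are always non-zero on a busy firewall.
# stdin: pfctl -si output.
busy_counters() {
    awk '$NF ~ "/s$" && $1 !~ "^(searches|inserts|removals|match)$" {
        rate = $NF; sub("/s$", "", rate)
        if (rate + 0 > 0) print $1, rate
    }'
}

# Print a short report. $1: pfctl -sm text, $2: pfctl -si text.
report() {
    limit=$(printf '%s\n' "$1" | pf_limit states)
    cur=$(printf '%s\n' "$2" | pf_states)
    pct=$(state_utilization "$cur" "$limit")
    echo "states: $cur of $limit in use (${pct}%)"
    # 80% is an assumed threshold; the thread only says the limit must not be hit.
    if [ "$pct" -ge 80 ]; then
        echo "WARNING: state table near its hard limit; new connections time out once it is full"
    fi
    printf '%s\n' "$2" | busy_counters | while read -r name rate; do
        case $name in
        memory)
            # Editor's reading: in pf of this era the states hard limit is a
            # pool limit, so a state that cannot be allocated lands here.
            echo "ALERT: memory ${rate}/s: states could not be allocated (limit reached or pool exhausted)" ;;
        congestion)
            echo "NOTE: congestion ${rate}/s: packets pf dropped while the kernel signalled input-queue congestion" ;;
        state-mismatch)
            echo "NOTE: state-mismatch ${rate}/s: packets that matched a state but failed its checks (typically the TCP window check)" ;;
        *)
            echo "counter ${name}: ${rate}/s" ;;
        esac
    done
}

report "$SAMPLE_SM" "$SAMPLE_SI"
```

Run it on the sample and it reports 5% utilization with congestion at 12.3/s and state-mismatch at 7.2/s, which matches the poster's own reading that the state table itself is not full. Running it from cron at the moments the poster sees the 1500/s congestion spikes would show whether the memory counter stays at zero, which is the quickest way to tell a state-limit problem from an interface or input-queue one.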