10.3 pfsync large difference between number of states on two firewalls
Patrick Lamaiziere
patfbsd at davenulle.org
Fri Oct 21 14:00:40 UTC 2016
On Fri, 21 Oct 2016 15:57:28 +0200,
Patrick Lamaiziere <patfbsd at davenulle.org> wrote:
> Hello,
>
> I have a pair of firewalls with carp, pf and pfsync and I see a large
> difference between the number of states (pfctl -si, current entries)
> on the firewalls.
>
> pf1 is the master with 807598 states,
> pf2 is the backup with 1696258 states
>
> There is only small traffic from / to the firewalls that can explain
> this difference.
>
> I'm looking on the states (but it's not easy on real traffic) and I've
> found some states not present in pf1, but still present in pf2.
>
> One state was in state tcp ESTABLISHED:ESTABLISHED with an expire age
> around 23:55:00 (the default of a tcp timeout) and I can confirm that
> the tcp session was ended (with netflow traces) and started 5 minutes
> ago.
>
> So it looks like sometimes pf2 misses (or pf1 does not send) some
> state updates.
>
> I say "sometimes" because with the rates of states inserts here, I
> think that if this is always the case, the states table on pf2 would
> have already exploded.
>
> I would like to know if someone is seeing this kind of difference.
> Even an "it works for me" will be helpful.
Forgot to say:
The physical sync link is a 10 Gbps link with around 20 kpps on load, I
don't think the issue is on this link.
Regards,
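The comparison described in the message (dump the state table on both firewalls, find states the backup still holds that the master no longer has, and check their age and remaining expiry) can be scripted. The following is an added example, not code from the thread or from the FreeBSD project: it parses two `pfctl -vvss` dumps whose format is approximated here and whose contents are constructed (the addresses, ids and creatorids are made up), then reports the backup-only states and flags ESTABLISHED entries whose remaining timeout is close to the full 24:00:00 default for `tcp.established` from pf.conf(5), which is what a state the master already deleted but the backup never learned about would look like. The `slack` window is an assumption chosen for illustration.

```python
"""Diff two pfctl -vvss dumps (master vs. backup) and flag stale states."""
import re

# pf.conf(5) default for tcp.established is 24:00:00.
TCP_ESTABLISHED_TIMEOUT = 24 * 3600

# Header line: "<if> <proto> <src> [(<nat>)] <dir> <dst> [(<nat>)] <state>".
HEADER_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)(?:\s+\((?P<src_nat>[^)]+)\))?"
    r"\s+(?P<dir><->|<-|->)\s+(?P<dst>\S+)(?:\s+\((?P<dst_nat>[^)]+)\))?"
    r"\s+(?P<state>\S+)\s*$"
)
AGE_RE = re.compile(r"age (\d+:\d+:\d+), expires in (\d+:\d+:\d+)")
ID_RE = re.compile(r"id:\s*(\S+)\s+creatorid:\s*(\S+)")


def hms_to_seconds(hms):
    """'23:55:00' -> 86100."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_states(dump):
    """Return {(proto, src, dir, dst): info} from a pfctl -vvss dump."""
    states, current = {}, None
    for line in dump.splitlines():
        m = HEADER_RE.match(line)          # detail lines are indented, so never match
        if m:
            current = {"ifname": m["ifname"], "state": m["state"],
                       "age": None, "expires": None, "creatorid": None}
            states[(m["proto"], m["src"], m["dir"], m["dst"])] = current
            continue
        if current is None:
            continue
        m = AGE_RE.search(line)
        if m:
            current["age"] = hms_to_seconds(m.group(1))
            current["expires"] = hms_to_seconds(m.group(2))
            continue
        m = ID_RE.search(line)
        if m:
            current["creatorid"] = m.group(2)   # which pfsync peer created it
    return states


def backup_only_states(master_dump, backup_dump):
    """States the backup holds but the master does not."""
    master = parse_states(master_dump)
    return {k: v for k, v in parse_states(backup_dump).items() if k not in master}


def suspicious_established(states, slack=600):
    """ESTABLISHED states whose remaining timeout is within `slack` seconds of
    the full default: recently refreshed, yet (if backup-only) already gone
    on the master. `slack` is an illustrative assumption."""
    return [k for k, v in states.items()
            if v["state"] == "ESTABLISHED:ESTABLISHED"
            and v["expires"] is not None
            and v["expires"] >= TCP_ESTABLISHED_TIMEOUT - slack]


# Constructed sample dumps (format approximated from pfctl -vvss, values invented).
MASTER_DUMP = """\
all tcp 10.0.0.5:443 <- 192.168.1.10:51234       ESTABLISHED:ESTABLISHED
   [1234567890 + 65536] wscale 7  [987654321 + 65536] wscale 7
   age 00:20:00, expires in 23:40:00, 120:98 pkts, 15200:9800 bytes, rule 5
   id: 0000000057f0b1a0 creatorid: 0a0b0c01
em0 tcp 203.0.113.1:1024 (192.168.1.10:51234) -> 198.51.100.9:80       ESTABLISHED:ESTABLISHED
   age 00:30:00, expires in 23:30:00, 40:30 pkts, 4000:3000 bytes, rule 9
   id: 0000000057f0b1a1 creatorid: 0a0b0c01
"""
BACKUP_DUMP = MASTER_DUMP + """\
all tcp 10.0.0.5:443 <- 192.168.1.77:40100       ESTABLISHED:ESTABLISHED
   age 00:05:00, expires in 23:55:00, 60:40 pkts, 7000:5000 bytes, rule 5
   id: 0000000057f0b1b2 creatorid: 0a0b0c01
"""

if __name__ == "__main__":
    extra = backup_only_states(MASTER_DUMP, BACKUP_DUMP)
    for key, info in extra.items():
        print("backup-only:", *key, info["state"], "age", info["age"],
              "expires", info["expires"], "creatorid", info["creatorid"])
    print("stale ESTABLISHED candidates:", suspicious_established(extra))
```

On a real pair, replace the two constants with the captured `pfctl -vvss` output of each firewall taken at the same moment; the `creatorid` column tells you whether the orphaned entries were created by the master (so the backup missed a delete or update) or by the backup itself.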