Fwd: pf + pfsync + carp testing ...

Daniel Hartmeier daniel at benzedrine.cx
Thu Mar 3 01:38:12 GMT 2005


On Wed, Mar 02, 2005 at 05:19:38PM -0600, Matthew Grooms wrote:

>      On a slightly more depressing note, I don't think that state via 
> pfsync seems to be working right between the two firewalls. Sometimes ( 
> maybe every 1 out of 4 tries ) when the interfaces fail over, the 
> traffic flow stops. The reason why I believe it is a state sync issue is 
> that new connections can always be opened even while the previously 
> opened connections are stalled. This doesn't always happen when an 
> interface is going down either. It happens just as often when an 
> interface is coming back up and reclaims a MASTER state. Any ideas?

It would help isolate the problem if you can provide the output of pfctl
-vvss for one such stalling connection on both boxes, for comparison.

The obvious requirement is that the state is actually present on the
secondary box. If it is present, maybe we spot an inconsistency between
the two state entries. If they look the same, maybe you can get a
tcpdump -vvvS for the stalled connection (which matches the state
entry).

If the state is not present on the secondary, a tcpdump -nvvvei pfsync0
over the time between when the state was created on the primary and when
it should have arrived at the secondary would help.

Daniel
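An added example, not from this thread, of the comparison Daniel suggests: parse a saved `pfctl -vvss` dump from each box and report states the secondary lacks, or whose state name, sequence window or pfsync id disagree with the primary's. The dump text, addresses and ids below are constructed to resemble pfctl output and are not copied from any real firewall.

```python
import re

# Constructed sample output in the style of `pfctl -vvss` on the primary (MASTER)
# and secondary (BACKUP). Addresses, sequence numbers, ids and layout are made up.
PRIMARY = """\
self tcp 192.0.2.10:22 <- 198.51.100.5:40000       ESTABLISHED:ESTABLISHED
   [1000 + 65535] wscale 3  [2000 + 65535] wscale 7
   age 00:01:23, expires in 23:58:37, 120:110 pkts, 9000:8000 bytes, rule 5
   id: 0000000042000001 creatorid: 0a0b0c0d
self udp 192.0.2.10:53 <- 198.51.100.5:40001       MULTIPLE:MULTIPLE
   age 00:00:10, expires in 00:00:50, 3:3 pkts, 300:300 bytes, rule 7
   id: 0000000042000002 creatorid: 0a0b0c0d
"""
SECONDARY = """\
self tcp 192.0.2.10:22 <- 198.51.100.5:40000       ESTABLISHED:ESTABLISHED
   [1000 + 65535] wscale 3  [2000 + 1024] wscale 7
   age 00:01:20, expires in 23:58:40, 100:90 pkts, 8000:7000 bytes, rule 5
   id: 0000000042000001 creatorid: 0a0b0c0d
"""

HEADER = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(<-|->|<->)\s+(\S+)\s+(\S+)$')

def parse_states(text):
    """Return {(proto, src, dir, dst): {'state', 'window', 'id'}}; age and counters
    legitimately differ between peers, so they are dropped."""
    states, cur = {}, None
    for line in text.splitlines():
        if not line.startswith(' '):
            m = HEADER.match(line.strip())
            cur = m and states.setdefault(m.group(2, 3, 4, 5),
                                          {'state': m.group(6), 'window': [], 'id': []})
        elif cur:
            field = line.strip()
            if field.startswith('['):
                cur['window'].append(field)   # seq/window bounds, one per direction
            elif field.startswith('id:'):
                cur['id'].append(field)       # pfsync state id and creator id
    return states

def compare_states(primary_text, secondary_text):
    """States absent on the secondary, plus states whose name, window or id differ;
    either can explain an old connection stalling after failover while new ones work."""
    p, s = parse_states(primary_text), parse_states(secondary_text)
    missing = [k for k in p if k not in s]
    differing = {}
    for k in p:
        if k in s:
            fields = {f: (p[k][f], s[k][f]) for f in ('state', 'window', 'id')
                      if p[k][f] != s[k][f]}
            if fields:
                differing[k] = fields
    return {'missing': missing, 'differing': differing}
```

On a real pair, save `pfctl -vvss` from both boxes while a connection is stalled and pass the two files' contents in place of the constructed strings.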

