10.3 pfsync large difference between number of states on two firewalls
Patrick Lamaiziere
patfbsd at davenulle.org
Mon Oct 24 12:59:35 UTC 2016
(trying freebsd-pf)
Hello,
I have a pair of firewalls with carp, pf and pfsync and I see a large
difference between the number of states (pfctl -si, current entries) on
the firewalls. The pfsync link is a 10 GB link with around 20 Kpps on
load (don't think it's the issue).
pf1 is the master with 807598 states,
pf2 is the backup with 1696258 states
There is only small traffic from / to the firewalls that can explain
this difference.
I'm looking on the states (but it's not easy on real traffic) and I've
found some states not present in pf1, but still present in pf2.
One state was in state tcp ESTABLISHED:ESTABLISHED with an expire age
around 23:55:00 (the default of a tcp timeout) and I can confirm that
the tcp session was ended (with netflow traces) and started 5 minutes
ago.
So it looks like sometimes pf2 misses (or pf1 does not send) some state
updates.
I say "sometimes" because with the rates of states inserts here, I think
that if this is always the case, the states table on pf2 would have
already exploded.
I would like to know if someone is seeing this kind of difference. Even
an "it works for me" will be helpful.
Thanks, regards.
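One way to pin down which states linger on the backup, as an added example that is not from the post or from FreeBSD: it parses two saved `pfctl -vvss` dumps (one per firewall), keys each state by the pfsync id/creatorid pair, and reports backup-only TCP states that are still close to the full established timeout. The layout of the constructed sample dumps is an assumption; check it against the output of your own pfctl before relying on the regexes.

```python
import re

# Constructed sample dumps in the `pfctl -vvss` layout this script assumes
# (one header line per state, indented detail lines with "expires in" and "id:").
PF1_DUMP = """\
all tcp 10.0.0.10:443 <- 192.0.2.5:51234       ESTABLISHED:ESTABLISHED
   age 00:05:12, expires in 23:54:48, 1234:5678 pkts, 123456:789012 bytes, rule 12
   id: 0000000057ff4a1c00000001 creatorid: 1a2b3c4d
all udp 10.0.0.10:53 -> 198.51.100.7:53       MULTIPLE:SINGLE
   age 00:00:10, expires in 00:00:50, 2:2 pkts, 200:400 bytes, rule 8
   id: 0000000057ff4a1c00000002 creatorid: 1a2b3c4d
"""
# The backup carries one extra state: a closed session the master already dropped.
PF2_DUMP = PF1_DUMP + """\
all tcp 10.0.0.10:22 <- 192.0.2.9:40001       ESTABLISHED:ESTABLISHED
   age 00:05:00, expires in 23:55:00, 40:38 pkts, 4000:3800 bytes, rule 12
   id: 0000000057ff4a1c00000003 creatorid: 1a2b3c4d
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s{2,}(\S+)$")
EXPIRES_RE = re.compile(r"expires in (\d+):(\d+):(\d+)")
ID_RE = re.compile(r"id: ([0-9a-f]+) creatorid: ([0-9a-f]+)")


def parse_states(dump):
    """Map (id, creatorid) -> {proto, flow, state, expires_s} for one dump."""
    states, cur = {}, None
    for line in dump.splitlines():
        if not line.startswith(" "):  # header line opens a new state entry
            m = HEADER_RE.match(line.rstrip())
            cur = {"proto": m.group(2), "flow": m.group(3), "state": m.group(4)}
            continue
        if m := EXPIRES_RE.search(line):
            h, mi, s = map(int, m.groups())
            cur["expires_s"] = h * 3600 + mi * 60 + s
        if m := ID_RE.search(line):  # id/creatorid is what pfsync keys on
            states[(m.group(1), m.group(2))] = cur
    return states


def backup_only(master_dump, backup_dump):
    """States present on the backup that the master no longer has."""
    master, backup = parse_states(master_dump), parse_states(backup_dump)
    return {k: v for k, v in backup.items() if k not in master}


def suspicious(states, min_expire_s=23 * 3600):
    """Backup-only TCP states still near the full established timeout: the
    master closed them but the backup never saw the delete/update."""
    return {k: v for k, v in states.items()
            if v["proto"] == "tcp" and v["state"] == "ESTABLISHED:ESTABLISHED"
            and v["expires_s"] >= min_expire_s}
```

Run `suspicious(backup_only(open("pf1.txt").read(), open("pf2.txt").read()))` on dumps taken at the same moment on both hosts; states that keep showing up across several snapshots are the ones pfsync never deleted.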