On 2014-10-09, Nicolas Christener <[email protected]> wrote:
> Besides those steps we also disabled one of the boxes by stopping ospf
> and removing the carp interfaces - however, the disconnects didn't go
> away.

I was going to suggest that you might have asymmetric routing causing "split states", i.e. one firewall seeing inbound packets, one seeing outbound, in which case "ifconfig pfsync0 defer" might help, but (assuming you weren't just seeing issues from connections which had been set up before disabling one firewall) the above test would seem to rule that out.

What does the output of "sysctl kern.netlivelocks net.inet.ip.ifq" look like?

