I'm trying to set a longer timeout on a udp state, and for some reason it
seems to be disappearing before the expiration 8-/.

There are 3 rules involved:

pass in quick on vlan110 proto udp from any to port = 9430 tag VOIP_UDP keep state (udp.multiple 360)

pass out quick on $ext_if proto udp tagged VOIP_UDP keep state (udp.multiple 360)

match out on $ext_if from 10.128.0.0/16 nat-to { $ext_vip } sticky-address

I turned on pf debugging; when the connection is created I see:


May 17 15:36:39 lisa /bsd: pf: key search, in on vlan110: UDP wire: (0) 10.128.110.73:9430 198.148.6.55:9430
May 17 15:36:39 lisa /bsd: pf: key setup: UDP wire: (0) 10.128.110.73:9430 198.148.6.55:9430 stack: (0) -
May 17 15:36:39 lisa /bsd: pf: key search, out on em2: UDP wire: (0) 198.148.6.55:9430 10.128.110.73:9430
May 17 15:36:39 lisa /bsd: pf: key setup: UDP wire: (0) 198.148.6.55:9430 96.251.22.157:63529 stack: (0) 198.148.6.55:9430 10.128.110.73:9430

and there are state entries:

all udp 198.148.6.55:9430 <- 10.128.110.73:9430       MULTIPLE:MULTIPLE
   age 00:02:21, expires in 00:05:00, 29:29 pkts, 14166:18501 bytes, rule 63
all udp 96.251.22.157:55205 (10.128.110.73:9430) -> 198.148.6.55:9430       MULTIPLE:MULTIPLE
   age 00:02:21, expires in 00:05:00, 29:29 pkts, 14166:18501 bytes, rule 48, source-track

However, right after the 5 minute mark the states disappear. The last pf log
entries are:

May 17 15:38:47 lisa /bsd: pf: key search, in on vlan110: UDP wire: (0) 10.128.110.73:9430 198.148.6.55:9430
May 17 15:38:47 lisa /bsd: pf: key search, out on em2: UDP wire: (0) 198.148.6.55:9430 10.128.110.73:9430

I was hoping to see something about expiration in the pf debug logs but
this is all that appears to be available.

Any idea why these states would go away when there is 5 minutes left
before the expiration?

Thanks much...
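
Added example, not part of the original post: since the pf debug log says nothing about expiry, one way to pin down when a state vanishes is to compare successive captures of verbose state output (`pfctl -vss`, in the format of the state entries quoted above) and flag states that disappear while time remained on their "expires in" counter. The function names, sample addresses and capture times are constructed for illustration, and each state is assumed to sit on one unwrapped line as pfctl prints it.

```python
import re

DETAIL = re.compile(r"age (\d+):(\d+):(\d+), expires in (\d+):(\d+):(\d+)")

def parse_states(text):
    """Map each state (line minus its state-flags column) to (age_s, expires_s)."""
    states, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: the state itself
            key = " ".join(line.split()[:-1])
            continue
        m = DETAIL.search(line)            # indented line: counters for that state
        if m and key:
            h1, m1, s1, h2, m2, s2 = map(int, m.groups())
            states[key] = (h1 * 3600 + m1 * 60 + s1, h2 * 3600 + m2 * 60 + s2)
    return states

def premature_removals(snapshots):
    """snapshots: [(unix_time, pfctl_text), ...], oldest first.
    Report states that vanished before their last-seen 'expires in' ran out."""
    findings = []
    for (t0, prev), (t1, cur) in zip(snapshots, snapshots[1:]):
        after = parse_states(cur)
        for key, (age, expires) in parse_states(prev).items():
            if key not in after and expires > t1 - t0:
                findings.append({"state": key, "last_seen": t0, "age": age,
                                 "expires_left": expires - (t1 - t0)})
    return findings

# Constructed samples (addresses are documentation ranges, not from the post).
SNAP_A = """\
all udp 203.0.113.5:9430 <- 192.0.2.10:9430       MULTIPLE:MULTIPLE
   age 00:04:55, expires in 00:05:00, 29:29 pkts, 14166:18501 bytes, rule 63
all udp 203.0.113.9:53 <- 192.0.2.11:40000       SINGLE:NO_TRAFFIC
   age 00:00:25, expires in 00:00:05, 1:0 pkts, 60:0 bytes, rule 12
"""
SNAP_B = ""   # constructed: 10 seconds later both states are gone

if __name__ == "__main__":
    for finding in premature_removals([(1000, SNAP_A), (1010, SNAP_B)]):
        print(finding)
```

Only the first sample state is reported: the second had 5 seconds left and a 10 second gap between captures, so its removal is consistent with normal expiry.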
