Hi Dave,

> I've got two firewalls in a CARP/pfsync configuration running a
> 3.5-snapshot from July.

I'm seeing the same symptoms as you on this, presently running -current as of a few days back, but first noticed the problem with a mid-July snapshot - which is what I was running when I got pfsync working with my adaptive timeouts fix.

Generally for me though, if it is going to happen, it happens immediately after a restart of the primary firewall, after the bulk updates complete, and around the time that the machine becomes the CARP master.

Were you seeing the problem with 3.5-stable?

In case it is significant, my machines have Intel Gigabit (em) NICs in them.

> I had a firewall on another machine with the exact same ruleset and
> no problems.

.. but without CARP/pfsync on that machine? If so, same here again.

> If I reboot the firewall, the problem clears up. The other strange
> thing is that my carp backup machine has the exact same symptoms!

By this do you mean that while your primary machine is displaying these symptoms you can't ping localhost on the backup machine, and as soon as you reboot the primary machine the backup machine can ping localhost again?

I haven't noticed this behaviour locally, but I also haven't been testing for it - will do though the next time I restart my primary and the behaviour recurs.

> Here's what it looks like when it is hosed:
>
> State Table                        Total             Rate
>   current entries                       11
>   searches                         2253992         6956.8/s
>   inserts                             1301            4.0/s
>   removals                            1290            4.0/s
>
> The rates are the things that look crazy to me. Otherwise, the
> machine seems perfectly happy. Lots of memory, zero cpu load.

In my environment 7000 searches per second isn't very high, so I haven't paid any attention to the rate of searches. (These numbers seem inflated right after a bulk sync, anyway.)

In my case if I do a pfctl -vvsr I thought I saw lots of increases of the evaluations counters for rules but few match counters that I expected to go up were doing so - do you see the same?

Regards
Chris
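Added example, not part of Chris's or Dave's messages: a small Python script that parses the State Table block of `pfctl -s info` output like the one quoted above and derives two things the thread discusses. First, searches per second relative to the number of live states, which is what makes Dave's numbers look out of proportion. Second, rates computed from the Total column of two snapshots taken a known number of seconds apart, because pfctl's Rate column is the counter total divided by pf's uptime and so is skewed for a while after a restart and pfsync bulk update, which matches Chris's remark that the numbers look inflated right after a bulk sync. The sample output below is constructed (the State Table numbers are Dave's; the Status line, the second snapshot and the warning threshold are assumptions for the example).

```python
import re

# Constructed sample of `pfctl -s info` output. The State Table block carries
# the numbers quoted in the thread; the surrounding lines are made up for the
# example and are not from the original message.
SAMPLE_INFO = """\
Status: Enabled for 0 days 00:05:24           Debug: Urgent

State Table                        Total             Rate
  current entries                       11
  searches                         2253992         6956.8/s
  inserts                             1301            4.0/s
  removals                            1290            4.0/s
"""

# A second constructed snapshot, as if taken 10 seconds later on the same box.
SAMPLE_INFO_LATER = """\
Status: Enabled for 0 days 00:05:34           Debug: Urgent

State Table                        Total             Rate
  current entries                       12
  searches                         2254492         6753.0/s
  inserts                             1313            3.9/s
  removals                            1301            3.9/s
"""

# One State Table row: name, total, and an optional "<rate>/s" column.
_ROW = re.compile(
    r"^\s*(current entries|searches|inserts|removals)\s+(\d+)(?:\s+([0-9.]+)/s)?\s*$")


def parse_state_table(text):
    """Map each State Table row to (total, rate_per_sec_or_None).

    The row names are unique to the State Table block of pfctl -s info,
    so no section tracking is needed."""
    stats = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, total, rate = m.groups()
            stats[name] = (int(total), float(rate) if rate is not None else None)
    return stats


def searches_per_entry(stats):
    """Reported searches/s divided by the number of live state entries."""
    entries = stats["current entries"][0]
    return stats["searches"][1] / max(entries, 1)


def rates_from_snapshots(before, after, seconds):
    """Per-second rates computed from the Total column of two snapshots.

    pfctl's Rate column is the counter total divided by pf's uptime, so
    shortly after a restart (and a pfsync bulk update) it mostly reflects
    that burst. Two snapshots give the rate over the interval you care about."""
    return {k: (after[k][0] - before[k][0]) / seconds
            for k in ("searches", "inserts", "removals")}


def assess(stats, per_entry_threshold=100.0):
    """Flag a search load out of proportion to the live state count.

    The threshold is an assumption for this example; tune it to the
    traffic mix of the firewall being watched."""
    spe = searches_per_entry(stats)
    findings = []
    if spe > per_entry_threshold:
        findings.append(
            f"{spe:.1f} searches/s per state entry (threshold {per_entry_threshold:.0f})")
    return findings


if __name__ == "__main__":
    now = parse_state_table(SAMPLE_INFO)
    later = parse_state_table(SAMPLE_INFO_LATER)
    for finding in assess(now):
        print("warning:", finding)
    print("interval rates:", rates_from_snapshots(now, later, 10.0))
```

In practice the two snapshots come from running `pfctl -s info` twice with a sleep in between; comparing the interval rates against the Rate column shows whether a scary-looking number is a real steady-state load or just the leftover average from the bulk update that followed the restart.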
