adaptive timeouts fix. Generally for me though, if it is going to happen, it happens immediately after a restart of the primary firewall, after the bulk updates complete, and around the time that the machine becomes the CARP master. Were you seeing the problem with 3.5-stable?
I have seen it after the machines have been up for 2 days. I've seen it after the machines have been up for 47 minutes.
In case it is significant, my machines have Intel Gigabit (em) NICs in them.
I have fxp's and sf's.
... but without CARP/pfsync on that machine? If so, same here again. I had a firewall on another machine with the exact same ruleset and no problems.
That is correct, without CARP/pfsync.
If I reboot the firewall, the problem clears up. The other strange thing is that my carp backup machine has the exact same symptoms!
By this do you mean that while your primary machine is displaying these symptoms you can't ping localhost on the backup machine, and as soon as
Exactly.
you reboot the primary machine the backup machine can ping localhost again?
I haven't tried that. But after I reboot both machines they are fine for a while.
In my environment 7000 searches per second isn't very high, so I haven't paid any attention to the rate of searches. (These numbers seem inflated right after a bulk sync, anyway). In my case if I do a pfctl -vvsr I thought I saw lots of increases of the evaluations counters for rules but few match counters that I expected to go up were doing so - do you see the same?
Fair enough about the searches. My only frame of reference is a stable machine. I will have to look at the evaluation counters when they are hosed, but just looking at them now, they don't seem to make much sense to me without a frame of reference. :(
I'm feeling like this has to be related to pfsync somehow. It really looks like the firewall has rules that don't show with pfctl -sr but actually just default deny everything that doesn't already have a state. It just makes no sense.
-Dave
--
Dave Mangot [EMAIL PROTECTED] DHAP Digital, Inc. http://www.dhapdigital.com/ San Francisco, CA 415.278.5013
