-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, 16 Dec 2004 20:54:54 -0500
Jason Dixon <[EMAIL PROTECTED]> wrote:
> > Things are nearly fully functional for me now, however, I don't seem
> > to have perfect throughput when a box is shot in the head, sometimes
> > things work OK for the client, and sometimes they don't and
> > connections either lag to the point of timeout, or just drop and
> > can't get re-established.
>
> There is probably a good reason for this, but might be hard to
> determine a) for an experienced user without access to your network,
> or b) for an inexperienced user *with* access to your network. ;-)
>
> I suggest monitoring your interfaces continually ("while true; do
> ifconfig -a | grep carp; sleep 1; clear; done") while you recreate
> your problems. It wouldn't hurt to also monitor your pfsync traffic
> for hiccups.
>
> I usually experience ~3 seconds of packet loss during a failover.
> Recovery is always instantaneous (no loss). Regardless, I've yet to
> lose any TCP connections. I'd suggest you try to isolate the
> questionable behavior.
Sometimes the packet loss does not occur and the packets are merely
delayed, usually taking ~5 seconds, and then they all show up (that's
with ICMP ping). But other connections which require a steady stream may
not recover during the buffer.
I was expecting something a little more reliable, but for an OpenSource
package, it's kick ass, some of the time.
> > Sorry if I sound like a "Loinux whiny", I'm almost there, just need
> > a few more pointers.
> >
> > 1) If I reduce advskew to something like 10 on machine A and 12 on
> > machine b, would that increase the stability of the firewalls?
>
> I suggest larger advskew differences. You can only go as high as the
> size of your segment (256-1 for /24, for example). If you're only
> using 2 firewalls, I suggest advskews of 0 and 100. This isn't
> documented anywhere, and is only based on my own experience, so YMMV.
>
> > 2) Why does it seem that when the master returns from me issuing a
> > reboot does the connection for the client appear to get shaky again?
>
> No clue, you're not providing anything but anecdotal evidence.
I will spend more time on this. Thanks for the help thus far.
- --
/-- _| | Regards. Please note, my PGP key ID has changed.
|-- / | | If you are planning on sending me something encrypted
\__ \_| | please update your keyring. Debian/OpenBSD. 53C9FC6C.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBwyBVjtZArFPJ/GwRAsTCAJ44vANhJPmOZujgMvWNElWwG5uIfwCfaiMB
B8pTMdjAwlcvh77j8DYKiSw=
=r0zl
-----END PGP SIGNATURE-----
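
The interface monitoring suggested in the quoted reply can be turned into a timestamped log of CARP state changes, which makes failover timing something you can measure. This is an added example, not part of the original thread; the function names, the sample data and the assumed `carp: <STATE> ...` line format of `ifconfig` output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Assumption: ifconfig prints a header line such as "carp0: flags=..." followed
# by a state line such as "carp: MASTER vhid 1 advbase 1 advskew 0".

# Read "<epoch> <ifconfig line>" records on stdin and print one line per
# CARP state change, with how long the previous state was held.
carp_transitions() {
    awk '
    # Interface header: remember the name only for carp interfaces.
    $2 ~ /^[a-z]+[0-9]+:$/ {
        ifname = ($2 ~ /^carp/) ? substr($2, 1, length($2) - 1) : ""
        next
    }
    # State line belonging to the carp interface seen just before it.
    $2 == "carp:" && ifname != "" {
        if ((ifname in last) && last[ifname] != $3)
            printf "%s %s %s->%s (held %s %ds)\n", $1, ifname,
                   last[ifname], $3, last[ifname], $1 - since[ifname]
        if (!(ifname in last) || last[ifname] != $3) {
            last[ifname] = $3
            since[ifname] = $1
        }
        ifname = ""
    }'
}

# Live use: snapshot all interfaces once per second, prefix each line with
# the epoch time, and report only the state changes.
carp_watch() {
    while true; do
        now=$(date +%s)
        ifconfig -a | sed "s/^[[:space:]]*/$now /"
        sleep 1
    done | carp_transitions
}

# Constructed sample input (timestamps and addresses are made up).
sample_snapshots() {
    cat <<'EOF'
100 carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
100 carp: BACKUP vhid 1 advbase 1 advskew 100
100 inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
101 carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
101 carp: BACKUP vhid 1 advbase 1 advskew 100
104 carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
104 carp: MASTER vhid 1 advbase 1 advskew 100
130 carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
130 carp: BACKUP vhid 1 advbase 1 advskew 100
EOF
}
```

Run `carp_watch` on each firewall while recreating the failover; `sample_snapshots | carp_transitions` shows the output format without touching a live interface.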