On Thu, Dec 14, 2006 at 02:47:16PM -0800, Michael K. Smith - Adhost wrote:
> Our problem is with state maintenance upon failover. It appears the
> state tables are properly synced between the devices but, when we fail
> to our secondary firewall, established connections through the firewalls
> fail. We have replicated this behavior with port 25 and 110.
Can you further explain what fails?

Do connections established prior to the failover stall after the failover?

After the failover, new connections cannot be established (connection times out, or is reset)?

After the failover, new connections can be established, but the "sticky-address" option is not honoured, so new connections go to the wrong server, breaking stuff like smtp-after-pop?

For the first two cases, please enable debug logging (pfctl -xm), reproduce the problem for one connection, then check /var/log/messages for entries from pf, and post them. Also run pfctl -vvss before (on the primary) and after (on the secondary) and post the state entry that fails.

The last case is currently unsolvable, as the information about which source address is assigned which redirection address is not sync'd, afaik.

Daniel
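The "pfctl -vvss before on the primary, after on the secondary" step above is easier to act on if the two dumps are compared mechanically for the one connection being tested. The script below is an added example, not code from the thread or from OpenBSD: it pulls one connection's multi-line state entry out of a saved pfctl -vvss dump and reports whether the secondary carries the same synced entry (same id and creatorid), a different one (re-created locally rather than received via pfsync), or none at all. The state-dump layout it parses is the OpenBSD 4.x pfctl -vvss format as I remember it, and the two dumps embedded below are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the thread): compare one connection's pf state
# entry between a primary dump (taken before failover) and a secondary dump
# (taken after). Assumes pfctl -vvss output of the form:
#   all tcp 192.0.2.25:25 <- 198.51.100.7:54321   ESTABLISHED:ESTABLISHED
#      [seq + win] wscale N  [seq + win] wscale N
#      age ..., expires in ..., pkts, bytes, rule N
#      id: <64-bit hex> creatorid: <32-bit hex>
# Header lines start in column 0; the detail lines are indented.

# Print the full entry (header plus indented detail lines) whose header
# contains the endpoint pattern in $1, e.g. "198.51.100.7:54321".
pf_state_for() {
    awk -v pat="$1" '
        /^[^ \t]/ { keep = index($0, pat) > 0 }   # header: decide whether to keep
        keep      { print }                        # header and its detail lines
    '
}

# Print "<id> <creatorid>" for that entry; empty if the entry is absent.
pf_state_id() {
    pf_state_for "$1" | awk '/^[ \t]+id:/ { print $2, $4 }'
}

# $1 = primary dump file, $2 = secondary dump file, $3 = endpoint pattern.
# Prints SYNCED, DIFFERS or MISSING (see comments).
pf_compare_state() {
    p=$(pf_state_id "$3" < "$1")
    s=$(pf_state_id "$3" < "$2")
    if [ -z "$s" ]; then
        echo MISSING          # secondary never received this state
    elif [ "$p" = "$s" ]; then
        echo SYNCED           # same id/creatorid: pfsync delivered it
    else
        echo DIFFERS          # present, but created locally on the secondary
    fi
}

# Constructed sample dumps (not real pfctl output).
PRIMARY_DUMP=$(mktemp)
SECONDARY_DUMP=$(mktemp)
cat > "$PRIMARY_DUMP" <<'EOF'
all tcp 192.0.2.25:25 <- 198.51.100.7:54321       ESTABLISHED:ESTABLISHED
   [1000 + 65535] wscale 0  [2000 + 65535] wscale 0
   age 00:00:30, expires in 23:59:30, 8:7 pkts, 900:600 bytes, rule 5
   id: 000000004a1b2c3d creatorid: 1f2e3d4c
all tcp 192.0.2.25:110 <- 198.51.100.7:54322       ESTABLISHED:ESTABLISHED
   [1100 + 65535] wscale 0  [2100 + 65535] wscale 0
   age 00:00:20, expires in 23:59:40, 4:4 pkts, 300:400 bytes, rule 6
   id: 000000004a1b2c3e creatorid: 1f2e3d4c
all tcp 192.0.2.80:80 <- 198.51.100.9:40000       ESTABLISHED:ESTABLISHED
   [1200 + 65535] wscale 0  [2200 + 65535] wscale 0
   age 00:00:10, expires in 23:59:50, 2:2 pkts, 200:300 bytes, rule 7
   id: 000000004a1b2c3f creatorid: 1f2e3d4c
EOF
cat > "$SECONDARY_DUMP" <<'EOF'
all tcp 192.0.2.25:25 <- 198.51.100.7:54321       ESTABLISHED:ESTABLISHED
   [1000 + 65535] wscale 0  [2000 + 65535] wscale 0
   age 00:00:31, expires in 23:59:29, 8:7 pkts, 900:600 bytes, rule 5
   id: 000000004a1b2c3d creatorid: 1f2e3d4c
all tcp 192.0.2.25:110 <- 198.51.100.7:54322       ESTABLISHED:ESTABLISHED
   [1100 + 65535] wscale 0  [2100 + 65535] wscale 0
   age 00:00:02, expires in 23:59:58, 1:1 pkts, 60:60 bytes, rule 6
   id: 0000000000000011 creatorid: 7a7a7a7a
EOF

# Live use (not run here):
#   on the primary:    pfctl -xm; pfctl -vvss > /tmp/pf-primary.txt
#   fail over, then on the secondary:  pfctl -vvss > /tmp/pf-secondary.txt
#   pf_compare_state /tmp/pf-primary.txt /tmp/pf-secondary.txt 198.51.100.7:54321
pf_compare_state "$PRIMARY_DUMP" "$SECONDARY_DUMP" 198.51.100.7:54321   # SYNCED
pf_compare_state "$PRIMARY_DUMP" "$SECONDARY_DUMP" 198.51.100.7:54322   # DIFFERS
pf_compare_state "$PRIMARY_DUMP" "$SECONDARY_DUMP" 198.51.100.9:40000   # MISSING
```

A DIFFERS result on the port 25 or 110 connection after failover would point at the secondary creating its own state rather than using the pfsync'd one, and MISSING at the sync itself; a SYNCED entry that still stalls shifts suspicion to the pf debug log entries the reply asks for.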
