Hello Daniel: I've included responses in-line below.
-----Original Message-----
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]
Sent: Friday, December 15, 2006 12:16 AM
To: Michael K. Smith - Adhost
Cc: [email protected]
Subject: Re: Problems with PF Sync.

On Thu, Dec 14, 2006 at 02:47:16PM -0800, Michael K. Smith - Adhost wrote:

> Our problem is with state maintenance upon failover. It appears the
> state tables are properly synced between the devices but, when we fail
> to our secondary firewall, established connections through the firewalls
> fail. We have replicated this behavior with port 25 and 110.

>> Can you further explain what fails?
>> Do connections established prior to the failover stall after the
>> failover?

Exactly. Here's the process:

1) Create TCP connection through PF Master on port 25 to server on back net
2) Issue HELO command and receive response
3) Fail to PF Backup (we've done this with an interface down and reboot with the same outcome).
4) Reissue HELO command
5) Receive no response, but we are also not disconnected.
6) Cancel connection and re-initiate.
7) Connection is re-established immediately.

>> After the failover, new connections cannot be established (connection
>> times out, or is reset)?

After the failover, new connections work flawlessly.

>> After the failover, new connections can be established, but the
>> "sticky-address" option is not honoured, so new connections go to the
>> wrong server, breaking stuff like smtp-after-pop?

We haven't gotten that far yet.

>> For the first two cases, please enable debug logging (pfctl -xm),
>> reproduce the problem for one connection, then check /var/log/messages
>> for entries from pf, and post them. Also run pfctl -vvss before (on the
>> primary) and after (on the secondary) and post the state entry that
>> fails.

Will do.

>> The last case is currently unsolvable, as the information about which
>> source address is assigned which redirection address is not sync'd,
>> afaik.

Thanks,

Mike
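As an added example, not part of this thread, the following POSIX shell script does the before/after comparison Daniel asks for: it pulls one connection's entry out of two `pfctl -vvss` dumps (primary before the failover, secondary after) and reports which fields differ. The two dumps are constructed, and the four-line entry layout is an assumption modelled on OpenBSD 4.x output.

```shell
# Added example (not from the thread): compare one connection's entry between
# two `pfctl -vvss` dumps, the before/after capture Daniel asked for. Both
# dumps are constructed; the four-line entry layout (header, sequence windows,
# age/expiry, id/creatorid) imitates OpenBSD 4.x output and is an assumption.

PRIMARY_DUMP='all tcp 192.0.2.10:25 (198.51.100.25:25) <- 203.0.113.7:51522       ESTABLISHED:ESTABLISHED
   [2389012345 + 65535] wscale 0  [1172345678 + 16384] wscale 7
   age 00:00:42, expires in 23:59:18, 6:5 pkts, 412:398 bytes, rule 12
   id: 000000004582a1f0 creatorid: 9c1e4b27
all tcp 192.0.2.11:110 (198.51.100.26:110) <- 203.0.113.9:40001       ESTABLISHED:ESTABLISHED
   [3300011122 + 65535] wscale 0  [1500020003 + 16384] wscale 7
   age 00:01:03, expires in 23:58:57, 9:7 pkts, 640:512 bytes, rule 13
   id: 000000004582a1f4 creatorid: 9c1e4b27'
# Secondary: the port-25 entry carries a different wscale; port 110 differs only in age/expiry.
SECONDARY_DUMP='all tcp 192.0.2.10:25 (198.51.100.25:25) <- 203.0.113.7:51522       ESTABLISHED:ESTABLISHED
   [2389012345 + 65535] wscale 0  [1172345678 + 16384] wscale 0
   age 00:00:03, expires in 23:59:57, 6:5 pkts, 412:398 bytes, rule 12
   id: 000000004582a1f0 creatorid: 9c1e4b27
all tcp 192.0.2.11:110 (198.51.100.26:110) <- 203.0.113.9:40001       ESTABLISHED:ESTABLISHED
   [3300011122 + 65535] wscale 0  [1500020003 + 16384] wscale 7
   age 00:00:03, expires in 23:59:57, 9:7 pkts, 640:512 bytes, rule 13
   id: 000000004582a1f4 creatorid: 9c1e4b27'

# Print the entry (header plus its indented detail lines) whose header
# mentions the given client endpoint, e.g. 203.0.113.7:51522.
state_entry() {
    printf '%s\n' "$1" | awk -v ep="$2" '/^[^ ]/ { keep = index($0, ep) > 0 } keep'
}

line() { printf '%s\n' "$1" | sed -n "${2}p"; }   # line N of a multi-line string

# Compare the fields that must survive failover: endpoints and TCP state
# (line 1), sequence windows and wscale (line 2), creatorid (line 4).
# Prints "synced", "missing-on-<side>" or "mismatch:" plus the field names.
compare_state() {
    p=$(state_entry "$1" "$3") s=$(state_entry "$2" "$3")
    [ -n "$p" ] || { echo missing-on-primary; return 1; }
    [ -n "$s" ] || { echo missing-on-secondary; return 1; }
    bad=""
    [ "$(line "$p" 1)" = "$(line "$s" 1)" ] || bad="$bad header"
    [ "$(line "$p" 2)" = "$(line "$s" 2)" ] || bad="$bad seq"
    [ "$(line "$p" 4)" = "$(line "$s" 4)" ] || bad="$bad creatorid"
    [ -z "$bad" ] && { echo synced; return 0; }
    echo "mismatch:$bad"; return 1
}

for ep in 203.0.113.7:51522 203.0.113.9:40001; do
    printf '%s -> ' "$ep"; compare_state "$PRIMARY_DUMP" "$SECONDARY_DUMP" "$ep" || :
done
```

On a real pair, replace the two strings with `pfctl -vvss` output captured on the primary before the failover and on the secondary after it. Age and expiry are skipped because they drift between hosts, while a differing sequence window or creatorid points at the synced state itself.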
