Hello Daniel (and all):

Thanks for the input below. The rules were indeed out of sync, but it turns out that wasn't the issue. One simple line was breaking it for me:

scrub all reassemble tcp fragment reassemble

Once I removed that, it all works flawlessly!

Regards,

Mike

> -----Original Message-----
> From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 06, 2007 1:16 PM
> To: Michael K. Smith - Adhost
> Cc: [email protected]
> Subject: Re: Problems with PF Sync (FreeBSD 6.2)
>
> On Fri, Feb 02, 2007 at 02:12:12PM -0800, Michael K. Smith - Adhost wrote:
>
> > self tcp 10.211.100.110:110 <- x.x.x.164:110 <- x.x.x.98:52857
> > ESTABLISHED:ESTABLISHED
> > [526026435 + 65535] wscale 1 [2600240610 + 65665] wscale 0
> > age 00:00:03, expires in 04:59:57, 3:2 pkts, 168:154 bytes, rule 9
> > id: 45c3ac4500000080 creatorid: 70b9fa06
>
> What is rule 9 on the master, precisely?
>
> # pfctl -gsr | grep -A 2 '@9 '
>
> The state entry doesn't get associated with a corresponding rule on the
> backup (because the rulesets are not identical), but with the default
> rule instead. This means that aspects of the state entry might stop
> working on failover (like route-/reply-to or such), effectively
> breaking the connection.
>
> Daniel
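Added example, not part of the original messages: a small Python check for the condition described in the quoted reply, where the rule number recorded in a state entry on the master does not refer to the same rule on the backup. It assumes each peer's ruleset was captured in the numbered "@N rule" form that `pfctl -vvsr` prints; the rulesets below are constructed for illustration, and the state entry is the one quoted in the thread.

```python
import re

RULE_RE = re.compile(r"^@(\d+)\s+(.*\S)\s*$")

def parse_rules(text):
    """Map rule number -> whitespace-normalised rule text, skipping counter lines."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = " ".join(m.group(2).split())
    return rules

def mismatched_rules(master_text, backup_text):
    """Rule numbers whose text differs, or that exist on only one peer."""
    master, backup = parse_rules(master_text), parse_rules(backup_text)
    return sorted(n for n in master.keys() | backup.keys()
                  if master.get(n) != backup.get(n))

def state_rule_check(state_text, master_text, backup_text):
    """Pull 'rule N' out of a verbose state entry and compare rule N on both peers."""
    m = re.search(r"\brule (\d+)\b", state_text)
    if m is None:
        raise ValueError("state entry carries no rule number")
    n = int(m.group(1))
    master, backup = parse_rules(master_text).get(n), parse_rules(backup_text).get(n)
    return n, master, backup, master == backup

# --- Constructed sample data (not the poster's ruleset) ---
def render(rules):
    counters = "  [ Evaluations: 0  Packets: 0  Bytes: 0  States: 0 ]\n"
    return "".join(f"@{i} {r}\n{counters}" for i, r in enumerate(rules))

PORTS = [22, 25, 53, 80, 143, 443, 465, 993, 995, 110]
_master = [f"pass in proto tcp from any to any port = {p} keep state" for p in PORTS]
# The backup has one extra rule at position 3, which shifts every later number.
_backup = _master[:3] + ["block in quick from 192.0.2.0/24 to any"] + _master[3:]
MASTER, BACKUP = render(_master), render(_backup)

# State entry as quoted in the thread.
STATE = """self tcp 10.211.100.110:110 <- x.x.x.164:110 <- x.x.x.98:52857 ESTABLISHED:ESTABLISHED
   age 00:00:03, expires in 04:59:57, 3:2 pkts, 168:154 bytes, rule 9
   id: 45c3ac4500000080 creatorid: 70b9fa06"""

if __name__ == "__main__":
    print("differing rule numbers:", mismatched_rules(MASTER, BACKUP))
    print("state rule check:", state_rule_check(STATE, MASTER, BACKUP))
```

An empty list from mismatched_rules means the two captured rulesets agree rule for rule; any number it returns is a rule whose states are worth checking before relying on failover.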
