Re: pfr_update_stats: assertion failed

2009-05-01 Thread askthelist
did you ever get any enlightenment on this? if so i could use some enlightenment as well. maybe the developers would be so kind and can chime in on this one as well? thanks. On Mon, Aug 4, 2008 at 9:58 PM, Insan Praja SW wrote: > Dear misc@, > After repeatedly got the "pfr_update_stats: assertion

Re: OSPFD carp interface flapping

2009-02-02 Thread askthelist
Heres a dmesg and ifconfig from backup and master firewalls... *BACKUP FIREWALL * # ifconfig lo0: flags=8049 mtu 33208 groups: lo inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 em0: flags=8843 mtu 1500

OSPFD carp interface flapping

2009-01-30 Thread askthelist
OpenBSD 4.3 --release On our backup firewall: Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 up Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 down This is corresponding with an event on our ACTIVE host which is problematic to our VPN traffic Jan 30 17:55:47 susan sasyncd[31016]: net_ctl:

net_ctl: got bad state MASTER from peer

2009-01-27 Thread askthelist
anyone know why this situation would come up in sasyncd and/or help me pinpoint the root cause? seems to correspond with a hiccup in traffic flowing through the vpn. it corrects itself after a few minutes but it has occurred on multiple occasions about the same time of day. Non-VPN traffic still fl

Re: Advbase range?

2008-09-19 Thread askthelist
On Fri, Sep 19, 2008 at 1:53 AM, Stuart Henderson <[EMAIL PROTECTED]>wrote: > On 2008-09-18, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > 2008/9/18 Cezary Morga <[EMAIL PROTECTED]> > > > >> Dnia czwartek, 18 wrze6nia 2008, napisa3e6: > >> > I understand the concept of an 8 bit integer. What I

Re: Advbase range?

2008-09-18 Thread askthelist
2008/9/18 Cezary Morga <[EMAIL PROTECTED]> > Dnia czwartek, 18 wrze6nia 2008, napisa3e6: > > I understand the concept of an 8 bit integer. What I meant by > > ambiguous is the acceptable ranges that are being used, assuming > > vhid's are an 8-bit integer as well, although thats not explicitly > >

Re: Advbase range?

2008-09-18 Thread askthelist
2008/9/18 Cezary Morga <[EMAIL PROTECTED]> > Dnia czwartek, 18 wrze6nia 2008 04:41, napisa3e6: > > what is the range of the advbase? > > > > advskew is 0-255 but vhid's are 1-255 and the man page just states > advbase > > is an 8-bit number with a default of 1, so its a bit ambiguous. > > There's

Advbase range?

2008-09-17 Thread askthelist
what is the range of the advbase? advskew is 0-255 but vhid's are 1-255 and the man page just states advbase is an 8-bit number with a default of 1, so its a bit ambiguous. I havent been able to set advbase to 0 so I am assuming its 1-255, however I have seen posts of people configuring the advba

Re: King Bula lost in time - BGP stuck in Active state upon failover

2008-09-08 Thread askthelist
On Mon, Sep 8, 2008 at 4:26 PM, Henning Brauer <[EMAIL PROTECTED]>wrote: > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2008-09-09 00:35]: > > On Mon, Sep 8, 2008 at 2:11 PM, Henning Brauer <[EMAIL PROTECTED]> > wrote: > > > phew. > > didnt mean to scare you with a false alarm... just thought that lin

Re: King Bula lost in time - BGP stuck in Active state upon failover

2008-09-08 Thread askthelist
On Mon, Sep 8, 2008 at 2:11 PM, Henning Brauer <[EMAIL PROTECTED]> wrote: > phew. didnt mean to scare you with a false alarm... just thought that line was funny when i came across it... > > session staying in Active is not an error. it waits for the connection > from the other side. it seems

King Bula lost in time - BGP stuck in Active state upon failover

2008-09-05 Thread askthelist
When I failover two openbsd 4.3 firewalls running bgp with the depend on carp directive, there are certain times where the bgp state seems to get stuck in an Active state and stays in that state in what seems an indefinate amount of time, although I have only waited up to about 5 minutes in one cas

Re: Dynamic Routing - BGP + OSPF

2008-05-06 Thread askthelist
Unfortunately I was sidelined with other projects and have not had a chance to resolve this issue I described in this post. Now I should have some time to get this resolved and I have some ideas on how I can resolve this, but I need some advice on if its the best method or if there is a more gracef

OpenBGPD 4.2 crash

2008-05-06 Thread askthelist
A long running bgp session died with the following error... there was plenty of free memory available on the box. over 1 gig free. Anyone know why this condition occurs and how I can avoid this in the future? Thanks. May 4 18:13:38 ashley bgpd[5614]: fatal in RDE: up_generate_attr: Cannot allocat

Re: Dynamic Routing - BGP + OSPF

2008-02-25 Thread askthelist
On Fri, Feb 22, 2008 at 5:50 PM, Stuart Henderson <[EMAIL PROTECTED]> wrote: > On 2008-02-23, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > I noticed that the two firewalls do not forward there > iBGP > > learned routes to one another. Is this intended/expected behavior? > > Ye

Dynamic Routing - BGP + OSPF

2008-02-22 Thread askthelist
I'm trying to implement full dynamic routing with eBGP + Full Mesh iBGP + OSPF in my current network and am having some issues. I have a 2 routers + 2 firewall setup with no default routes on any nodes. The 2 routers are plugged into the upstream provider and are both receiving full routes in addit

Re: CARP + MS NLB Multicast Traffic

2007-12-26 Thread askthelist
Heres a watered down and cleansed version of my pf.conf and a relevant packet capture. pf.conf file is the same on both boxes. Traffic originated externally(10.0.0.5) hitting the webserver (192.168.0.100) will be broadcast by the switch, hit the secondary firewalls internal interface, and should be

Re: CARP + MS NLB Multicast Traffic

2007-12-22 Thread askthelist
Hmm just noticed net.inet.ip.ifq.drops was skyrocketing. I suppose I'll start there. On Dec 22, 2007 4:59 PM, <[EMAIL PROTECTED]> wrote: > I'm having an issue, maybe someone has seen before or can help me with. > > Scenario: > I have 2 firewall boxes with carp on the outer and inner interfaces of

CARP + MS NLB Multicast Traffic

2007-12-22 Thread askthelist
I'm having an issue, maybe someone has seen before or can help me with. Scenario: I have 2 firewall boxes with carp on the outer and inner interfaces of our network and pfsync running between them. On the inner side of the firewalls they drop into 2 cisco 3750G switches that are stacked using stac

Re: pfctl explaination

2007-09-11 Thread askthelist
I'm having a similar issue as to whats described here. In my situation I have a table with about 200 entries. Im attempting to update that table and add about 200 more entries. I've included network blocks this time with the biggest being a /18. I update my /etc/blackhole.abuse file, then I run pf

Re: Packets Per Second Limit?

2007-05-31 Thread askthelist
ok i feel better now and i think i got a better handle on this then before. its a fast box with plenty of memory, intel pro gig eth cards (em), about 350k in the state table at the moment, with fairly small ruleset, intelligenty would probably be up for debate! I would like to think so. Thanks. On

Re: Packets Per Second Limit?

2007-05-31 Thread askthelist
On 5/31/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > Depends on the byte size of the packet. If most of your throughput is > standard 1500 byte packets, you should have little to no problem. > > If someone starts blasting out 64 byte packets at wire speed though, > your link will be toast

Packets Per Second Limit?

2007-05-31 Thread askthelist
Anyone know the maximum packets per second that can traverse a 100MB internet link. From what I've been able to gather its about 8300 or so? Is this number accurate? Do connections just start to timeout once I hit this limit? I'm a little worried about this because we are fast approaching this mark

Re: ipsec vpn and intermittent session timeouts...

2007-05-25 Thread askthelist
* Add support for ESP+NULL encryption for ipsec. Useful for traversing NAT where AH can't be used. * Fixes for ipsec in IPv6. * In ipsecctl(8), allow rule if there is at least one matching address family combination. * Added better support for IPv6 hostname/numeric representation in the ipsecctl(8)

ipsec vpn and intermittent session timeouts...

2007-05-24 Thread askthelist
I cant seem to figure out why my sessions time out when I bring my site-to-site vpn up. I'm using "isakmpd -K -T"on both sides, then run ipsecctl -f /etc/ipsec.conf to bring the vpn up. My tunnel comes up fine and traffic passes on the enc0 interface and everything is great. When I look at ipsecctl

4.1 changelog discrepency? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread askthelist
I have a stateless rule on one of my boxes which was just upgraded from 4.0to 4.1. After the upgrade there were some odd issues that were reported and after looking into them I tracked the source of the issues down to a rule that was set not to keep state in pf.conf, but was actually keeping state

BGP Convergence Time

2007-05-11 Thread askthelist
I have 2 boxes connected independantly to two providers with a sangoma T1 card. I have a crossover between the 2 routers which iBGP session is talking over and the 3rd network interface drops down into 2 switches. going to redundant firewalls running carp/pfsync. We currently use BGP in our office

Re: ipsec.conf and carp/physical interfaces

2007-05-11 Thread askthelist
ok i misinterpreted the man page, this is what i needed instead... ike esp from a.a.a.0/24 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218 ike esp from x.x.x.142 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218 ike esp from x.x.x.142 to y.y.y.218 On 5/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-11 Thread askthelist
henning, you mentioned you are running redundant firewalls running bgp to multiple providers. my question is are you taking incoming traffic on both links or is your bgp configured in an active failover scenario? And do you use iBgp between the firewalls to control outgoing traffic up thru both li

ipsec.conf and carp/physical interfaces

2007-05-11 Thread askthelist
When using ipsec.conf to set up the vpn on redundant firewalls with carp on the outside interface, I noticed that the session is using the ip of the physical interface and not the ip of the carp interface which the remote end is listening for. When looking in the man pages there are options for loc

Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-10 Thread askthelist
Ok after trying this again, I have no problem establishing the VPN connection and it stays up for hours. However after an undetermined amount of time(hours), connections are dropped and the SA's do not show up when looking at the ipsecctl -sa or netstat -nrf encap. Same situation happens whether or

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-07 Thread askthelist
yah theyre valid, there was a point when i first set this up i remember one of the nexthops being invalid but this hasnt been the case for sometime. cool, i think ill stick to the without ospf for now until it becomes a necessity. thanks. On 5/7/07, Stuart Henderson <[EMAIL PROTECTED]> wrote: > >

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-07 Thread askthelist
when i do a bgpctl show fib i see the two routes, 1 thru connected provider, 1 to other router's crossover interface - which is connected then to 2nd provider, so why would i need to redistribute my routes when its already in the fib? maybe im confused but I dont think i necessarily need ospf in my

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-07 Thread askthelist
On 5/5/07, Henning Brauer <[EMAIL PROTECTED]> wrote: > > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-03 20:58]: > > Any recommendations on running BGP on redundant firewalls to multiple > > providers advertising the same network thru both links, and talking iBGP > > with the other firewall? >

Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-03 Thread askthelist
I mean Phase 1 of the IPSEC connection by ISAKMPD session. Hmm sounds like I'm on the right track but I definately missing something. Maybe I had some misconfigurations somewhere. I'll have to try again and see how it goes. If I still have problems I will post the configs.Thanks for the help. On

BGP + Multiple Providers + Redundant Firewalls

2007-05-03 Thread askthelist
Any recommendations on running BGP on redundant firewalls to multiple providers advertising the same network thru both links, and talking iBGP with the other firewall? Just asking because I ran into a problem with this scenario when traffic would enter 1 host, traverse the iBGP crossover link and t

Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-03 Thread askthelist
Ok that setup is similar to what I have and I do have carp interfaces on both sides of the firewall. I was able to configure sasynd but when running netstat -rnf encap was not able to see any of the flows on the slave machine, but then I realized or thought that it was because the ISAKMPD session w

Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-02 Thread askthelist
I have a redundant firewall setup with carp interfaces on both sides of the firewall. I have a mirror of this setup in a 2nd location. Now im a little confused on how to set up the VPN. Do I use 1) the physical interfaces between the peers or 2) do I use the carp interface as the peers or 3)do I us