Re: Firewall partially failing with high traffic (Updated)

2006-11-15 Thread Chris Cameron
Just building off my last message. Answering Ryan's questions first: - Do you have dedicated addresses on the carp parent interfaces? For sure. - Are all the carp devices on the master firewall MASTER; what about the backup? Before and after the network dies, primary firewall is all MASTER,

Firewall partially failing with high traffic

2006-11-14 Thread Chris Cameron
I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by cat'ing lots of text over a telnet session. It has several subnets, and several NICs, but only 1 subnet becomes unavailable. Everything else continues to work. There are no errors in messages, daemon, with PF debug set to misc.

Re: Firewall partially failing with high traffic

2006-11-14 Thread Tobias Weingartner
In article [EMAIL PROTECTED], Chris Cameron wrote: I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by cat'ing lots of text over a telnet session. Chances are that you're hitting some bug in 3.8, that has likely been fixed in 3.9, or 4.0. Or the rule you're using to pass

Re: Firewall partially failing with high traffic

2006-11-14 Thread Will Maier
On Tue, Nov 14, 2006 at 09:28:47AM -0700, Chris Cameron wrote: Upgrading isn't an option. I mean it is, but as soon as I say Don't know, let's just upgrade, that's a major hit to something that was tough to get in in the first place. This will be a Firewall-1 shop again quite quickly and any

Re: Firewall partially failing with high traffic

2006-11-14 Thread Carlos A. Carnero Delgado
Hi, On 11/14/06, Chris Cameron [EMAIL PROTECTED] wrote: I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by cat'ing lots of text over a telnet session. Can you post `pfctl -s info` and `pfctl -s memory`? Best regards, Carlos. -- nick grah windows just crashed again,

Re: Firewall partially failing with high traffic

2006-11-14 Thread Chris Cameron
This is while it's working. I'll repost this tonight when I'm able to hang it.
    Status: Enabled for 0 days 16:47:54           Debug: Urgent
    Interface Stats for gem0              IPv4             IPv6
      Bytes In                      1560279475              272
      Bytes Out

Re: Firewall partially failing with high traffic

2006-11-14 Thread Joachim Schipper
On Tue, Nov 14, 2006 at 06:03:51AM -0700, Chris Cameron wrote: I have a 3.8 PF/CARP setup that I can reproducibly screw up simply by cat'ing lots of text over a telnet session. It has several subnets, and several NICs, but only 1 subnet becomes unavailable. Everything else continues to work.

Re: Firewall partially failing with high traffic

2006-11-14 Thread Ryan McBride
At 2006-11-14 13:03:51, Chris Cameron wrote: I can't (easily) give direct output from things like ifconfig or pf.conf as they're both huge and contain information I've been told we don't want to send out. Hopefully this doesn't prevent anyone from helping me out. If it's a problem with carp,