Re: pfr_update_stats: assertion failed

2009-05-01 Thread askthelist
Did you ever get any enlightenment on this? If so I could use some enlightenment as well. Maybe the developers would be so kind and can chime in on this one as well? Thanks. On Mon, Aug 4, 2008 at 9:58 PM, Insan Praja SW insan.pr...@gmail.comwrote: Dear misc@, After repeatedly got the

Re: OSPFD carp interface flapping

2009-02-02 Thread askthelist
Here's a dmesg and ifconfig from backup and master firewalls... *BACKUP FIREWALL * # ifconfig lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208 groups: lo inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5

OSPFD carp interface flapping

2009-01-30 Thread askthelist
OpenBSD 4.3 --release On our backup firewall: Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 up Jan 30 17:55:47 lynn ospfd[3389]: interface carp0 down This is corresponding with an event on our ACTIVE host which is problematic to our VPN traffic Jan 30 17:55:47 susan sasyncd[31016]: net_ctl:

net_ctl: got bad state MASTER from peer

2009-01-27 Thread askthelist
Anyone know why this situation would come up in sasyncd and/or help me pinpoint the root cause? Seems to correspond with a hiccup in traffic flowing through the VPN. It corrects itself after a few minutes but it has occurred on multiple occasions about the same time of day. Non-VPN traffic still

Re: Advbase range?

2008-09-19 Thread askthelist
On Fri, Sep 19, 2008 at 1:53 AM, Stuart Henderson [EMAIL PROTECTED]wrote: On 2008-09-18, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 2008/9/18 Cezary Morga [EMAIL PROTECTED] On Thursday, 18 September 2008, you wrote: I understand the concept of an 8 bit integer. What I meant by

Re: Advbase range?

2008-09-18 Thread askthelist
2008/9/18 Cezary Morga [EMAIL PROTECTED] On Thursday, 18 September 2008 04:41, you wrote: what is the range of the advbase? advskew is 0-255 but vhid's are 1-255 and the man page just states advbase is an 8-bit number with a default of 1, so it's a bit ambiguous. There's nothing

Re: Advbase range?

2008-09-18 Thread askthelist
2008/9/18 Cezary Morga [EMAIL PROTECTED] On Thursday, 18 September 2008, you wrote: I understand the concept of an 8 bit integer. What I meant by ambiguous is the acceptable ranges that are being used, assuming vhid's are an 8-bit integer as well, although that's not explicitly stated it

Advbase range?

2008-09-17 Thread askthelist
What is the range of the advbase? advskew is 0-255 but vhid's are 1-255 and the man page just states advbase is an 8-bit number with a default of 1, so it's a bit ambiguous. I haven't been able to set advbase to 0 so I am assuming it's 1-255, however I have seen posts of people configuring the

Re: King Bula lost in time - BGP stuck in Active state upon failover

2008-09-08 Thread askthelist
On Mon, Sep 8, 2008 at 2:11 PM, Henning Brauer [EMAIL PROTECTED] wrote: phew. didn't mean to scare you with a false alarm... just thought that line was funny when i came across it... session staying in Active is not an error. it waits for the connection from the other side. it seems to

Re: King Bula lost in time - BGP stuck in Active state upon failover

2008-09-08 Thread askthelist
On Mon, Sep 8, 2008 at 4:26 PM, Henning Brauer [EMAIL PROTECTED]wrote: * [EMAIL PROTECTED] [EMAIL PROTECTED] [2008-09-09 00:35]: On Mon, Sep 8, 2008 at 2:11 PM, Henning Brauer [EMAIL PROTECTED] wrote: phew. didnt mean to scare you with a false alarm... just thought that line was funny

King Bula lost in time - BGP stuck in Active state upon failover

2008-09-05 Thread askthelist
When I failover two OpenBSD 4.3 firewalls running bgp with the depend on carp directive, there are certain times where the bgp state seems to get stuck in an Active state and stays in that state in what seems an indefinite amount of time, although I have only waited up to about 5 minutes in one

Re: Dynamic Routing - BGP + OSPF

2008-05-07 Thread askthelist
Unfortunately I was sidelined with other projects and have not had a chance to resolve the issue I described in this post. Now I should have some time to get this resolved and I have some ideas on how I can resolve this, but I need some advice on if it's the best method or if there is a more

OpenBGPD 4.2 crash

2008-05-06 Thread askthelist
A long running bgp session died with the following error... there was plenty of free memory available on the box. over 1 gig free. Anyone know why this condition occurs and how I can avoid this in the future? Thanks. May 4 18:13:38 ashley bgpd[5614]: fatal in RDE: up_generate_attr: Cannot

Re: Dynamic Routing - BGP + OSPF

2008-02-25 Thread askthelist
On Fri, Feb 22, 2008 at 5:50 PM, Stuart Henderson [EMAIL PROTECTED] wrote: On 2008-02-23, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: I noticed that the two firewalls do not forward their iBGP learned routes to one another. Is this intended/expected behavior? Yes, you

Dynamic Routing - BGP + OSPF

2008-02-22 Thread askthelist
I'm trying to implement full dynamic routing with eBGP + Full Mesh iBGP + OSPF in my current network and am having some issues. I have a 2 routers + 2 firewall setup with no default routes on any nodes. The 2 routers are plugged into the upstream provider and are both receiving full routes in

Re: CARP + MS NLB Multicast Traffic

2007-12-26 Thread askthelist
Here's a watered down and cleansed version of my pf.conf and a relevant packet capture. The pf.conf file is the same on both boxes. Traffic originated externally (10.0.0.5) hitting the webserver (192.168.0.100) will be broadcast by the switch, hit the secondary firewall's internal interface, and should

CARP + MS NLB Multicast Traffic

2007-12-22 Thread askthelist
I'm having an issue, maybe someone has seen it before or can help me with it. Scenario: I have 2 firewall boxes with carp on the outer and inner interfaces of our network and pfsync running between them. On the inner side of the firewalls they drop into 2 Cisco 3750G switches that are stacked using

Re: CARP + MS NLB Multicast Traffic

2007-12-22 Thread askthelist
Hmm, just noticed net.inet.ip.ifq.drops was skyrocketing. I suppose I'll start there. On Dec 22, 2007 4:59 PM, [EMAIL PROTECTED] wrote: I'm having an issue, maybe someone has seen it before or can help me with it. Scenario: I have 2 firewall boxes with carp on the outer and inner interfaces of our

Re: pfctl explanation

2007-09-11 Thread askthelist
I'm having a similar issue to what's described here. In my situation I have a table with about 200 entries. I'm attempting to update that table and add about 200 more entries. I've included network blocks this time with the biggest being a /18. I update my /etc/blackhole.abuse file, then I run

Packets Per Second Limit?

2007-05-31 Thread askthelist
Anyone know the maximum packets per second that can traverse a 100MB internet link? From what I've been able to gather it's about 8300 or so? Is this number accurate? Do connections just start to time out once I hit this limit? I'm a little worried about this because we are fast approaching this

Re: Packets Per Second Limit?

2007-05-31 Thread askthelist
On 5/31/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Depends on the byte size of the packet. If most of your throughput is standard 1500 byte packets, you should have little to no problem. If someone starts blasting out 64 byte packets at wire speed though, your link will be toast long

Re: Packets Per Second Limit?

2007-05-31 Thread askthelist
OK, I feel better now and I think I have a better handle on this than before. It's a fast box with plenty of memory, Intel Pro gig eth cards (em), about 350k in the state table at the moment, with a fairly small ruleset. "Intelligently" would probably be up for debate! I would like to think so. Thanks.

Re: ipsec vpn and intermittent session timeouts...

2007-05-25 Thread askthelist
* Add support for ESP+NULL encryption for ipsec. Useful for traversing NAT where AH can't be used. * Fixes for ipsec in IPv6. * In ipsecctl(8), allow rule if there is at least one matching address family combination. * Added better support for IPv6 hostname/numeric representation in the

ipsec vpn and intermittent session timeouts...

2007-05-24 Thread askthelist
I can't seem to figure out why my sessions time out when I bring my site-to-site VPN up. I'm using isakmpd -K -T on both sides, then run ipsecctl -f /etc/ipsec.conf to bring the VPN up. My tunnel comes up fine and traffic passes on the enc0 interface and everything is great. When I look at ipsecctl

4.1 changelog discrepancy? - *Make sure pf(4) doesn't set 'flags S/SA' on stateless rules.

2007-05-14 Thread askthelist
I have a stateless rule on one of my boxes which was just upgraded from 4.0 to 4.1. After the upgrade there were some odd issues that were reported and after looking into them I tracked the source of the issues down to a rule that was set not to keep state in pf.conf, but was actually keeping state

ipsec.conf and carp/physical interfaces

2007-05-11 Thread askthelist
When using ipsec.conf to set up the vpn on redundant firewalls with carp on the outside interface, I noticed that the session is using the ip of the physical interface and not the ip of the carp interface which the remote end is listening for. When looking in the man pages there are options for

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-11 Thread askthelist
Henning, you mentioned you are running redundant firewalls running BGP to multiple providers. My question is: are you taking incoming traffic on both links or is your BGP configured in an active failover scenario? And do you use iBGP between the firewalls to control outgoing traffic up thru both

Re: ipsec.conf and carp/physical interfaces

2007-05-11 Thread askthelist
OK, I misinterpreted the man page; this is what I needed instead... ike esp from a.a.a.0/24 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218 ike esp from x.x.x.142 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218 ike esp from x.x.x.142 to y.y.y.218 On 5/11/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

BGP Convergence Time

2007-05-11 Thread askthelist
I have 2 boxes connected independently to two providers with a Sangoma T1 card. I have a crossover between the 2 routers which the iBGP session is talking over, and the 3rd network interface drops down into 2 switches, going to redundant firewalls running carp/pfsync. We currently use BGP in our

Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-10 Thread askthelist
OK, after trying this again, I have no problem establishing the VPN connection and it stays up for hours. However, after an undetermined amount of time (hours), connections are dropped and the SAs do not show up when looking at ipsecctl -sa or netstat -nrf encap. The same situation happens whether

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-07 Thread askthelist
On 5/5/07, Henning Brauer [EMAIL PROTECTED] wrote: * [EMAIL PROTECTED] [EMAIL PROTECTED] [2007-05-03 20:58]: Any recommendations on running BGP on redundant firewalls to multiple providers advertising the same network thru both links, and talking iBGP with the other firewall? that is

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-07 Thread askthelist
When I do a bgpctl show fib I see the two routes: 1 thru the connected provider, 1 to the other router's crossover interface, which is then connected to the 2nd provider. So why would I need to redistribute my routes when it's already in the fib? Maybe I'm confused but I don't think I necessarily need ospf in

Re: BGP + Multiple Providers + Redundant Firewalls

2007-05-07 Thread askthelist
Yah, they're valid. There was a point when I first set this up I remember one of the nexthops being invalid but this hasn't been the case for some time. Cool, I think I'll stick to the without-ospf setup for now until it becomes a necessity. Thanks. On 5/7/07, Stuart Henderson [EMAIL PROTECTED] wrote: On

Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-03 Thread askthelist
OK, that setup is similar to what I have and I do have carp interfaces on both sides of the firewall. I was able to configure sasyncd but when running netstat -rnf encap I was not able to see any of the flows on the slave machine, but then I realized or thought that it was because the ISAKMPD session

BGP + Multiple Providers + Redundant Firewalls

2007-05-03 Thread askthelist
Any recommendations on running BGP on redundant firewalls to multiple providers advertising the same network thru both links, and talking iBGP with the other firewall? Just asking because I ran into a problem with this scenario when traffic would enter 1 host, traverse the iBGP crossover link and

Re: Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-03 Thread askthelist
I mean Phase 1 of the IPSEC connection by ISAKMPD session. Hmm, sounds like I'm on the right track but I'm definitely missing something. Maybe I had some misconfigurations somewhere. I'll have to try again and see how it goes. If I still have problems I will post the configs. Thanks for the help. On

Redundant Firewalls, CARP + IPSEC + SASYNCD

2007-05-02 Thread askthelist
I have a redundant firewall setup with carp interfaces on both sides of the firewall. I have a mirror of this setup in a 2nd location. Now I'm a little confused on how to set up the VPN. Do I use 1) the physical interfaces between the peers, or 2) do I use the carp interface as the peers, or 3) do I