Just a wild ass guess at this point I'm afraid. Any chance you've got some packet loss on the sync interface, or really really crappy nics? It kinda sounds like the state deletion notices aren't always making it across. The nice thing about state updates and why they're still obviously working is that if the secondary machine sees a state update for a state it doesn't have, it requests full info on that state and adds it. So over the course of a tcp conversation it's going to have multiple opportunities to add state - not so for deletions. In the meantime on the secondary, you could try setting the state optimization to aggressive - it might help a little, but I'd check your error counters on the sync interfaces and see if they're climbing.
--Bill On 5/27/06, Peter Curran <[EMAIL PROTECTED]> wrote:
Bill I identified this problem a few days ago when asking about the sizing of state table entries. I have now had time to study the issue over a longer period of time. The site I am working with is pretty busy - they typically have around 10,000 punters on-line during the week: The site provides price and news information for commodity markets. This translates to around 30-40K states on the master firewall. The slave is invariably showing significantly more states in use than the master - typically around 70K. The discrepancy creeps up over time so that after a week or so, when the master is showing 35K the slave is showing 95K (the max is set to 100K). If I reset the state table on the slave, it just starts off roughly in sync with the master and then builds up gradually. I am not sure what is going on here - have you seen or heard of a similar problem before? Is there anything I can do to analyse the system? /Peter -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
