Bill

The uptime on both systems is 3 days or so. The error counters on both machines for the pfsync interface are zero.

pfsync is a VLAN - it shares the same physical line as the LAN interface, which is also showing up with zero errors, as is the physical interface they are carved from. I am using em(4) interfaces, Intel chipset.

I have switched to aggressive on the slave - not surprisingly the state usage has nose-dived. However, I am not sure what impact that would have on traffic to the site.

I am a bit puzzled at how many states are in time-wait. I must say that I thought the theory of stateful filtering was that the state would be deleted once the firewall had seen the fin2 go past. I guess that aggressive just cleans up faster.

/Peter

On Saturday 27 May 2006 13:43, Bill Marquette wrote:
> Just a wild ass guess at this point I'm afraid. Any chance you've got
> some packet loss on the sync interface, or really really crappy NICs?
> It kinda sounds like the state deletion notices aren't always making
> it across. The nice thing about state updates and why they're still
> obviously working is that if the secondary machine sees a state update
> for a state it doesn't have, it requests full info on that state and
> adds it. So over the course of a TCP conversation it's going to have
> multiple opportunities to add state - not so for deletions. In the
> meantime on the secondary, you could try setting the state
> optimization to aggressive - it might help a little, but I'd check
> your error counters on the sync interfaces and see if they're
> climbing.
>
> --Bill
>
> On 5/27/06, Peter Curran <[EMAIL PROTECTED]> wrote:
> > Bill
> >
> > I identified this problem a few days ago when asking about the sizing of
> > state table entries. I have now had time to study the issue over a
> > longer period of time.
> >
> > The site I am working with is pretty busy - they typically have around
> > 10,000 punters on-line during the week: the site provides price and news
> > information for commodity markets. This translates to around 30-40K
> > states on the master firewall.
> >
> > The slave is invariably showing significantly more states in use than
> > the master - typically around 70K. The discrepancy creeps up over time
> > so that after a week or so, when the master is showing 35K the slave is
> > showing 95K (the max is set to 100K).
> >
> > If I reset the state table on the slave, it just starts off roughly in
> > sync with the master and then builds up gradually.
> >
> > I am not sure what is going on here - have you seen or heard of a similar
> > problem before? Is there anything I can do to analyse the system?
> >
> > /Peter
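As an added illustration of Bill's explanation in the thread above (constructed here, not code from either poster and not pf's own pfsync logic): a toy model in which the slave learns a state from any INSERT or UPDATE it sees but can only forget it on a DELETE, so a lost DELETE leaves an orphan until the slave's own timeout expires it. The loss rate, timeouts and tick-based timing are all assumptions of the model.

```python
import random


def simulate(ticks, new_per_tick, lifetime, loss, slave_timeout, seed=7):
    """Return (master_states, slave_states) after `ticks` steps.

    Each tick the master opens `new_per_tick` connections that live for
    `lifetime` ticks. It sends an INSERT on open, an UPDATE every tick the
    state is alive, and a single DELETE on close. Every message is lost
    independently with probability `loss` (assumed; models a flaky sync link).
    The slave expires a state `slave_timeout` ticks after the last message it
    saw for it (a short timeout stands in for 'optimization aggressive').
    """
    rng = random.Random(seed)
    master = {}   # state id -> tick at which the master closes it
    slave = {}    # state id -> tick of the last message the slave saw for it
    next_id = 0
    for now in range(ticks):
        # Open new connections; an INSERT may be lost, but later UPDATEs heal that.
        for _ in range(new_per_tick):
            master[next_id] = now + lifetime
            if rng.random() >= loss:
                slave[next_id] = now
            next_id += 1
        for sid, closes in list(master.items()):
            if closes <= now:
                del master[sid]                  # master saw the close itself
                if rng.random() >= loss:
                    slave.pop(sid, None)         # DELETE arrived
                # a lost DELETE is never resent: the slave keeps an orphan
            elif rng.random() >= loss:
                slave[sid] = now                 # UPDATE; an unknown state is
                                                 # requested and added, so this
                                                 # repairs earlier losses too
        # Slave-side expiry is the only other way an orphan ever disappears.
        for sid in [s for s, t in slave.items() if now - t >= slave_timeout]:
            del slave[sid]
    return len(master), len(slave)


if __name__ == "__main__":
    print("no loss, long timeout  :", simulate(500, 20, 10, 0.00, 1000))
    print("5% loss, long timeout  :", simulate(500, 20, 10, 0.05, 1000))
    print("5% loss, short timeout :", simulate(500, 20, 10, 0.05, 5))
```

With zero loss the two tables track exactly; with a few percent of sync messages lost the slave's count climbs steadily above the master's, and shortening the slave's timeout caps the growth, which is the pattern described in the thread.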
