Hi,

We recently deployed OpenBSD 4.7 boxes to do load balancing in our environment with relayd.

After a few hours we encountered a problem with the server going beyond 10,000 states. After much research and man pages, we set states to a "ridiculous" number. Yes, the number was 100,000. We also changed the states to expire much faster. We redeployed the box and everything was normal for a few days until we started having issues with the box again. This time the states were at 20,000 and again pf/relayd started having issues. The box has 4 GB of RAM, multiple cores, etc. By issues I mean: can't ssh to the box sometimes, can't get relayctl to show hosts, etc.

Can someone who is an expert at this look at it and tell me what may be wrong here? I have a couple of questions:

1. Do I need pf for relayd when I am not doing redirects?
2. How many states can I "really" have on a box that has 4 GB of RAM? Is it governed by how much memory is allocated to the kernel? (I read it somewhere while googling.) Can I change that?

Here is pf.conf. Basically, since the box is BEHIND a corporate Juniper firewall, we didn't really need to block anything. So pf.conf is very simple and so is the relayd.conf.

I would really appreciate any help.

    ext_if="fxp0"
    web_if="fxp1"

    set loginterface $ext_if
    set optimization aggressive
    set skip on lo
    set limit { states 100000 }

    set timeout tcp.first 10
    set timeout tcp.opening 10
    set timeout tcp.established 60
    set timeout tcp.closing 10
    set timeout tcp.finwait 10
    set timeout tcp.closed 10

    pass quick on $ext_if
    # NOTE: $mgt_if is not defined in this file; only ext_if and web_if are
    # declared above, so pfctl will reject the ruleset as posted.
    pass quick on $mgt_if

Here is the relayd.conf file:

    # $OpenBSD: relayd.conf,v 1.13 2008/03/03 16:58:41 reyk Exp $

    #
    # Macros
    #
    images_vip="10.1.0.107"

    #
    # Global Options
    #
    interval 30
    #timeout 180

    #
    # Each table will be mapped to a pf table.
    #
    table <webhosts> { web01 web02 web03 web04 web05 web06 }
    table <fallback> { 127.0.0.1 }

    #
    # Services will be mapped to a rdr rule.
    #

    #
    # Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
    #
    relay web {
        # NOTE: $webip is not defined in this file; the only macro declared
        # above is images_vip.
        listen on $webip port 80
        session timeout 180
        forward to <webhosts> port 8080 mode roundrobin \
            check tcp
    }

thank you
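The symptoms in the post (ssh and relayctl becoming unresponsive as the state count climbs) are what state-table exhaustion looks like from the outside, so the first thing worth having on such a box is a check that compares the live state count against the configured hard limit before the limit is hit. The script below is an added example, not something from the original post or from the relayd/pf projects: it parses the output of `pfctl -si` and `pfctl -sm` and reports OK, WARN or FULL against a warning threshold. The two sample outputs embedded in it are constructed so the script runs offline; on a real box the comment near the bottom shows how to feed it the live command output instead.

```shell
#!/bin/sh
# Added example (not from the original post): report pf state-table usage
# against the hard limit configured with "set limit { states N }".
# SAMPLE_SI and SAMPLE_SM are constructed stand-ins for live pfctl output.

# Constructed sample of `pfctl -si` (only the State Table block matters here).
SAMPLE_SI='Status: Enabled for 0 days 02:11:07           Debug: err

State Table                          Total             Rate
  current entries                    19680
  searches                        48213995         6134.5/s
  inserts                          3912345          497.8/s
  removals                         3892665          495.2/s'

# Constructed sample of `pfctl -sm` (memory limits).
SAMPLE_SM='states        hard limit    20000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000'

# current_entries <pfctl -si text>: prints the number of live state entries.
current_entries() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_limit <pfctl -sm text>: prints the hard limit for the states pool.
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'
}

# usage_percent <current> <limit>: integer percentage of the limit in use.
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# check_states <current> <limit> <warn-percent>
# Prints one status line; exit status 0 = OK, 1 = WARN, 2 = FULL, so it can be
# dropped into cron or a monitoring wrapper without parsing the text.
check_states() {
    cur=$1; lim=$2; warn=$3
    pct=$(usage_percent "$cur" "$lim")
    if [ "$cur" -ge "$lim" ]; then
        echo "FULL: $cur/$lim states (${pct}%) - new connections will be dropped"
        return 2
    elif [ "$pct" -ge "$warn" ]; then
        echo "WARN: $cur/$lim states (${pct}%)"
        return 1
    fi
    echo "OK: $cur/$lim states (${pct}%)"
    return 0
}

# On a live OpenBSD box use the real commands instead of the samples:
#   cur=$(current_entries "$(pfctl -si)")
#   lim=$(state_limit "$(pfctl -sm)")
cur=$(current_entries "$SAMPLE_SI")
lim=$(state_limit "$SAMPLE_SM")
check_states "$cur" "$lim" 80 || :
```

Run from cron every minute and alert on a non-zero exit status; with the constructed sample it reports WARN at 98% of a 20,000-state limit, which is the situation the post describes just before the box stops answering.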