On 9/5/07, Rian Shelley <[EMAIL PROTECTED]> wrote:
> As far as I can tell, I am having the same problem described by Bill
> Marquette. I have two firewalls using pfsync, where the secondary
> firewall just increases its state count steadily.
>
> I created a simple libpcap program to watch the pfsync headers flowing
> by, and I see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
> PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I don't see any of type 3 or 5, which
> are the ones that delete state. As far as I can tell, states are
> pumped across the link, but never removed and are left to time out on
> their own.
I'll have to run our scripts again, but I'm pretty sure we were seeing
state deletions. But we certainly were not seeing 1-for-1
insert/deletion messages (one of our clusters frontends the web servers,
so we have LOTS of short-lived states).

> I'd like to add myself as another datapoint for this problem.
> Currently I am getting about 15k send errors per second, and I'm up to
> 1.8 million states on the secondary firewall :D

Nice. How much RAM is that eating? I'm happy to hear that FreeBSD seems
to be able to handle a state count this high. What's the state limit in
your config?

--Bill
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
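The pfsync header tally Rian describes, as an added example that is not code from the thread or from FreeBSD: a Python parser that pulls pfsync headers out of raw IPv4 packets, counts the action types (and the state records each header carries), and flags a capture in which inserts/updates were synced but no PFSYNC_ACT_DEL or PFSYNC_ACT_DEL_C ever appeared. It assumes the pfsync v3 header layout from the OpenBSD/FreeBSD if_pfsync.h of that era (version, af, action, count, then a 16-byte pf_chksum) and IP protocol 240 for pfsync; both should be checked against the running kernel's headers. The packets at the bottom are constructed inline for illustration, not a real capture.

```python
"""Tally pfsync action types seen in raw IPv4 packets (added example)."""
import struct
from collections import Counter

IPPROTO_PFSYNC = 240    # assumed value; verify against the kernel's in.h
PFSYNC_VERSION = 3      # assumed; verify against sys/net/if_pfsync.h
PFSYNC_HDR_LEN = 20     # version, af, action, count + 16-byte pf_chksum (assumed layout)

PFSYNC_ACTIONS = {
    0: "PFSYNC_ACT_CLR", 1: "PFSYNC_ACT_INS", 2: "PFSYNC_ACT_UPD",
    3: "PFSYNC_ACT_DEL", 4: "PFSYNC_ACT_UPD_C", 5: "PFSYNC_ACT_DEL_C",
    6: "PFSYNC_ACT_INS_F", 7: "PFSYNC_ACT_DEL_F", 8: "PFSYNC_ACT_UREQ",
    9: "PFSYNC_ACT_BUS",
}
UPDATE_ACTIONS = {1, 2, 4}   # INS, UPD, UPD_C: actions that add or refresh state
DELETE_ACTIONS = {3, 5}      # DEL, DEL_C: the actions Rian never saw


def pfsync_payload(ip_packet: bytes):
    """Return the pfsync payload of a raw IPv4 packet, or None if it is not pfsync."""
    if len(ip_packet) < 20 or (ip_packet[0] >> 4) != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != IPPROTO_PFSYNC or len(ip_packet) < ihl:
        return None
    return ip_packet[ihl:]


def parse_pfsync_header(payload: bytes):
    """Return (version, af, action, count) or None for short/unknown-version payloads."""
    if len(payload) < PFSYNC_HDR_LEN:
        return None
    version, af, action, count = struct.unpack("!BBBB", payload[:4])
    if version != PFSYNC_VERSION:
        return None
    return version, af, action, count


def tally_actions(packets):
    """Count pfsync headers per action, and the state records (count field) they carry."""
    headers, records = Counter(), Counter()
    for pkt in packets:
        payload = pfsync_payload(pkt)
        hdr = parse_pfsync_header(payload) if payload is not None else None
        if hdr is None:
            continue                      # non-pfsync or truncated: ignore
        _, _, action, count = hdr
        headers[action] += 1
        records[action] += count
    return headers, records


def deletes_missing(headers: Counter) -> bool:
    """True when states were inserted/updated over the link but never deleted."""
    saw_updates = any(headers[a] for a in UPDATE_ACTIONS)
    saw_deletes = any(headers[a] for a in DELETE_ACTIONS)
    return saw_updates and not saw_deletes


def describe(headers: Counter, records: Counter):
    return ["%s: %d headers, %d records" % (PFSYNC_ACTIONS.get(a, "unknown(%d)" % a),
                                            headers[a], records[a])
            for a in sorted(headers)]


# --- constructed sample traffic (not a real capture) ---
def build_pfsync(action: int, count: int, af: int = 2) -> bytes:
    return struct.pack("!BBBB", PFSYNC_VERSION, af, action, count) + b"\x00" * 16


def build_ipv4(proto: int, payload: bytes,
               src=b"\xc0\xa8\x01\x01", dst=b"\xe0\x00\x00\xf0") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 255, proto, 0, src, dst)
    return hdr + payload


SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_PFSYNC, build_pfsync(8, 1)),    # UREQ
    build_ipv4(IPPROTO_PFSYNC, build_pfsync(4, 10)),   # UPD_C, 10 states
    build_ipv4(IPPROTO_PFSYNC, build_pfsync(4, 10)),
    build_ipv4(IPPROTO_PFSYNC, build_pfsync(4, 10)),
    build_ipv4(IPPROTO_PFSYNC, build_pfsync(2, 5)),    # UPD, 5 states
    build_ipv4(IPPROTO_PFSYNC, build_pfsync(2, 5)),
    build_ipv4(17, b"not pfsync"),                     # UDP: ignored
    build_ipv4(IPPROTO_PFSYNC, b"\x03\x02"),           # truncated header: ignored
]

if __name__ == "__main__":
    hdrs, recs = tally_actions(SAMPLE_PACKETS)
    for line in describe(hdrs, recs):
        print(line)
    print("no delete actions seen:", deletes_missing(hdrs))
```

To run this against live traffic, capture on the pfsync interface with libpcap or tcpdump, strip the link-layer header from each frame, and pass the remaining IPv4 packets to tally_actions; on a healthy pair the DEL/DEL_C counters should climb alongside the UPD/UPD_C ones.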
