On 01/04/14 21:21, Kapetanakis Giannis wrote:
After updating my primary firewall to current, the pfsync initial sync does not end.

Primary firewall is
 OpenBSD 5.5-current (GENERIC.MP) #0: Tue Apr  1 19:26:27 EEST 2014
with latest 5.5 errata applied,

secondary firewall is a bit older but I'm afraid to update because this might be the only working one.
OpenBSD 5.5-beta (GENERIC.MP) #287: Fri Feb  7 11:45:09 MST 2014
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# grep pfsync /var/log/messages
Apr 1 19:29:24 primary /bsd: carp: pfsync0 demoted group carp by 32 to 164 (pfsync init)
Apr 1 19:29:24 primary /bsd: carp: pfsync0 demoted group pfsync by 32 to 32 (pfsync init)
Apr 1 19:29:24 primary /bsd: carp: pfsync0 demoted group carp by 1 to 165 (pfsync bulk start)
Apr 1 19:29:24 primary /bsd: carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start)
Apr 1 20:56:59 primary /bsd: carp: pfsync0 demoted group carp by -1 to 32 (pfsync bulk fail)
Apr 1 20:56:59 primary /bsd: carp: pfsync0 demoted group pfsync by -1 to 32 (pfsync bulk fail)
Apr 1 20:56:59 primary /bsd: carp: pfsync0 demoted group carp by -32 to 0 (pfsync init)
Apr 1 20:56:59 primary /bsd: carp: pfsync0 demoted group pfsync by -32 to 0 (pfsync init)
Apr  1 20:56:59 primary /bsd: pfsync: failed to receive bulk update

# pfctl -si
State Table                          Total             Rate
  current entries                   111638
  searches                       552324629        87851.9/s
  inserts                          2808797          446.8/s
  removals                         2697159          429.0/s


It does get states from backup firewall since it has almost the same number of entries (100K)


The logs on backup firewall say:
Apr 1 19:27:17 backup /bsd: carp: pfsync0 demoted group carp by 1 to 1 (pfsync link state down)
Apr 1 19:27:17 backup /bsd: carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync link state down)
Apr 1 19:27:27 backup /bsd: carp: pfsync0 demoted group carp by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:27:27 backup /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:27:45 backup /bsd: carp: pfsync0 demoted group carp by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:27:45 backup /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:28:55 backup /bsd: carp: pfsync0 demoted group carp by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:28:55 backup /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:29:24 backup /bsd: carp: pfsync0 demoted group carp by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:29:24 backup /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync bulk cancelled)
Apr 1 19:38:36 backup /bsd: carp: pfsync0 demoted group carp by -1 to 0 (pfsync link state up)
Apr 1 19:38:36 backup /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsync link state up)

They are connected with a cross-over cable and they have set skip on that interface.
It has been working like this the last few years.

regards,

Giannis


Today's kernel seems ok.

G
