On Fri, 10 Oct 2014 21:28:25 +0000 (UTC) Stuart Henderson <s...@spacehopper.org> wrote:
Hi Stuart,

Many thanks for the input. I do have access to the servers too.

> I was going to suggest that you might have asymmetric routing causing
> "split states" i.e. one firewall seeing inbound packets, one seeing
> outbound, in which case "ifconfig pfsync0 defer" might help, but
> (assuming you weren't just seeing issues from connections which
> had been setup before disabling one firewall) the above test would
> seem to rule that out ..

I think we had fewer connection drops with only one firewall, but they didn't disappear.

Pfsync is configured to use unicast, and the defer option is present:

# cat /etc/hostname.pfsync0
up syncif vlan123 defer syncpeer xx.xx.xx.xx

You are correct, the routing can be asymmetric in our case.

> What does the output of "sysctl kern.netlivelocks net.inet.ip.ifq"
> look like?

net.inet.ip.ifq.maxlen was set to 256; I've changed it to 768. I'll check whether the value of net.inet.ip.ifq.drops changes.

Kind regards,
Daniel
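The follow-up Daniel describes (watching whether net.inet.ip.ifq.drops keeps growing after raising maxlen) is easy to get wrong by eyeballing two sysctl runs, so here is a small script for it. This is an added example, not code from the thread or from OpenBSD: it assumes the `key=value` line format that OpenBSD's sysctl prints for `sysctl kern.netlivelocks net.inet.ip.ifq`, and the two samples embedded below are constructed, not real output from the firewalls in question. It reports separately whether the IP input queue overflowed (ifq.drops grew) or the kernel detected network livelocks (kern.netlivelocks grew) between two samples; the live branch at the end only runs on an OpenBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): compare two samples of
# `sysctl kern.netlivelocks net.inet.ip.ifq` and report growth in
# net.inet.ip.ifq.drops and kern.netlivelocks.

# Constructed sample output in the key=value form OpenBSD's sysctl prints.
SAMPLE_BEFORE='kern.netlivelocks=12
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=1043'
SAMPLE_AFTER='kern.netlivelocks=15
net.inet.ip.ifq.len=3
net.inet.ip.ifq.maxlen=768
net.inet.ip.ifq.drops=1120'

# sysctl_val KEY TEXT: print the value of KEY from a block of key=value lines.
sysctl_val() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# delta KEY BEFORE AFTER: print AFTER minus BEFORE for KEY (missing keys count as 0).
delta() {
    a=$(sysctl_val "$1" "$2")
    b=$(sysctl_val "$1" "$3")
    echo $(( ${b:-0} - ${a:-0} ))
}

# check_queue BEFORE AFTER: print a diagnosis; return 1 if either counter grew.
check_queue() {
    d=$(delta net.inet.ip.ifq.drops "$1" "$2")
    l=$(delta kern.netlivelocks "$1" "$2")
    rc=0
    if [ "$d" -gt 0 ]; then
        echo "net.inet.ip.ifq.drops grew by $d: IP input queue overflowed" \
             "(maxlen now $(sysctl_val net.inet.ip.ifq.maxlen "$2"))"
        rc=1
    fi
    if [ "$l" -gt 0 ]; then
        echo "kern.netlivelocks grew by $l: kernel detected network livelock"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "no new ifq drops or livelocks"
    fi
    return $rc
}

# Demonstration on the constructed samples (expected to report growth).
check_queue "$SAMPLE_BEFORE" "$SAMPLE_AFTER" || :

# Live use on the firewall itself: sample, wait a minute, sample again.
if [ "$(uname -s)" = OpenBSD ]; then
    before=$(sysctl kern.netlivelocks net.inet.ip.ifq)
    sleep 60
    after=$(sysctl kern.netlivelocks net.inet.ip.ifq)
    check_queue "$before" "$after"
fi
```

Run it over a few intervals during the period when connections are being dropped: drops that keep growing after the maxlen change point at the queue still overflowing, while a growing livelock count without new drops points at the interrupt handlers not keeping up rather than at the queue length itself.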