On Wed, Oct 08, 2008 at 04:03:14PM -0700, Mike Sweetser - Adhost wrote:
> rdr on ! $vlanX_if proto { udp tcp } from any to $web_183_ext port { 80
> 443 } -> <web_183_roundrobin> round-robin sticky-address
> 
> It's working - too well.  We're noticing that it's round-robining not
> only based on the IP address, but the port as well - connections from
> the same machine to ports 80 and 443 are hitting different servers:

[snip] 

> Is there any way to set this so that a given client IP will hit the same
> server in the pool, regardless of port?  

This rdr rule is actually expanded by the parser into two separate
rules, so the round-robin is handled differently by the two.

Use 'keep state (source-track global)' on the inbound filter rule that passes
this traffic, and you should see the same mappings being used for all
connections.


> In addition, we're noticing that states seem to expire pretty quickly -
> sometimes in less than a minute.  We're currently using "set
> optimization normal" - will changing this to conservative help matters?
> Is there a way to modify the state timeouts on a more granular level?

Normally TCP connections in the ESTABLISHED state will remain around for
24 hours after the most recent packet. If your states are being torn
down in less than a minute, it's because the 3-way handshake is not
completing, either one of the endpoints is terminating the connection,
or you're reaching the state limit and adaptive timeouts are kicking in.
Have you changed the state limit, or the adaptive.start and adaptive.end
timeouts from the defaults?

-Ryan
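The two pieces Ryan describes, put together in one pf.conf fragment (OpenBSD 4.x syntax of the time). This is an added example, not code from the thread or from Mike's rule set: $vlanX_if, $web_183_ext and the <web_183_roundrobin> table are assumed to be defined earlier in the file, and the limit and timeout values are the pf defaults of that era, spelled out only so they can be compared against the running system.

```pf
# pf.conf fragment (OpenBSD 4.x). Macros and the table are assumed to be
# defined above this point, e.g.:
#   vlanX_if = "vlan183"
#   web_183_ext = "192.0.2.10"          # placeholder address
#   table <web_183_roundrobin> { 10.0.183.11 10.0.183.12 10.0.183.13 }

# State limit and timeouts. These are the defaults (10000 states,
# adaptive scaling between 6000 and 12000 states, 24h for established
# TCP); they are written out here so the running values can be checked
# with pfctl -s memory and pfctl -s timeouts.
set limit states 10000
set timeout { tcp.established 86400, adaptive.start 6000, adaptive.end 12000 }
set optimization normal

# The original rdr, unchanged. The parser expands { udp tcp } x { 80 443 }
# into separate rules, each with its own round-robin position.
rdr on ! $vlanX_if proto { udp tcp } from any to $web_183_ext port { 80 443 } \
    -> <web_183_roundrobin> round-robin sticky-address

# Filter rule that passes the redirected traffic (destination is already
# rewritten to the pool member when the filter sees it). source-track
# global keeps a single source-tracking entry per client address shared
# by all rules, so a client's port 80 and port 443 connections land on
# the same pool member. A per-rule timeout override goes in the same
# parentheses, e.g. keep state (source-track global, tcp.established 3600).
pass in on ! $vlanX_if proto tcp from any to <web_183_roundrobin> port { 80 443 } \
    flags S/SA keep state (source-track global)
```

After loading with pfctl -f /etc/pf.conf, pfctl -s Sources lists the source-tracking entries (one per client address, with the current redirect target), pfctl -s states shows whether the 80 and 443 states for a client point at the same backend, and pfctl -s info together with pfctl -s memory shows whether the state count is anywhere near the limit that would trigger adaptive timeouts.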
