Hi Folks,
We have recently installed syweb to monitor our firewalls (we have two bridges in parallel between two core switches and an external switch). At the moment one is unplugged from its internal switch but is still connected to the second and both are running pfsync.
Both machines are running 3.6.
core switch1 ------ fw 1 ---------+
     |                            |
     |                            |
     |                     external switch --- border router-----
     |                            |
     |                            |
core switch2 --/ -- fw 1 ---------+
So only FW1 is seeing any traffic.
The graphs for the last 24H show a large spike in cpu usage for *both* machines
from 3am to 6am. This corresponds with a large spike (to 60K/sec) in state
searches on *both* machines. But there is no increase in the number of states
being held and no obvious increase in dropped packets? Nor do the interface
stats show any increase in packet/sec or bytes/sec.
So my question is "What event causes a state search without registering on the
dropped packet count or the interface stats?"
I have attached a graph from syweb for the last week which shows two incidents
of this type.
(hmmm... well I would if the mailing list would allow me ;) I'm resending sans
attachment.
Cheers and thanks, Russell