
Re: no new states and high rate of searches



Hi Dave,
>    I've got two firewalls in a CARP/pfsync configuration running a
> 3.5-snapshot from July.
I'm seeing the same symptoms as you on this, presently running -current
as of a few days back, but first noticed the problem with a mid-July
snapshot - which is what I was current when I got pfsync working with my
adaptive timeouts fix.  Generally for me though, if it is going to
happen, it happens immediately after a restart of the primary firewall,
after the bulk updates complete, and around the time that the machine
becomes the CARP master.  Were you seeing the problem with 3.5-stable?
In case it is significant, my machines have Intel Gigabit (em) NICs in
them.
>    I had a firewall on another machine with the exact same ruleset and
> no problems.
.. but without CARP/pfsync on that machine?  If so, same here again.
>    If I reboot the firewall, the problem clears up.  The other strange
> thing is that my carp backup machine has the exact same symptoms!
By this do you mean that while your primary machine is displaying these
symptoms you can't ping localhost on the backup machine, and as soon as
you reboot the primary machine the backup machine can ping localhost
again?  I haven't noticed this behaviour locally, but I also haven't
been testing for it - will do though the next time I restart my primary
and the behaviour recurs.
>    Here's what it looks like when it is hosed:
> State Table                          Total             Rate
>    current entries                       11
>    searches                         2253992         6956.8/s
>    inserts                             1301            4.0/s
>    removals                            1290            4.0/s
> The rates are the things that look crazy to me.   Otherwise, the
> machine seems perfectly happy.  Lots of memory, zero cpu load.
In my environment 7000 searches per second isn't very high, so I haven't
paid any attention to the rate of searches.  (These numbers seem
inflated right after a bulk sync, anyway).  In my case if I do a
pfctl -vvsr I thought I saw lots of increases of the evaluations
counters for rules but few match counters that I expected to go up were
doing so - do you see the same?
Regards
Chris