[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf expiring states way too fast (2 hosts using carp+pfsync)



On Wednesday 10 November 2004 20.11, Per-Olov Sjöholm wrote:
> On Wednesday 10 November 2004 19.46, you wrote:
> > On Wed, Nov 10, 2004 at 04:14:59PM +0100, Per-Olov Sj?holm wrote:
> > > >> http://marc.theaimsgroup.com/?l=openbsd-pf&m=109351242125764&w=2
> > > >>
> > > >> This has been fixed in -current, you might want to try that.
> > >
> > > Is this fixed in 3.6 release ?
> >
> > Yes.
> >
> > > Wonder as I have random disconnects when the two firewalls are up at
> > > the same time.
> >
> > Which version are you running?
>
> I use 2 HP intel servers running 3.6 with carp for lan , dmz and external
> interfaces. Plus one dedicated interface for pfsync.
>
> But it seems to be more stable now with my random disconnects ( I changed
> the lan port in the switch and the lan cable on one of the firewalls). But
> strange that the redundant firewalls passed the initial tests and have ran
> perfect for 2 days before it started to do random disconnects.... When it
> started to act strange I did not see any errors with netstat -s. And it
> worked perfect when just one firewall was started???? Didn't matter which
> one.... The random disconnects were related to tcp based session like ssh
> etc through and to the firewall from the lan. But a console login on the
> firewall and an ssh session out on the internet worked.... So I really hope
> it was the lan switch port or the cable...
>
> The reason for asking was that I use adaptive timeouts...
>
> Tnx
> /Per-Olov
Well, my random disconnect problem still persists.
The firewalls can run really perfect for a couple of days. And just like that  
we have a problem that only non web users notice (ssh, telnet users etc). 
Then we see random quick disconnects. We can even see this when going 
directly to the firewalll interface with ssh and not against the carp 
interface. It's not the switches. I have tried several differents ones and 
also against other interfaces in the firealls (xl* and fxp* interfaces).
The file:
 http://www.incedo.org/~sjoholmp/pf/real_fuckup.txt 
shows a tcpdump when it hangs when I just did a SSH from the lan to one the 
lan interface of the firewall that holds the primary carp for the lan net. 
When the problerm occurs you can see that the system is sending alot of 
packets with "P" flags. It also seems that an ssh to the lan interface of the 
backup firewall   seems to work.....
It seems like the problem goes away when I remove my "flags S/SA" from the 
rules. But the strange thing is that it had worked for days before the 
problem appeared. Rebooting the master firewall wont help. Only two things 
helps. 
Either - remove the "flags S/SA" from the rules.
Or - shut down the primary fw and just use the backup.
Could this be a bug with carp, pf or pfsync that I am not aware of yet?
(btw, I have disabled adaptive timeouts even though I use 3.6 where it should 
be fixed)
Any help very much appreciated.
Thanks in advance
Per-Olov Sjöholm

Attachment: pgp00195.pgp
Description: PGP signature