192.168.20.2 <- w2k srv
192.168.20.3 <- w2k srv
192.168.20.7 <- w2k srv
192.168.20.8 <- w2k srv
192.168.20.9 <- w2k srv
192.168.20.10 <- another freebsd box
192.168.20.210 <- the firewall
23:58:43.356569 arp who-has 192.168.20.99 tell 192.168.20.8
23:58:46.471284 arp who-has 192.168.20.127 tell 192.168.20.3
23:58:46.472257 arp who-has 192.168.20.127 tell 192.168.20.8
23:59:04.543497 arp who-has 192.168.20.2 tell 192.168.20.3
23:59:10.352106 arp who-has 192.168.20.7 tell 192.168.20.200
23:59:15.827551 arp who-has 192.168.20.251 tell 192.168.20.7
23:59:17.082626 arp who-has 192.168.20.201 tell 192.168.20.8
23:59:20.245406 arp who-has 192.168.20.201 tell 192.168.20.112
23:59:22.723713 arp who-has 192.168.20.104 tell 192.168.20.3
23:59:26.517132 arp who-has 192.168.20.6 tell 192.168.20.8
23:59:28.824120 arp who-has 192.168.20.7 tell 192.168.20.99
23:59:29.801078 arp who-has 192.168.20.6 tell 192.168.20.7
23:59:48.762973 arp who-has 192.168.20.165 tell 192.168.20.8
23:59:55.203905 arp who-has 192.168.20.75 tell 192.168.20.3
23:59:55.688710 arp who-has 192.168.20.114 tell 192.168.20.8
23:59:55.861042 arp who-has 192.168.20.77 tell 192.168.20.8
00:00:00.192659 arp who-has 192.168.20.106 tell 192.168.20.201
00:00:04.337994 arp who-has 192.168.20.10 tell 192.168.20.8
00:00:04.538035 arp who-has 192.168.20.10 tell 192.168.20.2
00:00:04.775959 arp who-has 192.168.20.10 tell 192.168.20.3
00:00:05.022385 arp who-has 192.168.20.10 tell 192.168.20.9
00:00:05.066194 arp who-has 192.168.20.10 tell 192.168.20.7
00:00:05.209935 arp who-has 192.168.20.10 tell 192.168.20.6
00:00:20.085908 arp who-has 192.168.20.9 tell 192.168.20.3
00:00:20.116177 arp who-has 192.168.20.9 tell 192.168.20.8
00:00:22.235535 arp who-has 192.168.20.101 tell 192.168.20.8
00:00:22.236614 arp who-has 192.168.20.101 tell 192.168.20.3
00:00:23.118443 arp who-has 192.168.20.54 tell 192.168.20.3
00:00:25.075679 arp who-has 192.168.20.7 tell 192.168.20.201
00:00:29.815522 arp who-has 192.168.20.166 tell 192.168.20.7
00:00:30.587208 arp who-has 192.168.20.157 (2f:69:70:63:68:65) tell 192.168.20.201
00:00:31.810270 arp who-has 192.168.20.166 tell 192.168.20.7
00:00:45.473558 arp who-has 192.168.20.177 tell 192.168.20.201
From: "."@babolo.ru
To: Vincent Goupil <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Slow network response with FreeBSD 4.6.2 and ipfilter
Date: Wed, 20 Nov 2002 06:10:40 +0300 (MSK)
MIME-Version: 1.0
Received: from aaz.links.ru ([193.125.152.37]) by mc6-f36.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 19 Nov 2002 19:08:36 -0800
Received: from aaz.links.ru (aaz.links.ru [193.125.152.37]) by aaz.links.ru (8.12.6/8.12.6) with ESMTP id gAK3AfDh006526; Wed, 20 Nov 2002 06:10:41 +0300 (MSK) (envelope-from [EMAIL PROTECTED])
Received: (from babolo@localhost) by aaz.links.ru (8.12.6/8.12.6/Submit) id gAK3AeSv006525; Wed, 20 Nov 2002 06:10:40 +0300 (MSK)
Message-Id: <[EMAIL PROTECTED]>
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <[EMAIL PROTECTED]>
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 20 Nov 2002 03:08:36.0969 (UTC) FILETIME=[1E422D90:01C29042]
> I have a system running FreeBSD 4.6.2-RELEASE-p5 #0 with ipfilter v3.4.27.
> This system acts as a firewall for an enterprise. They need high
> availability. I have 5 network cards, all 3C905 (3*3c905B-TX and 2*905C-TX).
> I made this setup in July and it ran fine until 3 weeks ago. The first
> and second cards are for the internet link (primary and backup). The third
> is for the DMZ and the fourth is for the local network. The fifth is unused (marked
> as down). Each card has its own IRQ (except the fifth, which is shared with the
> first). The high availability is provided by the two internet links: if one
> goes down, the second takes the load (change default route, ipf rules, ipnat
> rules and DNS records). This is done by a script run by cron. We can
> also do that manually. We have two /29 networks for the first link and one
> /28 network for the second (we use aliases on the internet interfaces). There are
> only 3 services that run on the firewall: SSH (but only accessible from 3
> subnets), ftpproxy (jftpgw 0.13.1) and snmp (only accessible by one subnet).
>
> We began to have problems 3 weeks ago. The firewall began to have slow
> response. I began to get this arp error message (many times):
> arplookup 255.255.255.0 failed: host is not on local network
> arpresolve: can't allocate llinfo for 255.255.255.0rt
> We rebooted the server and the network was as fast as before. I finally found
> something: when we use aliases, we need to have at least one regular netmask
> (instead of 255.255.255.255) for each network/subnetwork. My error was on
> the first link: my second sub-network was not configured properly. I
> changed it and it stopped giving these errors about arp, but the problem wasn't
> resolved. The network continues to be slow until we reboot the server. This
> happened during the day. Now it happens every time.
>
> What I've done:
> - I changed the netmask (as said earlier)
> - I upgraded from 4.6-RELEASE #0 to 4.6.2-RELEASE-p5 #0.
> - I looked for IRQ conflicts
> - I configured all interfaces with media and mediaopt. They are not using
> autodetect anymore.
> - I ran chkrootkit and nothing was found
>
> What I suspect:
> - I read in a forum that the driver (xl) for the 3C905 is not the best for
> FreeBSD. I don't know if this applies to 4.6.2.
> - Ethernet cables (I need to change them)
> - We run SSL (with a lot of users) on one of our web servers in the DMZ. As
> far as I know, SSL runs on top of TCP, so it should not be a problem.
> - When I run ifpromisc (in chkrootkit), it tells me that "xl0 is not promisc"
> and "xl1 is not promisc". I have 5 interfaces, what about the others?
>
> Does anyone have an idea?
What do you mean when you say "Slow network response"?
If that means that packets take a long time to travel
from some host to the host in question
as reported by tcpdump, does ifconfig xlN down
and then ifconfig xlN up repair the situation
for some time?
What does tcpdump -npi xlN ether broadcast and not ip
say when the slowdown happens?
--
@BABOLO http://links.ru/
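An added example, not part of this thread and not something either poster ran: a small Python script that tallies the "arp who-has X tell Y" / "arp reply X is-at HW" lines that tcpdump -n prints, so a dump like the one at the top of this page can be read as who is asking for what, which targets are never seen to answer, which senders ask for many different addresses, and which requests carry a non-zero target hardware address (tcpdump prints that in parentheses, as in the 192.168.20.157 line above). It also keeps the time span correct when the capture crosses midnight, as that dump does. The SAMPLE lines are constructed for the example, modelled on the capture above; the two reply lines and their hardware address are made up, and the script name arpstat.py is an assumption.

```python
#!/usr/bin/env python3
"""Tally ARP requests and replies from tcpdump -n output (example script, not from the thread)."""
import re
import sys
from collections import Counter, defaultdict

# tcpdump (with -n) prints an ARP request as
#   HH:MM:SS.uuuuuu arp who-has TARGET_IP tell SENDER_IP
# and, when the request carries a non-zero target hardware address, as
#   HH:MM:SS.uuuuuu arp who-has TARGET_IP (xx:xx:xx:xx:xx:xx) tell SENDER_IP
ARP_REQ = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp who-has (?P<target>\d+\.\d+\.\d+\.\d+)"
    r"(?: \((?P<tha>[0-9a-f:]+)\))? tell (?P<sender>\d+\.\d+\.\d+\.\d+)$"
)
# A reply is printed as  HH:MM:SS.uuuuuu arp reply IP is-at xx:xx:xx:xx:xx:xx
ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<hw>[0-9a-f:]+)$"
)

# Constructed sample, modelled on the capture earlier on this page. The reply
# lines and the 00:50:04:aa:bb:cc address are invented for the example.
SAMPLE = """\
23:59:55.203905 arp who-has 192.168.20.75 tell 192.168.20.3
23:59:55.688710 arp who-has 192.168.20.114 tell 192.168.20.8
23:59:55.861042 arp who-has 192.168.20.77 tell 192.168.20.8
00:00:04.337994 arp who-has 192.168.20.10 tell 192.168.20.8
00:00:04.338500 arp reply 192.168.20.10 is-at 00:50:04:aa:bb:cc
00:00:04.538035 arp who-has 192.168.20.10 tell 192.168.20.2
00:00:04.538600 arp reply 192.168.20.10 is-at 00:50:04:aa:bb:cc
00:00:04.775959 arp who-has 192.168.20.10 tell 192.168.20.3
00:00:05.022385 arp who-has 192.168.20.10 tell 192.168.20.9
00:00:29.815522 arp who-has 192.168.20.166 tell 192.168.20.7
00:00:30.587208 arp who-has 192.168.20.157 (2f:69:70:63:68:65) tell 192.168.20.201
00:00:31.810270 arp who-has 192.168.20.166 tell 192.168.20.7
"""


def seconds_of_day(ts):
    """Convert tcpdump's HH:MM:SS.uuuuuu timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(lines):
    """Yield ("request"|"reply", fields) for each ARP line; anything else is skipped."""
    for line in lines:
        line = line.rstrip("\n")
        m = ARP_REQ.match(line)
        if m:
            yield "request", m.groupdict()
            continue
        m = ARP_REPLY.match(line)
        if m:
            yield "reply", m.groupdict()


def analyze(lines, scan_threshold=5):
    """Summarise who asks for what, which targets never answer, and who asks for many hosts."""
    per_sender, per_target, replies = Counter(), Counter(), 0
    targets_by_sender = defaultdict(set)
    answered = set()
    nonzero_tha = []
    first = last = prev = None
    day_offset = 0.0
    for kind, f in parse(lines):
        t = seconds_of_day(f["ts"])
        # tcpdump prints time of day only: a jump backwards means the capture crossed midnight
        if prev is not None and t < prev - 1.0:
            day_offset += 86400.0
        prev = t
        t += day_offset
        if first is None:
            first = t
        last = t
        if kind == "request":
            per_sender[f["sender"]] += 1
            per_target[f["target"]] += 1
            targets_by_sender[f["sender"]].add(f["target"])
            if f["tha"]:  # request with a non-zero target hardware address: unusual, worth a look
                nonzero_tha.append((f["ts"], f["target"], f["tha"], f["sender"]))
        else:
            replies += 1
            answered.add(f["ip"])
    span = (last - first) if first is not None else 0.0
    requests = sum(per_sender.values())
    return {
        "requests": requests,
        "replies": replies,
        "span_seconds": span,
        "requests_per_second": requests / span if span > 0 else 0.0,
        "per_sender": dict(per_sender),
        "per_target": dict(per_target),
        "unanswered": {t: n for t, n in per_target.items() if t not in answered},
        "scanners": sorted(s for s, ts in targets_by_sender.items() if len(ts) >= scan_threshold),
        "nonzero_tha": nonzero_tha,
    }


def report(r):
    print(f"{r['requests']} requests, {r['replies']} replies over {r['span_seconds']:.1f}s "
          f"({r['requests_per_second']:.2f} req/s)")
    for ip, n in sorted(r["per_target"].items(), key=lambda kv: -kv[1])[:5]:
        flag = "  (never answered)" if ip in r["unanswered"] else ""
        print(f"  most asked for: {ip} x{n}{flag}")
    for s in r["scanners"]:
        print(f"  asks for many different hosts: {s}")
    for ts, target, tha, sender in r["nonzero_tha"]:
        print(f"  {ts} request for {target} from {sender} carries target hw {tha}")


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines(keepends=True)
    report(analyze(src))
```

Usage, with the interface names from the thread: run "tcpdump -npi xlN arp > arp.log" on the firewall during a slowdown, then "python3 arpstat.py arp.log". A target that many hosts keep asking for but that never replies, or a request rate far above what the segment showed when it was healthy, points at a host or netmask problem rather than at the firewall's cards; a request whose target hardware field is not zero, like the 192.168.20.157 line in the capture above, is something a normal resolver does not send and deserves a closer look at its sender.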