Mark Morley wrote: > Hi folks, > > Wondering if this rings any bells for anyone: > > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw > to 6.1-STABLE with pf, customers started reporting that occasionally > their server side scripts would fail to connect to the SQL servers > (which are still 4.11 and are attached via a separate dedicated > gigabit network). > > A test page that makes 10,000 rapid SQL connections which connected > 100% > of the time before, now will usually see anywhere from one or two > failed > connections to a dozen or so (per 10,000) > > After trying many other things first, we finally found that 'pf' seems > to be the culprit.
I've experienced the same. If you have a lot of concurrent connections going on it seems that every so often an connection will be blocked, even if it doesnt match any rule. In my case I experienced this with apache22 acting as a reverse proxy/virtual host. Symptoms: 1. Sudden burst of traffic to a specific virtual host. 2. After some time, normally <30 seconds one of the connection attempts is reset. 3. Apache immediately stops proxying for any subsequent connections and returning a 'too busy message'. The project this was related to got shelved so it hasn't bothered me again yet, but I didn't find any workaround. > Disabling pf with pfctl -d allows 100% of all connections to work, and > as soon as we enable it we see connection failures again. Snap. > I've tried changing the pf rule set in different ways, with and > without > scrubbing, with and without queues, even to the point where I have a > single > rule that just allows everything. It doesn't seem to matter what the > rules > actually are, just whether or not pf is enabled. Same as me. > I recompiled the kernel with pf disabled and ipfw enabled, and it > works > fine with 100% successful connections. We have no funky compiler > options > or anything like that. > > Any thoughts? > > Mark > > -- > Mark Morley > Owner / Administrator > Islandnet.com > > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" > Cheers, Dom _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
