Hi list, I have faced an interesting problem in an active-failover setup for two OpenBSD firewalls with CARP. I'm not sure whether this is my fault or if there is something else I'm just missing.
Two 5.0-current machines in an active-failover setup share the same pf.conf. Both are set up with CARP on ext/int. pf.conf is set up according to the official documentation, i.e. the guide on the web.

The problem: a steadily growing number of states on the "failover" side. With the default settings (state limit 10000) I'm faced with the "failover" side just refusing to accept any new states. According to the man page it should zero all states at 120% of the state limit, yet I don't see it - at most 5 states are discarded, so I'm able to "ssh in", but they are NOT zeroed and flushed. Then I check the number of fails, etc. I see 40k, i.e. far beyond the point where it is time to zero and flush states (120%). Thus I have increased the state limit to 50k and defined adaptive.start/adaptive.end to create states with a lower exp. time. Yet the number of states keeps growing on the "failover" side. On the running master it is 6k, while on the failover it is 20k, i.e. a bit over double the states. Setting constrained values for start/end adaptive flushes legit states. Sure, they can be re-created (the master re-populates the "failover" side), but this takes time, and in case of a real failover they are just not there.

The side question, after observing 'systat -s1 states', is WHY does the "failover" side double the exp. time?? I would rather expect it to be a "copy" of the current state of the master.

The question is: am I missing something, or are there people who can point me in the right direction to solve this?

//maxim
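An added example, not from the original post, that models the adaptive timeout scaling described in pf.conf(5) with the numbers quoted above (default state limit 10000, 6k states on the master, the failover box at its limit). The 60%/120% defaults and the linear scaling rule are from pf.conf(5); the state counts are the post's figures, and the functions are constructed here to show how far the two peers' effective timeouts drift apart.

```python
"""Model of pf's adaptive state-timeout scaling (pf.conf(5)).

Added example, not code from the original post or from OpenBSD.
Assumptions: adaptive.start defaults to 60% and adaptive.end to 120% of
'set limit states', and between them every timeout is multiplied by
(adaptive.end - states) / (adaptive.end - adaptive.start), as pf.conf(5)
documents. The state counts used below are the ones quoted in the post.
"""


def adaptive_defaults(state_limit):
    """Default adaptive.start / adaptive.end for a given state limit."""
    return int(state_limit * 0.6), int(state_limit * 1.2)


def scale_factor(states, start, end):
    """Multiplier pf applies to every timeout at a given state count.

    Below adaptive.start nothing is scaled (1.0). At or above adaptive.end
    every timeout becomes zero, so states are purged as soon as they are
    next touched. In between, scaling is linear.
    """
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def effective_timeout(base_seconds, states, start, end):
    """Effective timeout in seconds after adaptive scaling."""
    return base_seconds * scale_factor(states, start, end)


def compare_peers(base_seconds, state_limit, master_states, failover_states,
                  start=None, end=None):
    """Effective timeouts on master and failover for the same base timeout.

    start/end override adaptive.start/adaptive.end; otherwise the defaults
    derived from state_limit are used.
    """
    dstart, dend = adaptive_defaults(state_limit)
    start = dstart if start is None else start
    end = dend if end is None else end
    return {
        "master": effective_timeout(base_seconds, master_states, start, end),
        "failover": effective_timeout(base_seconds, failover_states, start, end),
    }


if __name__ == "__main__":
    # tcp.established defaults to 86400s (24h) in pf.conf(5); master at 6k
    # states, failover at the default 10000 limit (numbers from the post).
    print(compare_peers(86400, 10000, 6000, 10000))
```

With the failover box sitting at the 10000 limit, its established-TCP timeout is already cut to a third of the master's, while a limit of 50k with default adaptive values leaves both peers below adaptive.start and therefore unscaled.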