On 26-10-2011 20:32, Maxim Bourmistrov wrote:
> The side question, after observing 'systat -s1 states', is WHY the "failover" side
> doubles the exp. time?? I'd rather expect it to be a "copy" of the current state of the
> master.
Yes, the number of states should be roughly in sync on both firewalls. I'd keep pf.conf in sync too (including all settings). Is the backup firewall really idle on all interfaces? Does it happen without the pfsync mtu changes too? What does "netstat -s -p pfsync" say? What do you see if you capture "pfctl -ss | sort" on both firewalls (at the same time) and diff the outputs?
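The "capture pfctl -ss | sort on both firewalls and diff" step above, written out as an added example that is not part of this thread: the script normalizes two state dumps and reports the states that exist on only one pfsync peer. The two dumps embedded below are constructed, and every address and port in them is hypothetical; on real hosts you would replace them with the output of `pfctl -ss` taken on the master and the backup at the same moment (for instance over ssh from a third box). Plain `pfctl -ss` is used deliberately: the verbose `pfctl -vss` form adds per-state age/expiry and id/creatorid lines that change every second and would have to be stripped before the outputs could be compared.

```sh
#!/bin/sh
# Added example, not code from the original thread. Compare two "pfctl -ss"
# captures (master vs. backup pfsync peer) and list states seen on one side only.
# The sample dumps are constructed; addresses, ports and states are hypothetical.

# Constructed sample of "pfctl -ss" output captured on the master.
MASTER_DUMP='all tcp 192.0.2.10:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 198.51.100.7:40001       MULTIPLE:SINGLE
all tcp 198.51.100.7:443 -> 192.0.2.20:50233       ESTABLISHED:ESTABLISHED
all icmp 192.0.2.10:8 <- 198.51.100.9:8       0:0'

# Constructed sample captured on the backup at the same time: one master state
# never arrived here, and one state exists only on the backup (traffic the
# backup itself saw, which is what "is the backup really idle?" asks about).
BACKUP_DUMP='all tcp 192.0.2.10:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:443 -> 192.0.2.20:50233       ESTABLISHED:ESTABLISHED
all icmp 192.0.2.10:8 <- 198.51.100.9:8       0:0
all udp 192.0.2.10:123 <- 192.0.2.2:123       MULTIPLE:MULTIPLE'

# normalize: squeeze whitespace runs to one space and sort, so column padding
# differences between the two hosts do not show up as spurious diffs.
normalize() {
    tr -s ' \t' ' ' | sed 's/^ //; s/ $//' | sort
}

# count_states DUMP: number of state entries in a dump.
count_states() {
    printf '%s\n' "$1" | normalize | grep -c .
}

# only_in_first DUMP_A DUMP_B: states present in A but absent from B.
# comm(1) needs both inputs sorted, which normalize guarantees.
only_in_first() {
    a=$(mktemp) || exit 1
    b=$(mktemp) || exit 1
    printf '%s\n' "$1" | normalize > "$a"
    printf '%s\n' "$2" | normalize > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# report: the comparison a pfsync operator would want to read.
report() {
    echo "master states: $(count_states "$MASTER_DUMP")"
    echo "backup states: $(count_states "$BACKUP_DUMP")"
    echo "--- only on master (not synced to backup):"
    only_in_first "$MASTER_DUMP" "$BACKUP_DUMP"
    echo "--- only on backup (backup not idle, or stale states):"
    only_in_first "$BACKUP_DUMP" "$MASTER_DUMP"
}

report
```

Equal state counts on both sides do not by themselves prove the tables match, which is why the script reports the set differences in both directions rather than only the totals.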