You might try pulling down if_pfsync.c from -current, or flush states much sooner on failover with pf.conf (adaptive.start adaptive.end).

//maxim

On Nov 9, 2011, at 9:49 AM, ML mail wrote:

> Hi,
>
> I am running OpenBSD 5.0 amd64 on two firewalls using CARP (one master
> and one backup) for redundancy/fail-over purposes. Now on the backup firewall I
> noticed that the states synchronised using pfsync on a dedicated NIC with a
> cross-over cable are at least twice as many as on the master firewall. So for
> example right now there are 15k states on the master firewall and 40k on the
> backup firewall. From my understanding these numbers should pretty much
> correlate.
>
> I don't have the feeling I've been doing anything wrong either, as
> I have informed myself about how to configure CARP and have been running it
> successfully before using OpenBSD 4.4 (I just re-installed with OpenBSD 5.0).
> Just in case, here are the relevant hostname.* config files:
>
> # /etc/hostname.em7 (master fw)
> inet 10.10.10.1 255.255.255.0
>
> # /etc/hostname.em7 (backup fw)
> inet 10.10.10.2 255.255.255.0
>
> # /etc/hostname.pfsync0 (master fw)
> up syncpeer 10.10.10.2 syndev em7
>
> # /etc/hostname.pfsync0 (backup fw)
> up syncpeer 10.10.10.1 syndev em7
>
> Could it be that my cross-over cable is somehow faulty? Or my config is wrong?
>
> Thanks for the feedback.
>
> Regards,
> ML