I did not commit the fix for this bug in pfsync yet, but very soon now.
On 9-11-2011 10:30, Maxim Bourmistrov wrote:
> You might test to pull down if_pfsync.c from -current
> or
> flush states much sooner on failover with pf.conf (adaptive.start
> adaptive.end)
>
> //maxim
>
> On Nov 9, 2011, at 9:49 AM, ML mail wrote:
>
>> Hi,
>>
>> I am running OpenBSD 5.0 amd64 on two firewalls using CARP (one master
>> and one backup) for redundancy/fail-over purposes. Now on the backup
>> firewall I noticed that the states synchronised using pfsync on a
>> dedicated NIC with a cross-over cable are at least twice as many as on
>> the master firewall. So for example right now there are 15k states on
>> the master firewall and 40k on the backup firewall. From my
>> understanding these numbers should pretty much correlate.
>>
>> I don't have the feeling I've been doing anything wrong either, as
>> I have documented myself about how to configure CARP and have been
>> running it successfully before using OpenBSD 4.4 (I just re-installed
>> with OpenBSD 5.0). Just in case, here are the relevant hostname.*
>> config files:
>>
>> # /etc/hostname.em7 (master fw)
>> inet 10.10.10.1 255.255.255.0
>>
>> # /etc/hostname.em7 (backup fw)
>> inet 10.10.10.2 255.255.255.0
>>
>> # /etc/hostname.pfsync0 (master fw)
>> up syncpeer 10.10.10.2 syncdev em7
>>
>> # /etc/hostname.pfsync0 (backup fw)
>> up syncpeer 10.10.10.1 syncdev em7
>>
>> Could it be that my cross-over cable is somehow faulty? Or my config
>> is wrong?
>>
>> Thanks for the feedback.
>>
>> Regards,
>> ML
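
Added example, not part of the original thread and not code from any of its participants: a shell check that compares the `current entries` counter from `pfctl -si` on the two firewalls and evaluates the adaptive timeout scaling described in pf.conf(5) for the adaptive.start/adaptive.end suggestion above. The `pfctl -si` excerpts and the adaptive.start/adaptive.end values used are constructed for illustration.

```shell
#!/bin/sh
# Constructed excerpts of `pfctl -si` output (State Table section only),
# using the state counts quoted in the report: 15k on master, 40k on backup.
MASTER_SI='State Table                          Total             Rate
  current entries                    15000
  searches                        91234567          812.4/s'
BACKUP_SI='State Table                          Total             Rate
  current entries                    40000
  searches                          123456            1.1/s'

# Extract the "current entries" counter from `pfctl -si` text.
state_count() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Backup/master state ratio in percent (100 means identical table sizes).
sync_ratio_pct() {
    m=$(state_count "$1"); b=$(state_count "$2")
    [ "$m" -gt 0 ] || { echo "no master states" >&2; return 1; }
    echo $(( b * 100 / m ))
}

# Percent of each configured timeout that pf still applies once adaptive
# scaling is active. pf.conf(5) gives the factor as
#   (adaptive.end - states) / (adaptive.end - adaptive.start)
# with no scaling below adaptive.start and zero timeouts at adaptive.end.
adaptive_pct() {
    states=$1 start=$2 end=$3
    if [ "$states" -le "$start" ]; then echo 100
    elif [ "$states" -ge "$end" ]; then echo 0
    else echo $(( (end - states) * 100 / (end - start) ))
    fi
}

echo "backup holds $(sync_ratio_pct "$MASTER_SI" "$BACKUP_SI")% of master's states"
# Assumed values: adaptive.start 30000, adaptive.end 60000.
echo "timeouts at 40000 states: $(adaptive_pct 40000 30000 60000)% of configured"
```

On a live pair, pass the real `pfctl -si` output from each host to `sync_ratio_pct`; a ratio that stays well above 100 on the backup matches the divergence described in the report.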