Our main traffic is 10Gb here so we do move a lot of data. I just changed the pfsync interface from using a direct cable leveraging 1Gb's autosense to connecting to a switch. The interesting thing is that I seem to have recovered some of my lost throughput performance since making that change. Will network speed take a performance hit if they're having trouble synchronizing state? I wouldn't have thought so since the state is created on the primary and then an update sent to the secondary, right?
On Wed, Oct 17, 2012 at 12:52 PM, Tyler Morgan <tyl...@tradetech.net> wrote: > On 10/17/2012 8:51 AM, Bennett Samowich wrote: >> >> I just had an event that I'm having trouble identifying the root cause. >> I'm hoping that someone might have encountered this or might be able to >> point me toward some things to check. >> >> Yesterday we had an event where our primary firewall would stop passing >> traffic. The only thing short of a reboot that would restore service was >> to run 'sh /etc/netstart pfsync0'. Resetting pfsync's physical interface >> or pulling that cable didn't produce results. Only resetting the pfsync0 >> virtual interface would restore service. I'm not even sure what >> information would be helpful to provide or what other questions to ask. I >> also found it odd that the two servers did not show the same number of >> state entries by a difference of anywhere from 100 to 1000s. Is this >> typical? >> >> Thanks, >> Bennett > > > States come and go so depending on the amount of traffic going through the > router, it could be off by a few hundred, or maybe even a few thousand if > you do a lot of traffic. > > I just counted the states (at the exact same time, several times) on some > primary/backup CARP routers using pfsync that push a constant 10-20mbit to > several thousand web clients at any given moment, and the states were within > about 150 of each other consistently. I would say being off by 1000s is > indicative of a problem, but if you push a lot of traffic, it might not be. > > Anyway, you need to post: a full ifconfig, dmesg, and look through > /var/log/messages for anything interesting from CARP or pfsync to get > started. > > Also put your pfsync cabling through a cable tester just to double check it. > I've had a bad pfsync interface cable cause weird problems before. Any > errors on the interface? netstat -in will tell you about errors, not > ifconfig it seems.
