Hi,

I have a problem with ipv6 connections and firewalls with enabled
pfsync defer. IPv4 initial packets are forwarded without noticeable
delay. IPv6 initial packets are delayed by 0.5-2 seconds.

The situation looks like this:

2 firewalls at main site
2 firewalls at remote site

firewalls are redundant with carp and pfsync.

master firewall (site1) has a gif / ipsec tunnel to master firewall (site2)
slave firewall (site1) has gif / ipsec tunnel to slave firewall (site2)

ospf is running over the gif tunnels and internal network. defer is
needed to use both tunnels for redundancy. working great.

currently I just use ipv4 traffic through the gif tunnels and also no
ospf for ipv6 is running at all.

the firewalls are fully ipv6 enabled and office network and some
servers at site1 need ipv6 internet access.

unfortunately this ipv6 internet traffic is affected by the "pfsync defer".

site 1
~ $ netstat -sp pfsync
pfsync:
        65205 packets received (IPv4)
        0 packets received (IPv6)
                0 packets discarded for bad interface
                0 packets discarded for bad ttl
                0 packets shorter than header
                0 packets discarded for bad version
                0 packets discarded for bad HMAC
                0 packets discarded for bad action
                0 packets discarded for short packet
                9261 states discarded for bad values
                1045 stale states
                347 failed state lookup/inserts
        4879875 packets sent (IPv4)
        0 packets sent (IPv6)
                0 send failed due to mbuf memory error
                0 send error

site 2
~ $  netstat -sp pfsync
pfsync:
        4878073 packets received (IPv4)
        0 packets received (IPv6)
                0 packets discarded for bad interface
                0 packets discarded for bad ttl
                0 packets shorter than header
                0 packets discarded for bad version
                0 packets discarded for bad HMAC
                0 packets discarded for bad action
                0 packets discarded for short packet
                464 states discarded for bad values
                2037 stale states
                21950 failed state lookup/inserts
        483946 packets sent (IPv4)
        0 packets sent (IPv6)
                0 send failed due to mbuf memory error
                0 send error

the delay for ipv6 connections for the initial packet is gone as soon
as I do a "ifconfig pfsync0 -defer".

any ideas?

thanks in advance for any hints on this.

greets
marco
