Try and get the difference between netstat -sp pfsync with a single ipv6 connection. Does it correspond with any of the packets/states discarded?

On 2010-12-17, Marco Fretz <marco.fr...@gmail.com> wrote:
> Hi,
>
> I have a problem with ipv6 connections and firewalls with enabled
> pfsync defer. IPv4 initial packets are forwarded without noticeable
> delay. IPv6 initial packets are delayed by 0.5-2 seconds.
>
> The situation looks like this:
>
> 2 firewalls at main site
> 2 firewalls at remote site
>
> firewalls are redundant with carp and pfsync.
>
> master firewall (site1) has a gif / ipsec tunnel to master firewall (site2)
> slave firewall (site1) has gif / ipsec tunnel to slave firewall (site2)
>
> ospf is running over the gif tunnels and internal network. defer is
> needed to use both tunnels for redundancy. working great.
>
> currently I just use ipv4 traffic through the gif tunnels and also no
> ospf for ipv6 is running at all.
>
> the firewalls are fully ipv6 enabled and office network and some
> servers at site1 need ipv6 internet access.
>
> unfortunately this ipv6 internet traffic is affected by the "pfsync defer".
>
> site 1
> ~ $ netstat -sp pfsync
> pfsync:
> 65205 packets received (IPv4)
> 0 packets received (IPv6)
> 0 packets discarded for bad interface
> 0 packets discarded for bad ttl
> 0 packets shorter than header
> 0 packets discarded for bad version
> 0 packets discarded for bad HMAC
> 0 packets discarded for bad action
> 0 packets discarded for short packet
> 9261 states discarded for bad values
> 1045 stale states
> 347 failed state lookup/inserts
> 4879875 packets sent (IPv4)
> 0 packets sent (IPv6)
> 0 send failed due to mbuf memory error
> 0 send error
>
> site 2
> ~ $ netstat -sp pfsync
> pfsync:
> 4878073 packets received (IPv4)
> 0 packets received (IPv6)
> 0 packets discarded for bad interface
> 0 packets discarded for bad ttl
> 0 packets shorter than header
> 0 packets discarded for bad version
> 0 packets discarded for bad HMAC
> 0 packets discarded for bad action
> 0 packets discarded for short packet
> 464 states discarded for bad values
> 2037 stale states
> 21950 failed state lookup/inserts
> 483946 packets sent (IPv4)
> 0 packets sent (IPv6)
> 0 send failed due to mbuf memory error
> 0 send error
>
> the delay for ipv6 connections for the initial packet is gone as soon
> I do a "ifconfig pfsync0 -defer".
>
> any ideas?
>
> thanks in advance for any hints on this.
>
> greets
> marco
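
The before/after comparison suggested in the reply at the top of this thread, as an added example that is not part of the original messages: it diffs two saved `netstat -sp pfsync` snapshots and prints only the counters that moved. The function names `pfsync_delta` and `pfsync_delta_demo` are hypothetical, and the snapshot values in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: diff two saved `netstat -sp pfsync` snapshots.

# pfsync_delta BEFORE AFTER
# Prints "<delta><TAB><counter name>" for every counter whose value changed.
pfsync_delta() {
    awk '
        # Counter lines are "<number> <description>"; the "pfsync:" header
        # has no leading number and is skipped by this pattern.
        $1 ~ /^[0-9]+$/ {
            n = $1
            $1 = ""; sub(/^ +/, "")      # $0 is now just the counter name
            if (FILENAME == ARGV[1]) { before[$0] = n; next }
            if (n != before[$0]) printf "%+d\t%s\n", n - before[$0], $0
        }
    ' "$1" "$2"
}

# Demo on constructed snapshots (all values invented for illustration).
# On a live firewall, save `netstat -sp pfsync` to a file, open a single
# IPv6 connection, save it again, then run pfsync_delta on the two files.
pfsync_delta_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
pfsync:
    100 packets received (IPv4)
    0 packets received (IPv6)
    0 packets discarded for bad action
    20 states discarded for bad values
    5 stale states
    7 failed state lookup/inserts
    300 packets sent (IPv4)
EOF
    cat > "$dir/after" <<'EOF'
pfsync:
    102 packets received (IPv4)
    0 packets received (IPv6)
    0 packets discarded for bad action
    21 states discarded for bad values
    5 stale states
    7 failed state lookup/inserts
    303 packets sent (IPv4)
EOF
    pfsync_delta "$dir/before" "$dir/after"
    rm -rf "$dir"
}

pfsync_delta_demo
```

On a busy pair the counters move constantly, so the snapshots should be taken as close around the single test connection as possible and on both peers.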