Res: Dropped Packets

Thread: Res: Dropped Packets

Search this list only Search all lists
Res: Dropped Packets
Brazil	2008-03-07 10:39:32
I DON'T THINK THAT IS A HARDWARE PROBLEM, SOMETIMES THE "CONGESTION RATE" INCREASE TO 1500,0/S AND THE "STATE-MISMATCH" TO 300.0/S.. I DON'T KNOW IF IT IS NORMAL... I THINK THAT THE CONECTIONS IS BEING DROPED WHEN INCREASE A LOT THE NUMBER OF PACKETS ON THE NETWORK. CAN YOU TELL ME ABOUT YOUR FIREWALL ? I WILL NEED TO INSTALL A BIGGEST ONE HERE, AND I'M A LITTLE AFRAID TO DO. CAN YOU SHOW ME SOME CONFIGURATION? THE TRAFFIC OF YOU NETWORK?, HARDWARE? CONECTIONS ? LOOK SOME CONFIGURATIONS.... DO I NEED TO INCREASE SOMETHING ? # PFCTL -SM STATES HARD LIMIT 100000 SRC-NODES HARD LIMIT 10000 FRAGS HARD LIMIT 5000 TABLES HARD LIMIT 1000 TABLE-ENTRIES HARD LIMIT 200000 # TOP LOAD AVERAGES: 0.20, 0.12, 0.09 13:29:40 35 PROCESSES: 34 IDLE, 1 ON PROCESSOR CPU0 STATES: 0.6% USER, 0.0% NICE, 0.7% SYSTEM, 0.0% INTERRUPT, 98.7% IDLE CPU1 STATES: 0.1% USER, 0.0% NICE, 0.2% SYSTEM, 0.0% INTERRUPT, 99.7% IDLE # VMSTAT -I INTERRUPT TOTAL RATE IRQ0/CLOCK 257506609 199 IRQ0/IPI 183393879 142 IRQ81/EM0 8638587188 6706 IRQ83/SKC0 6011660768 4667 IRQ80/FXP0 2292732543 1779 IRQ64/AHC0 7012560 5 IRQ112/PCKBC0 8 0 TOTAL 17390893555 13501 # PFCTL -SI STATE TABLE TOTAL RATE CURRENT ENTRIES 5005 SEARCHES 30026832082 441000.4/S INSERTS 406964726 5977.0/S REMOVALS 406959721 5977.0/S COUNTERS MATCH 417436387 6130.8/S BAD-OFFSET 0 0.0/S FRAGMENT 1939 0.0/S SHORT 154 0.0/S NORMALIZE 34858 0.5/S MEMORY 0 0.0/S BAD-TIMESTAMP 0 0.0/S CONGESTION 834349 12.3/S IP-OPTION 24 0.0/S PROTO-CKSUM 5572 0.1/S STATE-MISMATCH 491286 7.2/S PROVéRBIOS 1:27 MAS DEUS ESCOLHEU AS COISAS LOUCAS DESTE MUNDO PARA CONFUNDIR AS SáBIAS; E DEUS ESCOLHEU AS COISAS FRACAS DESTE MUNDO PARA CONFUNDIR AS FORTES; ----- MENSAGEM ORIGINAL ---- DE: CHRIS MARLATT <CMARLATTRXSEC.COM> PARA: LORENZ HELLEIS <LORENZHELLEISYAHOO.COM.BR> CC: FREEBSD-PFFREEBSD.ORG ENVIADAS: SEXTA-FEIRA, 7 DE MARçO DE 2008 12:26:03 ASSUNTO: RE: DROPPED PACKETS LORENZ HELLEIS WROTE: > HELLO. > > I HAVE A FIREWALL WITH 75.000 SIMULTANEOUS CONECTIONS, AND I SET THE LIMIT TO 100.000. > > I THINK THE HARDWARE IS OK, BUT WHEN INCREASE THE TRAFFIC ON THE NETWORK, SOME CONNECTIONS IS DROPPED. I DID NOT INCREASE OTHER VALUE, LIKE TABLE, SRC-NODES.... HOW DO I KNOW IF IS EVERTHING OK WITH THE OTHER VALUES ? > > WHAT HAPPEN IF THE NUMBER OF CONNECTIONS TOUCH THE LIMIT OF 100.000 ? IT WILL DROP THE IDLE CONECTIONS ? OR WHAT ? > FROM MY EXPERIENCE NEW CONNECTIONS WILL APPEAR TO TIMEOUT AS PF HAS NO MORE SESSIONS AVAILABLE FOR NEW CONNECTIONS. AS SESSIONS DIE OFF ORGANICALLY NEW CONNECTIONS WILL BE PERMITTED BUT THERE IS NOTHING ACTIVELY KILLING OLD / IDLE CONNECTIONS TO MAKE WAY FOR NEW SESSIONS IF THE LIMIT IS REACHED. DEPENDING ON HOW MUCH MEMORY YOU HAVE YOU SHOULD BE FINE INCREASING THE MAX SESSION LIMIT. I'VE HAD SOME OF MY FIREWALLS OVER 1,000,000 SESSIONS WITHOUT A PROBLEM. YOU MAY WANT TO CHECK YOUR SWITCH FOR ERRORS AND WATCH YOUR INTERFACE (NETSTAT -I IFACE -ND 1) TO SEE WHEN/WHERE YOUR DROPS ARE. WHAT KIND OF CPU USAGE ARE YOU SEEING WHEN YOU START DROPPING THE PACKETS? REGARDS, CHRIS ABRA SUA CONTA NO YAHOO! MAIL, O úNICO SEM LIMITE DE ESPAçO PARA ARMAZENAMENTO! HTTP://BR.MAIL.YAHOO.COM/ _______________________________________________ FREEBSD-PFFREEBSD.ORG MAILING LIST HTTP://LISTS.FREEBSD.ORG/MAILMAN/LISTINFO/FREEBSD-PF TO UNSUBSCRIBE, SEND ANY MAIL TO "FREEBSD-PF-UNSUBSCRIBEFREEBSD.ORG"

Re: Res: Dropped Packets
Germany	2008-03-07 11:55:52
[ PLEASE DON'T TOP-POST ] ON FRIDAY 07 MARCH 2008, LORENZ HELLEIS WROTE: > I DON'T THINK THAT IS A HARDWARE PROBLEM, SOMETIMES THE "CONGESTION > RATE" INCREASE TO 1500,0/S AND THE "STATE-MISMATCH" TO 300.0/S.. I > DON'T KNOW IF IT IS NORMAL... > > I THINK THAT THE CONECTIONS IS BEING DROPED WHEN INCREASE A LOT THE > NUMBER OF PACKETS ON THE NETWORK. > > > > CAN YOU TELL ME ABOUT YOUR FIREWALL ? I WILL NEED TO INSTALL A BIGGEST > ONE HERE, AND I'M A LITTLE AFRAID TO DO. CAN YOU SHOW ME SOME > CONFIGURATION? THE TRAFFIC OF YOU NETWORK?, HARDWARE? CONECTIONS ? > > LOOK SOME CONFIGURATIONS.... DO I NEED TO INCREASE SOMETHING ? > > > # PFCTL -SM > STATES HARD LIMIT 100000 > SRC-NODES HARD LIMIT 10000 > FRAGS HARD LIMIT 5000 > TABLES HARD LIMIT 1000 > TABLE-ENTRIES HARD LIMIT 200000 > > > # TOP > > LOAD AVERAGES: 0.20, 0.12, 0.09 > 13:29:40 35 PROCESSES: 34 IDLE, 1 ON PROCESSOR > CPU0 STATES: 0.6% USER, 0.0% NICE, 0.7% SYSTEM, 0.0% INTERRUPT, > 98.7% IDLE CPU1 STATES: 0.1% USER, 0.0% NICE, 0.2% SYSTEM, 0.0% > INTERRUPT, 99.7% IDLE > > # VMSTAT -I > > INTERRUPT TOTAL RATE > IRQ0/CLOCK 257506609 199 > IRQ0/IPI 183393879 142 > IRQ81/EM0 8638587188 6706 > IRQ83/SKC0 6011660768 4667 > IRQ80/FXP0 2292732543 1779 THESE INTERRUPT NUMBERS DON'T SEEM TO MATCH UP WITH THE ABOVE LOAD NUMBERS. I'D EXPECT A HIGHER INTERRUPT LOAD. YOU COULD ALSO TRY TO REPLACE THE SK(4) ADAPTER WITH ANOTHER EM(4) OR THE LIKE? I HAVE HAD TROUBLE WITH SK(4) IN THE PAST. > IRQ64/AHC0 7012560 5 > IRQ112/PCKBC0 8 0 > TOTAL 17390893555 13501 > > # PFCTL -SI > > STATE TABLE TOTAL RATE > CURRENT ENTRIES 5005 > SEARCHES 30026832082 441000.4/S 441KPPS ARE QUITE A LOAD! AND THIS IS WITH ONLY 5000 CONNECTIONS. WHILE FREEBSD CAN FORWARD 1MPPS AND MORE ON COMMODITY HARDWARE 500-700KPPS IS PROBABLY THE LIMIT WITH (SENSIBLE) FIREWALLING. IT'D BE SURPRISED IF YOU COULD DO SIGNIFICANTLY BETTER WITH ANYTHING ELSE. N.B. THAT THIS COULD BE IMPROVED BY USING FINE GRAINED LOCKING FOR PF - THIS IS ON MY TODO LIST FOR QUITE SOME TIME, BUT I DIDN'T YET GET TO IT. > INSERTS 406964726 5977.0/S > REMOVALS 406959721 5977.0/S > COUNTERS > MATCH 417436387 6130.8/S > BAD-OFFSET 0 0.0/S > FRAGMENT 1939 0.0/S > SHORT 154 0.0/S > NORMALIZE 34858 0.5/S > MEMORY 0 0.0/S > BAD-TIMESTAMP 0 0.0/S > CONGESTION 834349 12.3/S > IP-OPTION 24 0.0/S > PROTO-CKSUM 5572 0.1/S > STATE-MISMATCH 491286 7.2/S > > > > > > PROVéRBIOS 1:27 > > MAS DEUS ESCOLHEU AS COISAS LOUCAS DESTE MUNDO PARA CONFUNDIR AS > SáBIAS; E DEUS ESCOLHEU AS COISAS FRACAS DESTE MUNDO PARA CONFUNDIR AS > FORTES; > > ----- MENSAGEM ORIGINAL ---- > DE: CHRIS MARLATT <CMARLATTRXSEC.COM> > PARA: LORENZ HELLEIS <LORENZHELLEISYAHOO.COM.BR> > CC: FREEBSD-PFFREEBSD.ORG > ENVIADAS: SEXTA-FEIRA, 7 DE MARçO DE 2008 12:26:03 > ASSUNTO: RE: DROPPED PACKETS > > LORENZ HELLEIS WROTE: > > HELLO. > > > > I HAVE A FIREWALL WITH 75.000 SIMULTANEOUS CONECTIONS, AND I SET THE > > LIMIT TO 100.000. > > > > I THINK THE HARDWARE IS OK, BUT WHEN INCREASE THE TRAFFIC ON THE > > NETWORK, SOME CONNECTIONS IS DROPPED. I DID NOT INCREASE OTHER > > VALUE, LIKE TABLE, SRC-NODES.... HOW DO I KNOW IF IS EVERTHING OK > > WITH THE OTHER VALUES ? > > > > WHAT HAPPEN IF THE NUMBER OF CONNECTIONS TOUCH THE LIMIT OF 100.000 ? > > IT WILL DROP THE IDLE CONECTIONS ? OR WHAT ? > > FROM MY EXPERIENCE NEW CONNECTIONS WILL APPEAR TO TIMEOUT AS PF HAS NO > MORE SESSIONS AVAILABLE FOR NEW CONNECTIONS. AS SESSIONS DIE OFF > ORGANICALLY NEW CONNECTIONS WILL BE PERMITTED BUT THERE IS NOTHING > ACTIVELY KILLING OLD / IDLE CONNECTIONS TO MAKE WAY FOR NEW SESSIONS IF > THE LIMIT IS REACHED. > > > DEPENDING ON HOW MUCH MEMORY YOU HAVE YOU SHOULD BE FINE INCREASING THE > MAX SESSION LIMIT. I'VE HAD SOME OF MY FIREWALLS OVER 1,000,000 > SESSIONS WITHOUT A PROBLEM. > > YOU MAY WANT TO CHECK YOUR SWITCH FOR ERRORS AND WATCH YOUR INTERFACE > (NETSTAT -I IFACE -ND 1) TO SEE WHEN/WHERE YOUR DROPS ARE. WHAT KIND OF > CPU USAGE ARE YOU SEEING WHEN YOU START DROPPING THE PACKETS? > > REGARDS, > > CHRIS > > > > > > > ABRA SUA CONTA NO YAHOO! MAIL, O úNICO SEM LIMITE DE ESPAçO PARA > ARMAZENAMENTO! HTTP://BR.MAIL.YAHOO.COM/ > _______________________________________________ > FREEBSD-PFFREEBSD.ORG MAILING LIST > HTTP://LISTS.FREEBSD.ORG/MAILMAN/LISTINFO/FREEBSD-PF > TO UNSUBSCRIBE, SEND ANY MAIL TO "FREEBSD-PF-UNSUBSCRIBEFREEBSD.ORG" -- /" BEST REGARDS, \| MLAIERFREEBSD.ORG / MAX LAIER \| ICQ #67774661 X HTTP://PF4FREEBSD.LOVE2PARTY.NET/ \| MLAIEREFNET / ASCII RIBBON CAMPAIGN \| AGAINST HTML MAIL AND NEWS

[1-2]

about | contact Other archives ( Real Estate discussion Medical topics )