Standby unit crashing intermittently

  • Hi,

    Have a CARP cluster running two ix interfaces (with a bunch of vlans) for data and a bge interface for pfsync. All hardware offloading on the interfaces disabled in web interface. mbufs increased to 1,000,000 in web interface. Recently configured OpenVPN on them, but not really using it yet. OpenVPN-client-export package installed - no other packages installed. Nothing suspicious in loader.conf or loader.conf.local:




    The same things are in the files in the primary unit (except "legal.intel_ipw.license_ack=1" in loader.conf.local, but I'm not sure I even need that?)

    The failover unit crashes intermittently. Over the last few days it's happened a few times every day. Runs fine for maybe 20 hours, then crashes two or three times in a row. It crashed just now, and I have submitted a crash report.

    Anything I should look for in the configuration?

    Update: I forgot to mention that I have also recently configured two limiters and used them in one firewall rule involving an alias. I just read that another user also experienced crashes on the failover unit after configuring limiters.

    Oh, and the crash report ought to be from (or 202 depending on it using CARP or not to send these reports).

  • Rebel Alliance Developer Netgate

    Limiters and pfsync will cause crashes.

  • Thank you for the quick reply. Nice to know that it is a known problem and being worked on.

    Can I achieve the following without using limiters:

    A certain group of servers must not exceed 10 mbps total bandwidth fetching data from a specific group of ranges of public IPs.


  • Rebel Alliance Developer Netgate

    No, that would require limiters. If you really need limiters, you can disable pfsync. The downside is that a failover would not be seamless, states-wise. Connections would be interrupted but they could immediately reconnect.

  • Thanks. I'll disable pfsync until you have a fix out. Seems to be the lesser of two evils and only connection-oriented sessions (RDP, ssh and such) will have to be manually reconnected on a failover which is tolerable.

    Thank you for the quick assistance!