Hello,
I'm testing an OpenBSD 4.2 firewall with Iperf and I'm experiencing a very

strange behaviour.

What happens is that when I reboot the backup node the connection rate drops

while the backup node is coming back.

Iperf log:

[  3] 233.0-234.0 sec  6.62 MBytes  55.5 Mbits/sec

[  3] 234.0-235.0 sec  6.62 MBytes  55.5 Mbits/sec

[  3] 235.0-236.0 sec  6.62 MBytes  55.5 Mbits/sec

[  3] 236.0-237.0 sec  6.70 MBytes  56.2 Mbits/sec

[  3] 237.0-238.0 sec    288 KBytes  2.36 Mbits/sec

[  3] 238.0-239.0 sec  3.40 MBytes  28.5 Mbits/sec

[  3] 239.0-240.0 sec  0.00 Bytes  0.00 bits/sec

[  3] 240.0-241.0 sec  3.55 MBytes  29.8 Mbits/sec

[  3] 241.0-242.0 sec  0.00 Bytes  0.00 bits/sec

[  3] 242.0-243.0 sec  3.49 MBytes  29.3 Mbits/sec

[  3] 243.0-244.0 sec  0.00 Bytes  0.00 bits/sec

[  3] 244.0-245.0 sec  3.49 MBytes  29.3 Mbits/sec

[  3] 245.0-246.0 sec  2.30 MBytes  19.3 Mbits/sec

[  3] 246.0-247.0 sec  5.23 MBytes  43.9 Mbits/sec

[  3] 247.0-248.0 sec  2.60 MBytes  21.8 Mbits/sec

[  3] 248.0-249.0 sec  5.37 MBytes  45.0 Mbits/sec

[  3] 249.0-250.0 sec  1.28 MBytes  10.7 Mbits/sec

[  3] 250.0-251.0 sec  4.69 MBytes  39.3 Mbits/sec

[  3] 251.0-252.0 sec  4.69 MBytes  39.3 Mbits/sec

[  3] 252.0-253.0 sec  6.62 MBytes  55.5 Mbits/sec

[  3] 253.0-254.0 sec  6.62 MBytes  55.5 Mbits/sec

[  3] 254.0-255.0 sec  6.62 MBytes  55.5 Mbits/sec
That drop in connection is when the rebooted node is coming back ! Iperf is

being tested from one machine behind one firewall interface and another

machine behind another firewall interface. One machine is running Openbsd

and the other Linux.

Is there any reason for this behaviour ? I do not expect the backup node to

have any influence over the flow on active node.
Related to this is a problem with pfsync. Sometimes I get a bad state after

the backup firewall comes back and then Iperf gets totally messed up,

sometimes recovering others not. No difference if psync is configured with

multicast or with syncpeer.

Log from the active node:

Apr 10 06:57:03 inferno /bsd: pfsync: received bulk update request

Apr 10 06:57:04 inferno /bsd: pfsync: bulk update complete

Apr 10 06:57:04 inferno pflogd[23092]: invalid size 484 (116/116), packet

dropped

Apr 10 06:57:11 inferno pflogd[23092]: invalid size 144 (116/116), packet

dropped

Apr 10 06:57:16 inferno last message repeated 3 times

Apr 10 06:57:31 inferno pflogd[23092]: invalid size 484 (116/116), packet

dropped

Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001

xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840

modulator=0] [lo=911995449 high=912001289 win=65535 modulator=0] 4:4 A

seq=2191798936 (2191798936) ack=911995449 len=1460 ackskew=0

pkts=1267241:671313 dir=in,fwd

Apr 10 06:57:31 inferno /bsd: pf: State failure on: 1

Apr 10 06:57:31 inferno /bsd: pf: BAD state: TCP xx.xx.xx.4:5001

xx.xx.xx.4:5001 xx.xx.xx.5:43558 [lo=2191798936 high=2191798936 win=5840

modulator=0] [lo=911995449 high=912001289 win=65535 modulator=0] 4:4 A

seq=2191800396 (2191800396) ack=911995449 len=1460 ackskew=0

pkts=1267241:671313 dir=in,fwd

Apr 10 06:57:31 inferno /bsd: pf: State failure on: 1
If I destroy pfsync interface in the master node, this problem doesn't occur

(that's what I expected to happen).
Any clue of what is happening here ?
Thanks,

John