On Wed, Jun 18, 2008 at 3:05 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> What kind of active-active? There are two kinds:

-snip-

> b) asymmetric or packet-based: typical case of OSPF setups, there are no
> guarantees that the packet is handled by the same firewall replica, as
> OSPF may change the routes at any time. In that case, you have to enable
> CacheWriteThrough. However, from the design point of view,
> conntrackd suits scenario a) better.

I'm using the asymmetric setup: two firewalls connected with BGP to the service provider and, as you mentioned, no way of knowing which firewall handles which packet. But the funny thing is that it's working now :)

Yes, I enabled the CacheWriteThrough option, but I was testing with ICMP. Later I learnt that ICMP is a kind of unreliable protocol, because when I tested with a simple TCP connection it worked fine.

I'm still fiddling around a bit with the ip_conntrack_max sysctl setting because I tend to get dropped packets.

Also, `conntrackd -s` indicated that both nodes failed to destroy connections in the internal cache. These numbers roughly match the other node's successfully destroyed connections:

node1: connections destroyed: 31473050 failed: 7334
node2: connections destroyed: 7441 failed: 31475657

Is this something I need to worry about?

regards,
Sebastian
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
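For readers of the thread: the setting Pablo refers to is a conntrackd.conf option, and the fragment below shows where it sits in a packet-based (asymmetric) active-active configuration. This is an added illustration, not a file from the thread or from the conntrackd project. It assumes the option syntax of the conntrackd generation discussed in this thread (the 0.9.x series, where CacheWriteThrough lived in the General block); the HashSize, HashLimit, socket path and multicast addresses are placeholders, so check them against the conntrackd.conf shipped with your version.

```conf
# Added example, not from the thread. Values marked "assumed" are placeholders.
General {
	# Assumed sizing; tune to your expected number of flows, and keep
	# the kernel's ip_conntrack_max above HashLimit or the table fills
	# before the replica ever learns about the flows.
	HashSize 8192
	HashLimit 65535

	# Asymmetric (packet-based) active-active: either node may see any
	# packet of a flow, so states learned from the peer are written
	# straight into the kernel instead of being parked in the external
	# cache until a failover. Leave this Off for active-backup or
	# flow-based active-active, where the external cache is what you want.
	CacheWriteThrough On

	LockFile /var/lock/conntrack.lock
	UNIX {
		Path /var/run/conntrackd.ctl   # assumed path
		Backlog 20
	}
}

Sync {
	Mode FTFW {
	}
	Multicast {
		IPv4_address 225.0.0.50        # assumed group
		Group 3780
		IPv4_interface 192.168.100.100 # assumed dedicated sync interface
		Interface eth2
	}
}
```

Two caveats a practitioner would want before copying this: the sync interface should be a dedicated, isolated link, because the multicast state traffic is neither authenticated nor encrypted, and after changing the configuration compare `conntrackd -s` on both nodes for a while, since in write-through mode the kernel's own conntrack table, and hence ip_conntrack_max, is what bounds the replicated state.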