Hi Stefan,

       Thanks for the advice. I set the pf state number to 256k. I had around 6-7k everytime I checked but it didn't solve my issue. Is there any way I can see in the logs a more detailed error?

Thank you,

 

Adrian Bucur

Senior System Administrator

NOBEL Ltd.

 

___________________

US:            +1 866 776 6235 ext 6464

RO:            +40 21 211 01 85 ext 6464

Fax:           +40 21 211 04 85

E-mail:        adrian.bucur@nobelglobe.com

IM MSN:     bucur_adrian_ciprian@hotmail.com

Web:          www.nobelglobe.com

 

This e-mail and attachments, if any, may contain confidential and/or proprietary information. Please be advised that the unauthorized use or disclosure of the information is strictly prohibited. The information herein is intended only for use by the intended recipient(s) named above. If you have received this transmission in error, please notify the sender immediately and permanently delete the e-mail and any copies, printouts or attachments thereof.

 



Stefan Lambrev wrote:


Adrian Bucur wrote:
    Well I thought of that in the first place but since the backends
are in the same lan with the server then I cannot see how it can be a
routing issue. The proxy server has an internal interface with an
internal ip address and external interface on which the request are
made. It is as simple as that. The firewall is pf from opnebsd and it
does the nat and redirection perfectly.     I tried the ping and nothe suspicious.     Maybe this is a more general error and it is something from pound.
 
Can you install pftop (or just use pfctl) and see how many active state have in your firewall?
If pound is serving busy site, and you use keep alive (I think pf 4.1 use them by default)
then most probably you reach the max limit of states.
I suggest increasing "set limit states" (default value is 10,000)

IF your firewall is too restrictive it can happen that you block packets that close connection,
and you will reach max limit states very very fast on loaded site.

Also if the connection between pound and backends is done using internal lan yous can
config your firewall to "set skip on $INT_IF", and keep firewalling only on external interface(s)








 
Adrian Bucur Senior System
Administrator
NOBEL Ltd.
 
___________________
US:          
+1 866 776 6235 ext 6464
RO:          
+40 21 211 01 85 ext 6464
Fax:          +40 21 211 04 85
E-mail:       adrian.bucur@nobelglobe.com
IM
MSN:    bucur_adrian_ciprian@hotmail.com
Web:        www.nobelglobe.com
 
This
e-mail and attachments, if any, may contain confidential and/or
proprietary
information. Please be advised that the unauthorized use or disclosure
of the
information is strictly prohibited. The information herein is intended
only for
use by the intended recipient(s) named above. If you have received this
transmission in error, please notify the sender immediately and
permanently
delete the e-mail and any copies, printouts or attachments thereof.
 



Michal Taborsky - Internet Mall wrote:
Adrian Bucur napsal(a):
      Sep 10 11:02:47 pound: backend
xx.xx.xx.xx:80 connect: No route to
    host   Hello Adrian,
    I seriously doubt this has anything to do with pound itself. It looks
to me you have some issues with your network. Are the pound server and
backends on the same network or is there any router between them? Do
you use any dynamic routing like OSPF or RIP? It looks like your pound
looses the route to backends for a while. Or maybe some firewall
reinitialization?
    I suggest you run ping on the pound server to the backend and look for
anything suspicpious around the time this error occurs.
--
To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
Please contact roseg@apsis.ch for questions.