5 files changed, 45 insertions, 1 deletions

diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index a65a378..d6f7a2a 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -23,6 +23,17 @@ Sync {
 		# takeover process is completed.
 		#
 		CommitTimeout 180
+
+		#
+		# If the firewall replica goes from primary to backup,
+		# the conntrackd -t command is invoked in the script. 
+		# This command resets the timers of the conntracks that
+		# live in the kernel to this new value. This is useful
+		# to purge the connection tracking table of zombie entries
+		# and avoid clashes with old entries if you trigger 
+		# several consecutive hand-overs.
+		#
+		PurgeTimeout 15
 	}
 
 	#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 6fec9a1..8f4d952 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -16,6 +16,17 @@ Sync {
 		#
 		CommitTimeout 180
 
+		#
+		# If the firewall replica goes from primary to backup,
+		# the conntrackd -t command is invoked in the script. 
+		# This command resets the timers of the conntracks that
+		# live in the kernel to this new value. This is useful
+		# to purge the connection tracking table of zombie entries
+		# and avoid clashes with old entries if you trigger 
+		# several consecutive hand-overs.
+		#
+		PurgeTimeout 15
+
 		# Set Acknowledgement window size
 		ACKWindowSize 20
 	}
diff --git a/doc/sync/keepalived.conf b/doc/sync/keepalived.conf
index c9c8ac1..84f1383 100644
--- a/doc/sync/keepalived.conf
+++ b/doc/sync/keepalived.conf
@@ -9,6 +9,7 @@ vrrp_sync_group G1 {   # must be before vrrp_instance declaration
   }
   notify_master "/etc/conntrackd/primary-backup.sh primary"
   notify_backup "/etc/conntrackd/primary-backup.sh backup"
+  notify_fault "/etc/conntrackd/primary-backup.sh fault"
 }
 
 vrrp_instance VI_1 {
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index d54934a..3ce1fa0 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -9,6 +9,17 @@ Sync {
 		# takeover process is completed.
 		#
 		CommitTimeout 180
+
+		#
+		# If the firewall replica goes from primary to backup,
+		# the conntrackd -t command is invoked in the script. 
+		# This command resets the timers of the conntracks that
+		# live in the kernel to this new value. This is useful
+		# to purge the connection tracking table of zombie entries
+		# and avoid clashes with old entries if you trigger 
+		# several consecutive hand-overs.
+		#
+		PurgeTimeout 15
 	}
 
 	#
diff --git a/doc/sync/primary-backup.sh b/doc/sync/primary-backup.sh
index 27fb1c3..e5331e3 100755
--- a/doc/sync/primary-backup.sh
+++ b/doc/sync/primary-backup.sh
@@ -95,9 +95,19 @@ case "$1" in
     	logger "ERROR: failed to invoke conntrackd -n"
     fi
     ;;
+  fault)
+    #
+    # shorten kernel conntrack timers to remove the zombie entries.
+    #
+    $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+    if [ $? -eq 1 ]
+    then
+    	logger "ERROR: failed to invoke conntrackd -t"
+    fi
+    ;;
   *)
     logger "ERROR: unknown state transition"
-    echo "Usage: primary-backup.sh {primary|backup}"
+    echo "Usage: primary-backup.sh {primary|backup|fault}"
     exit 1
     ;;
 esac