Re: carp master <-> backup problem

[Scott McEachern]

Bryan Irvine wrote:
I do believe preempt should be 1 on both servers. Let the advskew
handle which one is primary.
What do you see for output of 'netstat -s -p carp' and 'netstat -s -p pfsync'

-B

  
I tried it with both servers set to preempt=1, with the same results, 
but to double check I did it again.  The results are identical to 
everything I posted previous, except (on the secondary server):

$ sysctl net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2

Per your request:

(on the primary:)
$  netstat -s -p carp
carp:
       226 packets received (IPv4)
       0 packets received (IPv6)
               0 packets discarded for bad interface
               0 packets discarded for wrong TTL
               0 packets shorter than header
               0 discarded for bad checksums
               0 discarded packets with a bad version
               0 discarded because packet too short
               0 discarded for bad authentication
               226 discarded for unknown vhid
               0 discarded because of a bad address list
       387 packets sent (IPv4)
       0 packets sent (IPv6)
               0 send failed due to mbuf memory error
       1 transition to master

(on the secondary:)
$  netstat -s -p carp
carp:
   335 packets received (IPv4)
   0 packets received (IPv6)
       0 packets discarded for bad interface
       0 packets discarded for wrong TTL
       0 packets shorter than header
       0 discarded for bad checksums
       0 discarded packets with a bad version
       0 discarded because packet too short
       0 discarded for bad authentication
       335 discarded for unknown vhid
       0 discarded because of a bad address list
   236 packets sent (IPv4)
   0 packets sent (IPv6)
       0 send failed due to mbuf memory error
   1 transition to master

This was done after a clean reboot (both) and my accessing the site from 
an external shell account I have (using lynx).  The secondary still 
responds first, and when it is taken offline (halt -p), the primary does 
not take over (no answer).  The primary only takes over normal duties 
when the hostname.carp0 file has been renamed on the secondary, the 
secondary has actually been rebooted and sh /etc/netstart has been run 
on the primary.  After the secondary was taken offline, and sh 
/etc/netstart run on the primary, I accessed the site again (the primary 
is then the only carp node), and did this: (from the primary)

$ netstat -s -p carp
carp:
       372 packets received (IPv4)
       0 packets received (IPv6)
               0 packets discarded for bad interface
               0 packets discarded for wrong TTL
               0 packets shorter than header
               0 discarded for bad checksums
               0 discarded packets with a bad version
               0 discarded because packet too short
               0 discarded for bad authentication
               372 discarded for unknown vhid
               0 discarded because of a bad address list
       704 packets sent (IPv4)
       0 packets sent (IPv6)
               0 send failed due to mbuf memory error
       1 transition to master

As for output regarding pfsync, all values are zero because I do not use 
pfsync.  It is a single firewall with two web servers internally, not a 
redundant firewall situation.  No changes have been made to the firewall 
at all.

I'm at my wits end for why this doesn't work.  It *must* be something 
wrong with my config, as I just don't believe it's a "bug" in carp.  
This config is practically straight out of the FAQ so I'm at a total 
loss. :(

FWIW, the pf.conf on the firewall uses these values (which normally work 
fine):
(...)
gw_ext=$ext_ip4 <-- my external IP addy for that web site, I have 5 IPs
gw_int="192.168.0.9" <-- the carp node, or when not using carp, the 
primary web server
#gw_int="192.168.0.19"  <-- for when I manually switch to the secondary 
server
gw_ports="{ 80, 443 }"
int0_if="xl0"
tcp_flags="flags S/SA modulate state"
(...)
not_private="{ \
   !0.0.0.0/8, \
   !10.0.0.0/8, \
   !127.0.0.0/8, \
   !169.254.0.0/16, \
   !172.16.0.0/12, \
   !192.8.2.0/24, \
   !192.168.0.0/16, \
   !240.0.0.0/4, \
   !255.255.255.255/32 \
}"
(...)
rdr on $ext_if proto tcp from $not_private to $gw_ext port \
       $gw_ports -> $gw_int
(...)
pass in log quick on $ext_if inet proto tcp from $not_private to $gw_int \
   port $gw_ports flags S/SA synproxy state
(...)
pass out quick on $int0_if proto tcp from $not_private to $gw_int \
   port $gw_ports $tcp_flags

The firewall config has worked fine and hasn't been changed in ages, but 
I can't help wonder if something there is screwing up carp.  Redoing and 
simplifying the fw rules (using tags) is next on my todo list, but I 
figured I'd get carp working first before changing a "known good" fw 
config and adding another change to the mix.

--

-RSM

http://www.erratic.ca