top post... ok
I *think* I have tracked it down...
I had dmz4-dmz6 100% configured but no cables connected to the switch. The
carp interfaces for them were in init state as they could not talk to each
other. Although it all seemed to work as it should for all other interfaces.
This means all
Right. When preempt is set any carp interface which has a real interface
down causes all carps to use 240 for the skew. At this point I think it is
simply a race to see which interface takes MASTER. That is why I used
preempt on only one FW. This ensures that, in a situation like the one
As I understand it, preempt is all or nothing. So if I have FWs configured
like,
      ISP switch
       /      \
      |        |
     FW1-- DMZ --FW2   [That's one DMZ switch]
      |  switch  |
       \      /
      LAN switch
If I wish FW1 to be primary and FW2 to be secondary I set advskew on FW1 to
be
I had a similar issue. I ended up using net.inet.carp.preempt=1 on the
primary firewall and net.inet.carp.preempt=0 on the secondary.
If the primary has an issue, the secondary becomes the master on all
interfaces. I must confess I haven't fully tested the configuration.
-Steve S.