On Thu, 02 Oct 2014 10:37:19 +0100
Andy <a...@brandwatch.com> wrote:

> nat1 will only preempt the nat2 after a fail-over to nat2 if the
> "carp" group and the "pfsync" group have the same demotion counter.
> ifconfig -g carp
> ifconfig -g pfsync
> 
> So if the failover which is happening for some "unknown reason" is
> affecting the demotion counters in any way, preemption back to nat1
> will not happen until you normalise the carp and pfsync groups'
> demotion counters as you say.
> 
> Cheers, Andy.

Hi Andy,

thank you for looking into it. At the moment nat1 is master, nat2 is
backup (desired situation).

On both firewalls demote carp for both groups (carp and pfsync) is 0:

pacija@nat1:~ $ ifconfig -g carp
carp: carp demote count 0
pacija@nat1:~ $ ifconfig -g pfsync
pfsync: carp demote count 0

pacija@nat2:~ $ ifconfig -g carp
carp: carp demote count 0
pacija@nat2:~ $ ifconfig -g pfsync
pfsync: carp demote count 0

If I reboot nat1, nat2 becomes master until nat1 reboots. After that, it
correctly hands the master role to nat1. But in some situations (I don't
know what triggers them, hence their reason is "unknown" to me -
both firewalls are in the same rack, switch, UPS etc.), nat1 hands the master
role to nat2 and waits for days in the backup role. I didn't look at the value
of demote count for pfsync in this situation, but as for carp, they are
1 on nat1 (preferred master), and 0 on nat2 (preferred backup).

Is carp increasing demote counter on preferred master for some reason?
How can I make them normalize automatically?

Regards,
-- 
Marko Cupać
https://www.mimar.rs/
