Joel Knight wrote:
--- Quoting Dag Richards on 2007/03/12 at 18:50 -0700:


Two systems running 4.0 GENERIC#1107 i386 on bge drivers.
They are being used as vpn servers
They are each jacked to their own cisco 2950. The switches are connected to each other with xover cables. Each host can see the other's carp traffic; pf is configured to quick pass carp traffic. Both systems insist on being master. I can ifconfig the desired slave to backup state, but after a couple of seconds it pops back to master.
I am using sasync, the tunnels are all up and traffic flows as expected
though I think that has more to do with pfsync keeping the state tables synced, and the internal interfaces are behaving correctly.


On the slave, what does 'netstat -sp carp' show for packets received?
hsdcert1:root:/root #netstat -sp carp
carp:
        66020 packets received (IPv4)
        26401 packets received (IPv6)
                0 packets discarded for bad interface
                0 packets discarded for wrong TTL
                0 packets shorter than header
                0 discarded for bad checksums
                0 discarded packets with a bad version
                0 discarded because packet too short
                26384 discarded for bad authentication
                39619 discarded for bad vhid
                0 discarded because of a bad address list
        7552 packets sent (IPv4)
        6745 packets sent (IPv6)
                0 send failed due to mbuf memory error

There are a pair of firewalls in the same network with different passwords and vhids. So that should explain the bad auth and bad vhid packet counts.
What do your pf rules look like that are passing carp packets? You're
permitting carp packets on the physical interfaces, correct?
pass out quick log on  { $ext_if $int_if } proto carp
pass in  quick log on  { $ext_if $int_if } proto carp

Yes, these are the physical devs.

I'm quite certain you should not be seeing advertisements on the wire
from both hosts at the same time. The master advertises on a continual
basis. Only during a transition might you see multiple advertisements.
For some reason, your slave box is not seeing the advertisements from
the master.
Hmm, yes, I get the impression that I am not seeing the intended master's packets from the slave. But the dump told me otherwise.
I will put both on the same switch, observe/report the results,
then the patch recommended by Stuart, observe/report.


Thanks
Dag




.joel
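One way to read the counters Joel asked about, as an added example that is not part of this thread: it parses two `netstat -sp carp` snapshots (the first constructed from the numbers quoted above, the second invented as a later reading) and reports which discard reason is growing and whether any advertisement reached the host at all. As Dag notes, growth in the bad-auth and bad-vhid counters can also come from another CARP group on the same segment, so the output is a hint, not a verdict.

```python
import re

# Constructed sample: two snapshots of `netstat -sp carp`. The first copies
# the counters quoted in this thread; the second is an invented later reading.
SNAPSHOT_1 = """carp:
        66020 packets received (IPv4)
        26401 packets received (IPv6)
                0 packets discarded for bad interface
                0 packets discarded for wrong TTL
                26384 discarded for bad authentication
                39619 discarded for bad vhid
        7552 packets sent (IPv4)
"""
SNAPSHOT_2 = """carp:
        66140 packets received (IPv4)
        26401 packets received (IPv6)
                0 packets discarded for bad interface
                0 packets discarded for wrong TTL
                26384 discarded for bad authentication
                39739 discarded for bad vhid
        7612 packets sent (IPv4)
"""

COUNTER_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def parse_carp_stats(text):
    """Map each counter description (e.g. 'discarded for bad vhid') to its value."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats

def carp_deltas(before, after):
    """Counter growth between two snapshots; a key missing on one side counts as 0."""
    a, b = parse_carp_stats(before), parse_carp_stats(after)
    return {k: b.get(k, 0) - a.get(k, 0) for k in set(a) | set(b)}

def diagnose(before, after):
    """Return human-readable findings about CARP reception between the snapshots."""
    d = carp_deltas(before, after)
    received = sum(v for k, v in d.items() if k.startswith("packets received"))
    discarded = sum(v for k, v in d.items() if "discarded" in k)
    findings = []
    if received == 0:
        findings.append("no CARP advertisements reached this host")
    elif received == discarded:
        findings.append("every received advertisement was discarded")
    if d.get("discarded for bad authentication", 0) > 0:
        findings.append("bad authentication: password mismatch, or another CARP group on this segment")
    if d.get("discarded for bad vhid", 0) > 0:
        findings.append("bad vhid: advertisements for a vhid not configured on this host")
    return findings
```

Take the two snapshots a few advertisement intervals apart on the box that refuses to stay backup; if nothing is received, the problem is on the wire or in pf, not in the CARP configuration.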
