On 12/30/2010 08:43 PM, Johan Fredin wrote:
> On 30 dec 2010, at 19:58, Alessandro Baggi wrote:
>
>    
>> Hi list. I've installed two firewalls, 1 master and 1 backup. Trying some 
>> tests to see if carp and pfsync work, I get this issue: fw master works, all 
>> network connections work, then I disconnect the external interface cable of 
>> fw1 and carp0 goes into INIT, carp1 into BACKUP and carp2 into BACKUP; on fw2, 
>> carp0, carp1 and carp2 become MASTER. After 5/10 seconds, still with the cable 
>> disconnected, the carp0 of firewall 1 is in INIT, carp1 and carp2 return to 
>> MASTER, and on fw2 the carp0 is MASTER and carp1, carp2 become BACKUP, and 
>> every 5/10 seconds fw1: carp0 INIT carp1 MASTER carp2 MASTER, after 5/10 
>> seconds fw1 becomes carp0 INIT carp1 BACKUP carp2 BACKUP and so on.
>>      
> [.. snip ..]
>
>    
>> FW1 [MASTER]: net.inet.carp.preempt=1
>> FW2 [BACKUP]: net.inet.carp.preempt=0  (tried also with 1)
>>      
> [.. snip ..]
>
>    
>> I don't understand why carp0 carp1 and carp2 switch every 5/10 sec between 
>> master and backup.....some issue?
>>
>> thanks in advance
>>      
> Afaik, the sysctl value net.inet.carp.preempt should be set to the same value 
> on both nodes. Are you sure you see the same behavior if you set that value 
> to 0 on both nodes, or alternatively to 1?
>
> /Johan
>
>
>    
Hi Johan. Thanks for the reply. I've already tried setting 
net.inet.carp.preempt=1 on each firewall and the problem is the same. Now I've 
tried setting them to 0, and it seems to work. My question is, why does it 
not work when net.inet.carp.preempt is set to 1 on each firewall?
From the OpenBSD FAQ:

net.inet.carp.preempt
    Allow hosts within a redundancy group that have a better advbase and
    advskew to preempt the master. In addition, this option also enables
    failing over a group of interfaces together in the event that one
    interface goes down. If one physical CARP-enabled interface goes
    down, CARP will increase the demotion counter, carpdemote, by 1 on
    interface groups that the carp(4) interface is a member of, in
    effect causing all group members to fail-over together.
    net.inet.carp.preempt is 0 (disabled) by default. 

Another issue, but with preempt enabled: removing the $ext iface cable, 
carp0 goes into INIT and it must force carp(0/1/2) to go into backup mode. 
Why is there not this behaviour?

With preemption disabled, if an interface goes down, do the group members 
fail over together?
Another question: is it the same thing to set all firewalls to 1 or to 0? 
Preempt allows a fw that was master to become master again ahead of the 
other backups, if its advbase and advskew are better than theirs, but if 
it is disabled, the master without preempt can't become master again 
without a carpdemote for the carp group? Is this the difference between 
1 and 0?


Thanks in advance.
