Does that work?

"man carp" says:
--snip--
EXAMPLES
     For firewalls and routers with multiple interfaces, it is desirable to
     failover all of the carp interfaces together, when one of the physical
     interfaces goes down.  This is achieved by the preempt option.  Enable it
     on both host A and B:

--snip--

and

--snip--
     Because of the preempt option, when one of the physical interfaces of
     host A fails, advskew is adjusted to 240 on all its carp interfaces.
     This will cause host B to preempt on both interfaces instead of just the
     failed one.

--snip--


Nothing mentioned of one nic on *each* fw!

Everything seems fine if just one or more interfaces go down on ONE server.


If a switch goes down and causes, let's say, DMZ3 to go down, this means both 
firewalls will change their skew to 240, caused by no link on both firewalls' 
NICs for dmz3. This seems to *mostly* work and doesn't break anything else. 
But if you reboot one of the firewalls one or a couple of times you can see 
that a random network (let's say dmz4) sometimes can switch carp 
master/backup with each other. When this happens, all other masters and 
backups seem to be on the correct server. This wrong carp master/backup 
(dmz4) automatically goes back to the correct state if I destroy the carp 
interfaces for my mentioned dmz3 that is down or put in a new switch. All 
other carp master/backups won't change state (as it should be).

And I have the carp patch from Dec 26, as I have checked out and patched 3.8 
stable from Jan 29 2006.
The patch in question...
--snip--
Completely remove transition path INIT -> MASTER.
A bug introduced in -r 1.4 led lower prioritized hosts
switching to MASTER state for a short time at bootup,
if preemption was enabled.
--snip--


Could it be, as you say, a race condition? If so... Isn't that a bug? Or is it 
just wrong thinking on my part? Is it maybe better to always have preempt only 
set on one fw? There is something called "virtual carp groups". All my carp 
groups (ifconfig -a) say "carp". Maybe that means that all my carps are in 
the same group, which I don't understand the purpose of. Can playing with carp 
groups change the behavior of what we are discussing?


Sorry for not really getting it all...

Tnx
/Per-Olov

On Thursday 02 February 2006 19.02, Steven S wrote:
> Right.  When preempt is set any carp interface which has a real interface
> down causes all carps to use 240 for the skew.  At this point I think it is
> simply a race to see which interface takes MASTER.  That is why I used
> preempt on only one FW.  This ensures that, in a situation like the one
> described, only one FW is MASTER (the backup in this case).
>
> -Steve S.
>
> Per-Olov Sjöholm wrote:
> > I had dmz4-dmz6 100% configured but no cables connected to the
> > switch. The carp interfaces for them were in "init" state as they
> > could not talk to each other. Although it all seemed to work as it
> > should for all other interfaces. This means all carp masters on the
> > primary server and all carp backups on the secondary server.
> >
> > But during a reboot of any of the firewalls, or sometimes at random,
> > one carp could change to backup and the other to master. But not on
> > all interfaces! I do not understand why not all networks with carp
> > were infected. Strange.... But as soon as I did an "ifconfig carpNN
> > destroy" on both servers for the not connected interfaces the faulty
> > carp flipped back.
> >
> > So it seems everything has to be connected for 100% correct
> > function. I would very much appreciate it if somebody could tell me why
> > not all carp interfaces flipped over?

-- 
GPG keyID: 4DB2 83CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE
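
A check for the condition described in this thread, as an added example that is not part of the original messages: it reads `ifconfig` output and reports when one firewall is MASTER on some carp interfaces and BACKUP on others, or has interfaces stuck in INIT. The function names, the sample output and the assumed `carp: STATE ... vhid N` status line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise CARP state from ifconfig
# output on stdin and flag the mixed MASTER/BACKUP condition described above.
# Assumes each carp interface has a "carp: STATE ... vhid N ..." status line.

carp_summary() {
    awk '
    /^carp[0-9]+:/ { ifname = $1; sub(/:$/, "", ifname) }
    $1 == "carp:" && ifname != "" {
        vhid = "?"
        for (i = 3; i < NF; i++) if ($i == "vhid") vhid = $(i + 1)
        printf "%s %s vhid=%s\n", ifname, $2, vhid
        count[$2]++
        ifname = ""
    }
    END {
        # SPLIT: this host is master for some vhids and backup for others.
        if (count["MASTER"] > 0 && count["BACKUP"] > 0) v = "SPLIT"
        # DEGRADED: roles are consistent, but an interface is stuck in INIT.
        else if (count["INIT"] > 0) v = "DEGRADED"
        else v = "CONSISTENT"
        printf "verdict=%s master=%d backup=%d init=%d\n", v, count["MASTER"], count["BACKUP"], count["INIT"]
    }'
}

# Constructed sample: primary firewall, carp3 without link, carp4 flipped.
sample_ifconfig() {
    cat <<'EOF'
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        carp: INIT carpdev em3 vhid 3 advbase 1 advskew 0
        groups: carp
carp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em4 vhid 4 advbase 1 advskew 0
        groups: carp
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
EOF
}

sample_ifconfig | carp_summary
```

On a live firewall the same function can be fed with `ifconfig -a | carp_summary`; running it on both hosts and comparing the per-vhid lines shows which network has swapped roles.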
