As I understand it, preempt is all or nothing. So if I have FW's configured like,
          ISP switch
           /     \
          |       |
        FW1-- DMZ --FW2    [That's one DMZ switch]
          |  switch |
           \      /
          LAN switch

If I wish FW1 to be primary and FW2 to be secondary I set advskew on FW1
to be smaller than FW2.

If I set preempt on both firewalls and I lose power to the DMZ switch, then
both FW1 and FW2 change the advskew to 240. So in this case which is
MASTER? The mentioned carp/INIT bug didn't help here :-)

I don't know the answer as to why. I only know my workaround was to set
preempt on one of the two FW's. So, if I reboot FW2 while it is primary
FW1 will no longer see the carp advertisements and it will take over,
even if it has a downed interface. If I reboot FW1 then FW2 takes over.
If FW1 comes up and the switch is still down, FW2 is still MASTER for
all interfaces.

Is it a workaround to a possible bug? Maybe.

-Steve S.

Per-Olov Sjöholm wrote:
> Does that work?
>
> "man carp" says:
> --snip--
> EXAMPLES
>      For firewalls and routers with multiple interfaces, it is desirable to
>      failover all of the carp interfaces together, when one of the physical
>      interfaces goes down. This is achieved by the preempt option.
>      Enable it on both host A and B:
>
> --snip--
>
> and
>
> --snip--
>      Because of the preempt option, when one of the physical interfaces
>      of host A fails, advskew is adjusted to 240 on all its carp
>      interfaces. This will cause host B to preempt on both interfaces
>      instead of just the failed one.
>
> --snip--
>
>
> Nothing mentioned of one nic on *each* fw!
>
> Everything seems fine if just one or more interfaces go down on ONE server.
>
>
> If a switch goes down and causes let's say DMZ3 to go down, this means both
> firewalls will change their skew to 240, caused by no link on both firewalls'
> NICs for dmz3. This seems to *mostly* work and doesn't break anything else.
> But if you reboot one of the firewalls one or a couple of times you can see
> that a random network (let's say dmz4) sometimes can switch carp
> master/backup with each other.
> When this happens, all other masters and backups seem to be on the correct
> server. This wrong carp master/backup (dmz4) automatically goes back to the
> correct state if I destroy the carp interfaces for my mentioned dmz3 that is
> down, or put in a new switch. All other carp master/backups won't change
> state (as it should be).
>
> And I have the carp patch from dec 26, as I have checked out and patched 3.8
> stable from jan 29 2006.
> The patch in question...
> --snip--
> Completely remove transition path INIT -> MASTER.
> A bug introduced in -r 1.4 led lower prioritized hosts
> switching to MASTER state for a short time at bootup,
> if preemption was enabled.
> --snip--
>
>
> Could it be as you say a race condition? If so... Isn't that a bug? Or is it
> just wrong thinking of me? Is it maybe better to always have preempt only
> set on one fw? There is something called "virtual carp groups". All my carp
> groups (ifconfig -a) say "carp". Maybe that means that all my carps are in
> the same group, which I don't understand the purpose of. Can playing with
> carp groups change the behavior of what we are discussing?
>
>
> Sorry for not really getting it all...
>
> Tnx
> /Per-Olov
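To make the advskew arithmetic in this thread concrete, here is an added model (written for this page, not carp(4) code and not from either poster) of which host wins each vhid: a host with a dead physical link and preempt set advertises advskew 240 on all its carp interfaces, the lowest advskew wins, and equal skews are reported as a tie rather than resolved, since the thread leaves that case open. The host names, the vhids isp/dmz/lan and the advskew values 0/100 are assumptions.

```python
# Added model of CARP master election under "preempt": not OpenBSD carp(4) code.
# Assumptions: two hosts FW1/FW2, vhids isp/dmz/lan, advskew 0 and 100, and
# that equal advskews are reported as a tie rather than resolved.

PREEMPT_SKEW = 240  # advskew a preempting host uses on every carp interface once any link is down

def effective_skew(host, vhid):
    """advskew this host advertises on vhid, or None if that link is down."""
    if not host["link"][vhid]:
        return None  # no link on this vhid: the host cannot be MASTER there
    if host["preempt"] and not all(host["link"].values()):
        return PREEMPT_SKEW  # preempt: one dead link raises advskew on all vhids
    return host["advskew"]

def elect(hosts):
    """Return {vhid: winner}; 'none' if no host has link, 'tie' on equal skew."""
    result = {}
    for vhid in hosts[0]["link"]:
        cands = [(effective_skew(h, vhid), h["name"]) for h in hosts]
        cands = [(s, n) for s, n in cands if s is not None]
        if not cands:
            result[vhid] = "none"
            continue
        best = min(s for s, _ in cands)  # lowest advskew wins
        winners = [n for s, n in cands if s == best]
        result[vhid] = winners[0] if len(winners) == 1 else "tie"
    return result

def scenario(fw1_preempt, fw2_preempt, down_links, fw2_up=True):
    """down_links: constructed set of (host, vhid) whose physical link is down."""
    vhids = ["isp", "dmz", "lan"]
    def host(name, skew, preempt):
        return {"name": name, "advskew": skew, "preempt": preempt,
                "link": {v: (name, v) not in down_links for v in vhids}}
    hosts = [host("FW1", 0, fw1_preempt)]
    if fw2_up:  # a rebooting FW2 sends no advertisements at all
        hosts.append(host("FW2", 100, fw2_preempt))
    return elect(hosts)

if __name__ == "__main__":
    dmz_switch_dead = {("FW1", "dmz"), ("FW2", "dmz")}
    print("FW1 loses its DMZ nic, preempt on both:", scenario(True, True, {("FW1", "dmz")}))
    print("DMZ switch dead, preempt on both:      ", scenario(True, True, dmz_switch_dead))
    print("DMZ switch dead, preempt on FW1 only:  ", scenario(True, False, dmz_switch_dead))
    print("DMZ switch dead, FW2 rebooting:        ", scenario(True, False, dmz_switch_dead, fw2_up=False))
```

The second case is the one the thread asks about (both hosts at 240, so no deterministic master on the surviving vhids); the third is Steve's one-sided preempt workaround, where FW2 keeps its configured skew and wins everything it still has link on.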