After these threads it's now much clearer to me. I think I now have the same view of it as you (I hope): Two firewalls boot with preempt set to 1. FWA with all carp masters, and FWB with all carp backups (advskew 100). If the dmz3 switch is without power, both FWA and FWB change advskew to 240. As both have the same advskew value of 240 we should be fine here, and FWA should hopefully hold all carp masters and FWB all carp backups as before (is this correct?). Correct or not, it seems to be so for me in 99% of all situations. But sometimes a random network just changes master/backup, so FWA holds all masters except one, and FWB holds all backups except one that it's master for. An "ifconfig destroy" of the FWA and FWB carps for dmz3 makes the other randomly changed carp go back to its normal state (and advskew goes back as well).
It smells like a random race condition problem that occurs only with interfaces down on both firewalls, and a possible bug. I will look more into your workaround. In the above case you would have set preempt on FWA only, right? Btw, do you know if this is known by anyone else?

/Per-Olov

On Thursday 02 February 2006 23.04, Steven S wrote:
> As I understand it, preempt is all or nothing. So if I have FW's configured
> like,
>
>              ISP switch
>              /        \
>        FW1-- DMZ --FW2   [That's one DMZ switch]
>         |   switch   |
>              \        /
>              LAN switch
>
> If I wish FW1 to be primary and FW2 to be secondary I set advskew on FW1 to
> be smaller than FW2. If I set preempt on both firewalls and I lose power
> to the DMZ switch, then both FW1 and FW2 change the advskew to 240. So in this
> case which is MASTER? The mentioned carp/INIT bug didn't help here :-) I
> don't know the answer as to why. I only know my workaround was to set
> preempt on one of the two FW's. So, if I reboot FW2 while it is primary,
> FW1 will no longer see the carp advertisements and it will take over, even
> if it has a downed interface. If I reboot FW1 then FW2 takes over. If FW1
> comes up and the switch is still down, FW2 is still MASTER for all
> interfaces. Is it a work around to a possible bug? Maybe.
>
> -Steve S.
>
> Per-Olov Sjöholm wrote:
> > Does that work?
> >
> > "man carp" says:
> > --snip--
> > EXAMPLES
> >      For firewalls and routers with multiple interfaces, it is desirable to
> >      failover all of the carp interfaces together, when one of the physical
> >      interfaces goes down. This is achieved by the preempt option.
> >      Enable it on both host A and B:
> >
> > --snip--
> >
> > and
> >
> > --snip--
> >      Because of the preempt option, when one of the physical interfaces
> >      of host A fails, advskew is adjusted to 240 on all its carp
> >      interfaces. This will cause host B to preempt on both interfaces
> >      instead of just the failed one.
> >
> > --snip--
> >
> > Nothing mentioned of one NIC on *each* fw!
> >
> > Everything seems fine if just one or more interfaces go down on ONE server.
> >
> > If a switch goes down and causes, let's say, DMZ3 to go down, this
> > means both firewalls will change their skew to 240, caused by no link
> > on both firewalls' NICs for dmz3. This seems to *mostly* work and
> > doesn't break anything else. But if you reboot one of the firewalls
> > one or a couple of times you can see
> > that a random network (let's say dmz4) sometimes can switch carp
> > master/backup with each other. When this happens, all other masters
> > and backups seem to be on the correct server. This wrong carp
> > master/backup (dmz4) automatically goes back to the correct state if
> > I destroy the carp interfaces for my mentioned dmz3 that is down, or put in a new switch.
> > All other carp master/backups won't change state (as it should be).
> >
> > And I have the carp patch from dec 26, as I have checked out and patched 3.8
> > stable from jan 29 2006.
> > The patch in question...
> > --snip--
> > Completely remove transition path INIT -> MASTER.
> > A bug introduced in -r 1.4 led lower prioritized hosts
> > switching to MASTER state for a short time at bootup,
> > if preemption was enabled.
> > --snip--
> >
> > Could it be as you say a race condition? If so... Isn't that a bug? Or is it
> > just wrong thinking of me? Is it maybe better to always have preempt
> > only set on one fw? There is something called "virtual carp groups".
> > All my carp groups (ifconfig -a) say "carp". Maybe that means that all
> > my carps are in the same group, which I don't understand the purpose of. Can playing
> > with carp groups change behavior of what we are discussing?
> >
> > Sorry for not really getting it all...
> >
> > Tnx
> > /Per-Olov
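An added illustration, not part of the thread and not OpenBSD code: a small POSIX sh model of the advskew rule the thread is arguing about. It assumes only what carp(4) and the messages above state: a host with preempt enabled that loses link on any physical interface moves advskew to 240 on all of its carp interfaces; between two live hosts the one with the strictly lower advskew is preferred; equal skews are reported as TIE, because skew alone no longer decides the election (that is the "both at 240" case in which the thread sees a random master). The base skews 0 (FWA) and 100 (FWB) and the three-link layout are taken from the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): model the advskew
# adjustment that the preempt option performs, and the resulting election.

# effective_skew BASE PREEMPT LINKS
#   BASE    configured advskew on this host (FWA 0, FWB 100 in the thread)
#   PREEMPT 1 if net.inet.carp.preempt=1 on this host, else 0
#   LINKS   space-separated link states of its physical interfaces,
#           e.g. "up up down" (constructed input, third link = dmz3)
# Prints the advskew this host will advertise: 240 as soon as one link
# is down and preempt is on, otherwise the configured value.
effective_skew() {
    base=$1; preempt=$2; links=$3
    if [ "$preempt" = 1 ]; then
        for l in $links; do
            if [ "$l" = down ]; then
                echo 240
                return 0
            fi
        done
    fi
    echo "$base"
}

# elect SKEW_A SKEW_B  -> prints A, B or TIE
# Lower advskew wins; equal skews are left undecided here on purpose,
# since that is exactly the situation the thread cannot explain.
elect() {
    if [ "$1" -lt "$2" ]; then
        echo A
    elif [ "$2" -lt "$1" ]; then
        echo B
    else
        echo TIE
    fi
}

# scenario PREEMPT_A PREEMPT_B LINKS_A LINKS_B -> preferred master for the group
scenario() {
    skew_a=$(effective_skew 0   "$1" "$3")
    skew_b=$(effective_skew 100 "$2" "$4")
    elect "$skew_a" "$skew_b"
}

# Walk through the cases discussed in the thread when run directly.
demo() {
    printf 'all links up, preempt on both:        %s\n' "$(scenario 1 1 "up up up"   "up up up")"
    printf 'FWA loses dmz3 only, preempt on both: %s\n' "$(scenario 1 1 "up up down" "up up up")"
    printf 'dmz3 switch dead, preempt on both:    %s\n' "$(scenario 1 1 "up up down" "up up down")"
    printf 'dmz3 switch dead, preempt on FWA only: %s\n' "$(scenario 1 0 "up up down" "up up down")"
    printf 'dmz3 switch dead, preempt on FWB only: %s\n' "$(scenario 0 1 "up up down" "up up down")"
}

case "$0" in *carp_skew*) demo ;; esac
```

Save the block as, for example, carp_skew.sh and run it to print the five cases; the third line is the TIE that corresponds to the switch-without-power situation, while the last two show why Steve's workaround of enabling preempt on only one firewall always yields a decided outcome: only that host's skew moves to 240, so the other keeps a strictly lower value.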
