Re: Odd CARP behavior

2011-05-20 Thread MAROUNI Abbass

Hello,

We had the same problem a few weeks ago, where one interface on the 
backup machine decides to become master.
This will create an ARP conflict as both machines will respond to the 
ARP request, and that will make it very slow.


The first thing to check is whether the two interfaces see each other: 
are they receiving the CARP messages? Do a tcpdump and find out if the 
CARP packets are received (they will be marked as VRRP in Wireshark).
Next, check your firewall rules (pf.conf if you are using it) and make sure 
that you pass carp packets (add these rules after the global block rule).


After resolving this issue, use ifstated, which comes with OpenBSD, to force 
MASTER/MASTER interfaces on the machine that becomes MASTER.



On 20/05/11 00:57, Gary Thornock wrote:

My previous company has a pair of firewalls running OpenBSD 4.4 with
CARP.  They've been running with no problem since just after the 4.4
release, until the last couple of days.

Now, the firewall that should be in BACKUP state has somehow decided
that it needs to be MASTER for some, but not all, of the CARP interfaces,
even though the master machine is running fine.  Something like this:


if      machine 1   machine 2
carp0   MASTER      BACKUP
carp1   MASTER      BACKUP
carp2   MASTER      MASTER
carp3   MASTER      BACKUP
carp4   MASTER      MASTER


The interfaces where both machines try to be MASTER at the same time
become unreliable or unreachable.

I looked around Google but couldn't turn up any reports of similar
issues.  Admittedly I might have been searching for the wrong terms,
though.

Any ideas as to what could be causing this problem?  They're likely
to rebuild both machines in the next week or so, either with 4.6 (so
they can keep their existing pf.conf) or with 4.9 so as to be current,
but they'd like some assurance that a rebuild will actually solve the
problem.  (If it were, say, a failing NIC, updating the software
wouldn't help.)

For whatever it's worth, the machines in question are Poweredge R200s,
with the two on-board Broadcom gigabit ports and an additional Intel
gigabit card for pfsync.  They're running the i386 rather than the
amd64 version of OpenBSD.

Thanks in advance for any suggestions.




--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org



ifstated

2011-04-22 Thread MAROUNI Abbass

Hello,

I have some problems with ifstated.

First of all I understood that the main task of the default config file 
for ifstated (/etc/ifstated.conf) is to prevent the MASTER/BACKUP 
situation, and to force the MASTER/MASTER if a carp interface fails on 
the master firewall that uses carp.


The problem is that the default config file doesn't seem to work :s (of 
course after changing the IP addresses).


The backup firewall keeps oscillating between the backup and promoted 
states.


Has anyone managed to get this thing to work??

Any ideas why ??

We used the default config file, only changing the IP addresses in the net 
and peer definitions.


Thanks.

--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org



CARP compatibility

2011-04-19 Thread MAROUNI Abbass

Hello,

We have two OpenBSD installations, a 4.6 and a 4.8.

We set up CARP between the two machines, but things are not working properly.

On the internal side of the network we have this (ifconfig -A):

Router 1
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 100
        groups: carp

Router 2
carp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: INIT carpdev em1 vhid 1 advbase 1 advskew 0
        groups: carp

while on the external side we have:

Router 1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        priority: 0
        carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 100
        groups: carp

Router 2
carp1: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        priority: 0
        carp: INIT carpdev none vhid 2 advbase 1 advskew 0
        groups: carp


We turned off carp0.

As you can see things are messed up.

Does that have something to do with the different OpenBSD versions??

Has anyone had the same issues, where the interface that is meant to be 
BACKUP is the MASTER?


Thanks.

--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org
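The MASTER/MASTER check from the "Odd CARP behavior" thread, applied to `ifconfig` output like the one above, as an added example that is not code from any poster: it parses the carp stanzas saved from two hosts (assumed to be captured with `ifconfig -A` on each machine) and flags the conditions these posts describe, both hosts MASTER on the same interface, a vhid mismatch, and a `carpdev none` interface. The sample output is constructed, modelled on the Router 1 / Router 2 listings above.

```python
import re

# Patterns for the carp stanza lines in OpenBSD `ifconfig -A` output.
IFACE_RE = re.compile(r"^(carp\d+): flags=")
CARP_RE = re.compile(r"^\s*carp: (\S+) carpdev (\S+) vhid (\d+) advbase \d+ advskew (\d+)")

# Constructed sample modelled on the Router 1 / Router 2 output above (not a real capture).
ROUTER1 = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tcarp: MASTER carpdev em1 vhid 1 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tcarp: MASTER carpdev em0 vhid 2 advbase 1 advskew 100
"""
ROUTER2 = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tcarp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0
carp1: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
\tcarp: INIT carpdev none vhid 2 advbase 1 advskew 0
"""

def parse_carp(text):
    """Map each carpN interface to its state, carpdev, vhid and advskew."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None and CARP_RE.match(line):
            s, dev, vhid, skew = CARP_RE.match(line).groups()
            cur.update(state=s, carpdev=dev, vhid=int(vhid), advskew=int(skew))
    return ifaces

def check_pair(a, b):
    """Compare both hosts' carp interfaces; return a list of (ifname, problem)."""
    findings = []
    for ifn in sorted(set(a) | set(b)):
        ia, ib = a.get(ifn), b.get(ifn)
        if not ia or not ib:
            findings.append((ifn, "configured on only one host"))
            continue
        if ia["state"] == ib["state"] == "MASTER":
            findings.append((ifn, "split brain: MASTER on both hosts, both answer ARP"))
        if ia["vhid"] != ib["vhid"]:
            findings.append((ifn, "vhid mismatch: %d vs %d" % (ia["vhid"], ib["vhid"])))
        for host, i in (("A", ia), ("B", ib)):
            if i["carpdev"] == "none":
                findings.append((ifn, "host %s: carpdev none, no parent to advertise on" % host))
    return findings
```

Run `check_pair(parse_carp(ROUTER1), parse_carp(ROUTER2))` to get the findings; a split-brain finding on an interface is the case where tcpdump on the carpdev should then show whether the peer's CARP advertisements (IP protocol 112) are arriving at all.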



CARP

2011-04-04 Thread MAROUNI Abbass

Hello,

We have an OpenBSD firewall and we are planning to use CARP to add 
redundancy.

I have a question:
The firewall is a production firewall, so we can't take it out of 
production for a long time.


I read somewhere that the following is possible:

Use the current IP address of the main firewall as the virtual IP 
address of the redundancy group ?


In this case all I need to do is to install the new firewall, set up the 
pf rules and other interfaces, and finally use the production firewall's 
IP address as the virtual one, so as to avoid losing connectivity.


Has anyone tried this before?
Any notes or precautions?

Thanks

--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org