Re: Odd CARP behavior
Hello,

We had the same problem a few weeks ago, where one interface on the backup machine decides to become master. This will create an ARP conflict as both machines will respond to the ARP request, and that will make it very slow.

The first thing to check is whether the two interfaces see each other: are they receiving the CARP messages? Do a tcpdump and find out if the CARP packets are received (they will be marked as VRRP in Wireshark).

Next, check your firewall rules (pf.conf if you are using it) and make sure that you pass CARP packets (add these rules after the global block rule).

After resolving this issue, use ifstated, which comes with OpenBSD, to force MASTER/MASTER interfaces on the machine that becomes MASTER.

On 20/05/11 00:57, Gary Thornock wrote:

My previous company has a pair of firewalls running OpenBSD 4.4 with CARP. They've been running with no problem since just after the 4.4 release, until the last couple of days. Now, the firewall that should be in BACKUP state has somehow decided that it needs to be MASTER for some, but not all, of the CARP interfaces, even though the master machine is running fine. Something like this:

    if      machine 1   machine 2
    carp0   MASTER      BACKUP
    carp1   MASTER      BACKUP
    carp2   MASTER      MASTER
    carp3   MASTER      BACKUP
    carp4   MASTER      MASTER

The interfaces where both machines try to be MASTER at the same time become unreliable or unreachable.

I looked around Google but couldn't turn up any reports of similar issues. Admittedly I might have been searching for the wrong terms, though.

Any ideas as to what could be causing this problem? They're likely to rebuild both machines in the next week or so, either with 4.6 (so they can keep their existing pf.conf) or with 4.9 so as to be current, but they'd like some assurance that a rebuild will actually solve the problem. (If it were, say, a failing NIC, updating the software wouldn't help.)

For whatever it's worth, the machines in question are PowerEdge R200s, with the two on-board Broadcom gigabit ports and an additional Intel gigabit card for pfsync. They're running the i386 rather than the amd64 version of OpenBSD.

Thanks in advance for any suggestions.

--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org
ifstated
Hello,

I have some problems with ifstated. First of all, I understood that the main task of the default config file for ifstated (/etc/ifstated.conf) is to prevent the MASTER/BACKUP situation, and to force the MASTER/MASTER if a carp interface fails on the master firewall that uses carp.

The problem is that the default config file doesn't seem to work :s (of course after changing the IP addresses). The backup firewall keeps oscillating between the backup and promoted states.

Has anyone managed to get this thing to work? Any ideas why? We used the default config file, only changing the IP addresses in the net and peer definitions.

Thanks.

--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org
CARP compatibility
Hello,

We have two OpenBSD installations, a 4.6 and a 4.8. We set up CARP between the two machines, but things are not working properly.

On the internal side of the network we have this (ifconfig -A):

Router 1

    carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:01
            priority: 0
            carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 100
            groups: carp

Router 2

    carp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:01
            priority: 0
            carp: INIT carpdev em1 vhid 1 advbase 1 advskew 0
            groups: carp

while on the external side we have:

Router 1

    carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:02
            priority: 0
            carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 100
            groups: carp

Router 2

    carp1: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:00:00:00:00
            priority: 0
            carp: INIT carpdev none vhid 2 advbase 1 advskew 0
            groups: carp

We turned off carp0. As you can see, things are messed up. Does that have something to do with the different OpenBSD versions? Has anyone had the same issues, as the interface that is meant to be BACKUP is the MASTER?

Thanks.

--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org
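
An added example, not part of the thread: a small checker that takes `ifconfig` output collected from both firewalls and reports, per vhid, the conditions discussed in the messages above (two MASTERs for one vhid, an interface left in INIT, or `carpdev none`). The host names `fw1`/`fw2` and the sample output are constructed for illustration.

```python
import re
from collections import defaultdict

IFACE_RE = re.compile(r"^(carp\d+):", re.M)
CARP_RE = re.compile(r"carp:\s+(\w+)\s+carpdev\s+(\S+)\s+vhid\s+(\d+)"
                     r"\s+advbase\s+\d+\s+advskew\s+(\d+)")

def parse_carp(text):
    """Map vhid -> carp details for one host's ifconfig output."""
    out = {}
    parts = IFACE_RE.split(text)[1:]          # [name, body, name, body, ...]
    for name, body in zip(parts[0::2], parts[1::2]):
        m = CARP_RE.search(body)
        if m:
            state, dev, vhid, skew = m.groups()
            out[int(vhid)] = {"if": name, "state": state, "dev": dev,
                              "advskew": int(skew)}
    return out

def compare(hosts):
    """hosts: {hostname: ifconfig text}. Return [(vhid, finding), ...]."""
    by_vhid = defaultdict(dict)
    for host, text in hosts.items():
        for vhid, info in parse_carp(text).items():
            by_vhid[vhid][host] = info
    findings = []
    for vhid, peers in sorted(by_vhid.items()):
        masters = sorted(h for h, i in peers.items() if i["state"] == "MASTER")
        if len(masters) > 1:   # both hosts answer ARP for the shared address
            findings.append((vhid, "split: MASTER on " + ", ".join(masters)))
        elif not masters:
            findings.append((vhid, "no MASTER"))
        for host, i in sorted(peers.items()):
            if i["state"] == "INIT":
                findings.append((vhid, f"{host} {i['if']} in INIT"))
            if i["dev"] == "none":
                findings.append((vhid, f"{host} {i['if']} has no carpdev"))
    return findings

# Constructed sample output (trimmed), not captured from the posters' machines.
SAMPLE = {
    "fw1": "carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
           "\tcarp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0\n"
           "carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
           "\tcarp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0\n",
    "fw2": "carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
           "\tcarp: MASTER carpdev em1 vhid 1 advbase 1 advskew 100\n"
           "carp1: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500\n"
           "\tcarp: INIT carpdev none vhid 2 advbase 1 advskew 100\n",
}

if __name__ == "__main__":
    for vhid, finding in compare(SAMPLE):
        print(f"vhid {vhid}: {finding}")
```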
CARP
Hello,

We have an OpenBSD firewall and we are planning to use CARP to add redundancy. I have a question: the firewall is a production firewall, so we can't take it out of production for a long time. I read somewhere that the following is possible: use the current IP address of the main firewall as the virtual IP address of the redundancy group?

In this case, all I need to do is install a new firewall, set up the pf rules and other interfaces, and finally use the production firewall's IP address as the virtual one so as to avoid losing connectivity.

Has anyone tried this before? Any notes or precautions?

Thanks

--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org