Re: Two carp firewalls keep swapping from master/backup
Are you allowing the carp traffic in and out? This is the more common fuckup I make when configuring them that has this result. Make sure the carp and pfsync traffic makes it in and out.
Re: Two carp firewalls keep swapping from master/backup
Dag Richards wrote:
> Your understanding of preempt seems correct. I had a similar issue on a pair of 4.1 FWs. A careful examination revealed that one of the carp ifaces on one system had ip addrs that were missing on the other. Carefully compare ifconfig -aA on each machine to each other. I now slavishly also ensure that the addrs occur in the same order ... I am sure that has no effect, but there it is.
> Are you allowing the carp traffic in and out? Does a tcpdump show the expected traffic?

I have checked all those things... ifconfig output (in relation to carp) is identical with the obvious exceptions of BACKUP/MASTER and advskew. One of the first lines in my pf.conf is always "pass in quick on foo proto carp keep state" ... and a look at pflog shows nothing in the carp department is being blocked.

It does not happen all the time, just seems to happen when I put some network load on the secondary firewall. I will investigate what Stuart Henderson mentioned.

Cheers,
Josh
Two carp firewalls keep swapping from master/backup
Hello,

A quick question. I have a pair of 4.1 boxes acting as firewalls using carp/pfsync etc. The primary has advskew 0, the backup has advskew 100. I have net.inet.carp.preempt=1 on both.

So anyway, I was downloading some 4.2 install binaries onto the backup fw, and I noticed that the backup/primary carp interfaces kept on switching between master/backup fairly rapidly (around every 5 - 10 seconds or so) despite both hosts being up just fine. Any ideas on what might be causing this?

Also, my understanding of net.inet.carp.preempt=1 needs to be adjusted I think; I thought that it meant if one carp interface goes down, i.e. unplugged or whatever, then the rest go down, i.e. all other interfaces on the box? Is this right?

Thanks,
Josh
Re: Two carp firewalls keep swapping from master/backup
On 2007/12/06 10:06, Josh wrote:
> So anyway, I was downloading some 4.2 install binaries onto the backup fw, and I noticed that the backup/primary carp interfaces kept on switching between master/backup fairly rapidly (around every 5 - 10 seconds or so) despite both hosts being up just fine. Any ideas on what might be causing this?

If you reconfigured addresses on the interfaces after configuring them, it's most likely to be the problem fixed in r1.135 of
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c

> Also, my understanding of net.inet.carp.preempt=1 needs to be adjusted I think; I thought that it meant if one carp interface goes down, i.e. unplugged or whatever, then the rest go down, i.e. all other interfaces on the box? Is this right?

Not always, see http://www.mail-archive.com/misc@openbsd.org/msg34354.html
Re: Two carp firewalls keep swapping from master/backup
Stuart Henderson wrote:
> On 2007/12/06 11:48, Josh wrote:
>> I will investigate what Stuart Henderson mentioned.
>
> If it's that, tcpdump on the parent iface will show proto 112 IPv6 packets every few seconds, and
>
>     ifconfig carpXX destroy
>     sh /etc/netstart carpXX
>
> should clear things out.
>
>> It does not happen all the time, just seems to happen when I put some network load on the secondary firewall.
>
> In that case, also check sysctl net.inet.ip.ifq.drops. If any are present, bump net.inet.ip.ifq.maxlen (256 is a good starting point, used by default in 4.2).

Hmmm,

    sysctl net.inet.ip.ifq.drops
    net.inet.ip.ifq.drops=7895040

Will make the changes you suggest... But what does net.inet.ip.ifq.drops mean?

Thanks,
Josh
Re: Two carp firewalls keep swapping from master/backup
Josh wrote:
> Hello,
>
> A quick question. I have a pair of 4.1 boxes acting as firewalls using carp/pfsync etc. The primary has advskew 0, the backup has advskew 100. I have net.inet.carp.preempt=1 on both.
>
> So anyway, I was downloading some 4.2 install binaries onto the backup fw, and I noticed that the backup/primary carp interfaces kept on switching between master/backup fairly rapidly (around every 5 - 10 seconds or so) despite both hosts being up just fine. Any ideas on what might be causing this?
>
> Also, my understanding of net.inet.carp.preempt=1 needs to be adjusted I think; I thought that it meant if one carp interface goes down, i.e. unplugged or whatever, then the rest go down, i.e. all other interfaces on the box? Is this right?
>
> Thanks,
> Josh

Your understanding of preempt seems correct. I had a similar issue on a pair of 4.1 FWs. A careful examination revealed that one of the carp ifaces on one system had ip addrs that were missing on the other. Carefully compare ifconfig -aA on each machine to each other. I now slavishly also ensure that the addrs occur in the same order ... I am sure that has no effect, but there it is.

Are you allowing the carp traffic in and out? Does a tcpdump show the expected traffic?
Re: Two carp firewalls keep swapping from master/backup
On 2007/12/06 11:48, Josh wrote:
> I will investigate what Stuart Henderson mentioned.

If it's that, tcpdump on the parent iface will show proto 112 IPv6 packets every few seconds, and

    ifconfig carpXX destroy
    sh /etc/netstart carpXX

should clear things out.

> It does not happen all the time, just seems to happen when I put some network load on the secondary firewall.

In that case, also check sysctl net.inet.ip.ifq.drops. If any are present, bump net.inet.ip.ifq.maxlen (256 is a good starting point, used by default in 4.2).
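Two of the checks suggested in this thread, the per-vhid address comparison across the two peers (Dag Richards) and the net.inet.ip.ifq.drops / maxlen check (Stuart Henderson), scripted as an added example. This is not code from the thread or from OpenBSD; the `ifconfig -aA` dumps and the `sysctl net.inet.ip.ifq` lines are constructed samples in the style of 4.x output using documentation address ranges, and the maxlen/drops values in them are assumed. On a real pair you would save `ifconfig -aA` from each host and feed the two files in place of the embedded strings.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a CARP/pfsync pair.
#  carp_mismatch  - compare CARP addresses per vhid between two peers' saved
#                   `ifconfig -aA` output (differences make the pair flap).
#  ifq_advice     - read `sysctl net.inet.ip.ifq` output and report whether
#                   net.inet.ip.ifq.maxlen should be raised.
# FW_A, FW_B and SYSCTL_IFQ below are constructed samples, not real output.
LC_ALL=C
export LC_ALL

FW_A='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.11 netmask 0xffffff00 broadcast 192.0.2.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
        inet 198.51.100.2 netmask 0xffffff00 broadcast 198.51.100.255'

# Peer B is missing the second address on vhid 2 (constructed fault).
FW_B='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.12 netmask 0xffffff00 broadcast 192.0.2.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

# Constructed `sysctl net.inet.ip.ifq` output; maxlen 50 is an assumed value.
SYSCTL_IFQ='net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=50
net.inet.ip.ifq.drops=7895040'

# Print "vhid address" for every inet address that sits on a carp interface,
# sorted so the two peers can be compared line by line.
carp_addrs() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[a-z]+[0-9]+:$/ { vhid = "" }   # start of a new interface block
        $1 == "carp:" { for (i = 1; i <= NF; i++) if ($i == "vhid") vhid = $(i + 1) }
        $1 == "inet" && vhid != "" { print vhid, $2 }
    ' | sort
}

# Lines present on only one peer: no indent = only on A, tab indent = only on B.
carp_mismatch() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    carp_addrs "$1" > "$a"
    carp_addrs "$2" > "$b"
    comm -3 "$a" "$b"
    rm -f "$a" "$b"
}

# Number of mismatched (vhid, address) entries; 0 means the peers agree.
carp_mismatch_count() {
    carp_mismatch "$1" "$2" | awk 'END { print NR }'
}

# Parse `sysctl net.inet.ip.ifq` output. Returns 1 (and prints advice) when
# the IP input queue has dropped packets; 0 when it has not.
ifq_advice() {
    drops=$(printf '%s\n' "$1" | awk -F= '$1 == "net.inet.ip.ifq.drops" { print $2 }')
    maxlen=$(printf '%s\n' "$1" | awk -F= '$1 == "net.inet.ip.ifq.maxlen" { print $2 }')
    : "${drops:=0}" "${maxlen:=0}"
    if [ "$drops" -gt 0 ]; then
        echo "ifq: $drops packets dropped at maxlen=$maxlen"
        [ "$maxlen" -lt 256 ] && echo "ifq: raise net.inet.ip.ifq.maxlen to at least 256"
        return 1
    fi
    echo "ifq: no drops at maxlen=$maxlen"
    return 0
}

echo "== CARP address mismatches (A vs B) =="
carp_mismatch "$FW_A" "$FW_B"
echo "== IP input queue =="
ifq_advice "$SYSCTL_IFQ" || true
```

Running it as written reports the one address vhid 2 has on peer A but not on peer B, and flags the drop counter; the sample output above is what the thread's `net.inet.ip.ifq.drops=7895040` would produce.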