Re: carp incorrect hash debugging

2005-11-04 Thread Jon Hart
On Fri, Nov 04, 2005 at 02:57:35AM +, Ryan McBride wrote:
> On Thu, Nov 03, 2005 at 06:11:20PM -0500, Jon Hart wrote:
> > 1) used to determine that a particular carp packet is intended for
> >    your carp host?
>
> carp(4) does a number of validity checks before treating the packet as a
> real carp packet:
>
> - was the packet received on an interface that has a carp device on it?
> - is the ttl 255 (prevents routed carp packets from being accepted)
> - packet length
> - crc32 checksum
> - VHID
> - Is the carp interface UP and RUNNING?
> - version
> - SHA-1 HMAC
>
> > 2) given that a carp host knows that a particular carp packet is one
> >    that it cares about, how does it verify that all of the parameters
> >    contained within are legit?
>
> It checks the HMAC, which contains the password, version, counter, type,
> and the addresses.
>
> [snip]
 [snip]

Great, thank you!

> > If the answer to all this is to just ensure that if I ever have more
> > than one carp pair on the same network to ensure that I have different
> > vhids,
>
> Yes, you MUST use a different vhid for different carp clusters on the
> same link-local network; the MAC address for the carp interface is
> generated from the vhid, and if you don't keep this unique your switch
> will likely get confused.

Great, this confirms what I learned.  I also checked out the pf/carp faq
and the description of vhid there adequately describes the purpose of
a vhid and makes it fairly clear that different carp clusters on the
same network must use different vhids.  The carp manpage alludes to this
but could perhaps be made more clear.  Something along the lines of:

   To use carp, the administrator needs to configure at minimum
   a common virtual host ID (vhid) and virtual host IP address on each
   machine which is to take part in the virtual group.  The vhid is used
   to uniquely identify all members of a virtual group, and hosts on the
   same link-local network must use different vhids.

> > does anyone have a vhid numbering scheme that they've found workable?
> > I had been using interface number +1 (so the carp for em0 would be
> > vhid 1, etc).
>
> In many situations, I use the last octet of the first virtual IP
> address. (If your virtual IP is 192.168.0.23, use 23 as your vhid)

Genius!  

Thanks again,

-jon



carp incorrect hash debugging

2005-11-03 Thread Jon Hart
Greetings,

We've all probably had or seen the carp error similar to:

   carp0: incorrect hash

In most cases that I've seen on this and other lists it was because of
something obvious like a mismatched pass or two supposed carp partners
using different vhids.

I've taken a look at the code but wanted to verify.  What pieces of
information are:

   1) used to determine that a particular carp packet is intended for
      your carp host?

   2) given that a carp host knows that a particular carp packet is one
      that it cares about, how does it verify that all of the parameters
      contained within are legit?

I believe the answer to 1 is the version, type and vhid from the carp
packet.  2 I'm not so sure about, but I'm assuming that at least part of
this decision is based on the pass.  

I had a situation earlier today that I could not explain.  Put simply,
I had hosts A, B, C and D all on the same /24.  Hosts A and B were
a carp pair for 192.168.0.1 and hosts C and D were a carp pair for
192.168.0.4.  If A and B were using the same vhid as C and D, both ends
would complain about an incorrect hash.  Having never been in that
situation before, I figured the vhids were clashing since the pass
happened to be the same on all 4 machines.  I destroyed carp0 and did
a 'sh /etc/netstart carp0'.  I was still getting the messages but they
seemed less frequent.  I worked on other things which required a reboot
and from then on, the messages were gone.  The two carp pairs have
functioned as expected ever since. 

Was my fix (prior to rebooting) the correct one?  If so, why did
I continue to get the incorrect hash messages?  Gremlins or operator
error?

If the answer to all this is to just ensure that if I ever have more
than one carp pair on the same network to ensure that I have different
vhids, does anyone have a vhid numbering scheme that they've found
workable?  I had been using interface number +1 (so the carp for em0
would be vhid 1, etc).

Any input would be much appreciated!

-jon



Re: carp incorrect hash debugging

2005-11-03 Thread Ryan McBride
On Thu, Nov 03, 2005 at 06:11:20PM -0500, Jon Hart wrote:
> 1) used to determine that a particular carp packet is intended for
>    your carp host?

carp(4) does a number of validity checks before treating the packet as a
real carp packet:

- was the packet received on an interface that has a carp device on it?
- is the ttl 255 (prevents routed carp packets from being accepted)
- packet length
- crc32 checksum
- VHID
- Is the carp interface UP and RUNNING?
- version
- SHA-1 HMAC

> 2) given that a carp host knows that a particular carp packet is one
>    that it cares about, how does it verify that all of the parameters
>    contained within are legit?

It checks the HMAC, which contains the password, version, counter, type,
and the addresses.

[snip]

> If the answer to all this is to just ensure that if I ever have more
> than one carp pair on the same network to ensure that I have different
> vhids,

Yes, you MUST use a different vhid for different carp clusters on the
same link-local network; the MAC address for the carp interface is
generated from the vhid, and if you don't keep this unique your switch
will likely get confused.

> does anyone have a vhid numbering scheme that they've found workable?
> I had been using interface number +1 (so the carp for em0 would be
> vhid 1, etc).

In many situations, I use the last octet of the first virtual IP
address. (If your virtual IP is 192.168.0.23, use 23 as your vhid)
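The receive-side checks Ryan lists and the HMAC coverage he describes, as an added example that is not part of this thread or of the OpenBSD source: a simplified Python model that replays Jon's scenario (two carp pairs, one password, same vhid) and shows why the clash surfaces as "incorrect hash" while distinct vhids make the foreign advertisement drop out earlier. The 36-byte header layout, the fixed 20-byte key buffer and the exact HMAC coverage (version/type, vhid, virtual addresses, counter) are assumptions for this model; the packet checksum is omitted.

```python
import hashlib, hmac, ipaddress, struct

CARP_VERSION, CARP_ADVERTISEMENT, CARP_KEY_LEN, CARP_HDR_LEN = 2, 1, 20, 36

def carp_mac(vhid):
    """Virtual MAC of a carp interface; only the last octet varies, hence the vhid clash."""
    return "00:00:5e:00:01:%02x" % vhid

def _hmac_digest(password, vtype, vhid, addrs, counter):
    # Assumed key handling: the password occupies a fixed 20-byte key buffer.
    key = password.encode().ljust(CARP_KEY_LEN, b"\0")[:CARP_KEY_LEN]
    h = hmac.new(key, bytes([vtype, vhid]), hashlib.sha1)   # version/type and vhid
    for a in sorted(ipaddress.IPv4Address(x) for x in addrs):
        h.update(a.packed)                                  # the virtual addresses
    h.update(struct.pack("!Q", counter))                    # the 64-bit counter
    return h.digest()

def build_advert(password, vhid, addrs, counter, advbase=1, advskew=0):
    """Constructed CARP advertisement: 8-byte fixed header, 64-bit counter, SHA-1 HMAC."""
    vtype = (CARP_VERSION << 4) | CARP_ADVERTISEMENT
    hdr = struct.pack("!BBBBBBH", vtype, vhid, advskew, CARP_KEY_LEN, 0, advbase, 0)
    return hdr + struct.pack("!Q", counter) + _hmac_digest(password, vtype, vhid, addrs, counter)

def receive(pkt, ttl, password, my_vhid, my_addrs):
    """Apply the receive-side checks in the order Ryan lists; return the verdict."""
    if ttl != 255:                       # routed packets are never accepted
        return "bad ttl"
    if len(pkt) != CARP_HDR_LEN:
        return "bad length"
    vtype, vhid = pkt[0], pkt[1]         # checksum check omitted in this model
    if vhid != my_vhid:                  # not for any carp interface of ours: ignored
        return "wrong vhid"
    if vtype >> 4 != CARP_VERSION:
        return "bad version"
    counter = struct.unpack("!Q", pkt[8:16])[0]
    expected = _hmac_digest(password, vtype, vhid, my_addrs, counter)
    if not hmac.compare_digest(expected, pkt[16:]):
        return "incorrect hash"          # the message carp0 logs
    return "accepted"

def scenario():
    """Jon's setup: A/B serve 192.168.0.1, C/D serve 192.168.0.4, one password everywhere."""
    pw = "samepass"
    partner = build_advert(pw, 1, ["192.168.0.1"], 42)   # B advertising to A
    clash = build_advert(pw, 1, ["192.168.0.4"], 42)     # C/D with the same vhid as A/B
    fixed = build_advert(pw, 4, ["192.168.0.4"], 42)     # C/D after moving to vhid 4
    return {"partner": receive(partner, 255, pw, 1, ["192.168.0.1"]),
            "same_vhid": receive(clash, 255, pw, 1, ["192.168.0.1"]),
            "distinct_vhid": receive(fixed, 255, pw, 1, ["192.168.0.1"])}
```

With the same vhid, A passes C's advertisement through to the HMAC step and logs "incorrect hash" because the HMAC was computed over 192.168.0.4 rather than 192.168.0.1; with distinct vhids the packet is dropped as not ours before any hash is computed.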