Re: [pfSense] CARP sync of skew results in blank Status on backup router, breaking failover

2015-03-25 Thread Steve Yates
Steve Yates wrote on Wed, Mar 25 2015 at 1:22 pm:

>   In my other thread, diagnosing why failback only moved back the WAN
> IPs, if the physical host had its network restarted underneath my router VM.

Sorry, had that backwards FWIW; it only moved back the LAN.  Again, not 
a normal situation but I had added IPv6 settings and shortcutted a full 
restart, then chased this issue when I lost access to my testbed despite having 
two routers running.

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] CARP sync of skew results in blank Status on backup router, breaking failover

2015-03-25 Thread Steve Yates
Chris L wrote on Wed, Mar 25 2015 at 2:43 am:

> Since nobody else has chimed in are you sure CARP setting changes are
> supposed to be synced?
> 
> It makes sense that when a primary syncs to a new secondary, or a new VIP is
> created on the Master, defaults are chosen on the secondary to ensure it
> comes up as Backup.
> 
> After that happens, I don’t think I want changes to CARP settings to be 
> synced.

I have "Synchronize Virtual IPs" checked which says "this system will 
automatically sync the CARP Virtual IPs to the other HA host when changes are 
made."  I assume that's the setting?  I could see an argument for not syncing, 
and that had occurred to me, but the option is there.

> What are you doing messing around with base and skew anyway?

In my other thread, diagnosing why failback only moved back the WAN 
IPs, if the physical host had its network restarted underneath my router VM.  
Using 1 instead of 0 I thought was a suggestion.  Per the docs it shouldn't 
matter, the lowest is used.  I agree, not a normal situation to edit skew, but 
if someone does ever change that I think it should not break the CARP 
configuration on router2.  I'm a fan of trying to make things as idiot proof as 
possible [note: not possible. -Ed.] such as not showing a field for Remote 
System Username for syncing, if it will ignore that and use something else.

Simply saving the CARP virtual IP on router1, without changing skew, 
does not break that CARP IP on router2.

To replicate should be pretty easy if someone has CARP set up...open 
the CARP alias on router1, change skew from 0 to 1, save, and check the 
Status/CARP page on router2 to see if it still says Backup or is blank. (to 
reiterate the fix, open the CARP IP on router2, change nothing and click Save)

--

Steve Yates
ITS, Inc.
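
A check for the symptom described in this thread, as an added example that is not part of the original posts or of pfSense itself: it parses FreeBSD-style `ifconfig` output from both nodes and flags any VIP whose backup reports no CARP state or whose skew ordering is wrong. The sample output and the function names are constructed, and mapping the blank GUI Status to a missing `carp:` line is an assumption.

```python
import re

# FreeBSD 10-style line: "carp: BACKUP vhid 3 advbase 1 advskew 100"
CARP_RE = re.compile(
    r"carp:\s+(\w+)\s+vhid\s+(\d+)\s+advbase\s+\d+\s+advskew\s+(\d+)")

def parse_carp(ifconfig_text):
    """Return {vhid: (state, advskew)} for every carp line found."""
    return {int(m.group(2)): (m.group(1), int(m.group(3)))
            for m in CARP_RE.finditer(ifconfig_text)}

def check_pair(expected_vhids, primary_text, backup_text):
    """Compare both nodes and list (vhid, problem) tuples."""
    primary, backup = parse_carp(primary_text), parse_carp(backup_text)
    findings = []
    for vhid in sorted(expected_vhids):
        p, b = primary.get(vhid), backup.get(vhid)
        if b is None:
            # Assumed equivalent of the blank Status on router2.
            findings.append((vhid, "no CARP state on backup"))
        elif p is None:
            findings.append((vhid, "no CARP state on primary"))
        elif p[0] == "MASTER" and b[0] == "MASTER":
            findings.append((vhid, "both nodes MASTER"))
        elif b[1] <= p[1]:
            # The lowest skew wins, so the backup must advertise a higher one.
            findings.append((vhid, "backup advskew not above primary"))
    return findings

# Constructed sample output (addresses from the documentation range).
PRIMARY = """em0: flags=8943<UP,BROADCAST,RUNNING> metric 0 mtu 1500
\tinet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
\tcarp: MASTER vhid 1 advbase 1 advskew 1
em1: flags=8943<UP,BROADCAST,RUNNING> metric 0 mtu 1500
\tcarp: MASTER vhid 2 advbase 1 advskew 0
\tcarp: MASTER vhid 3 advbase 1 advskew 0
"""
BACKUP = """em0: flags=8943<UP,BROADCAST,RUNNING> metric 0 mtu 1500
\tinet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8943<UP,BROADCAST,RUNNING> metric 0 mtu 1500
\tcarp: BACKUP vhid 2 advbase 1 advskew 100
\tcarp: BACKUP vhid 3 advbase 1 advskew 0
"""

if __name__ == "__main__":
    for vhid, problem in check_pair({1, 2, 3}, PRIMARY, BACKUP):
        print(f"vhid {vhid}: {problem}")
```
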



Re: [pfSense] CARP sync of skew results in blank Status on backup router, breaking failover

2015-03-25 Thread Chris L

> On Mar 24, 2015, at 9:47 AM, Steve Yates  wrote:
> 
>   I'm going to start a new thread since I think this is a different issue.
> 
>   I have a rule to allow all IPv4 from PFSYNC net to PFSYNC net.  That 
> network is on a VLAN with only those two interfaces on it.
> 
>   The failover and fail back works fine on all five CARP 
> interfaces/aliases if router1 is shut down, it enters CARP maintenance mode, 
> etc.
> 
>   I think this is a bug that if the CARP skew setting syncs, something 
> happens to the backup so it has a blank Status and no longer considers itself 
> the Backup for that interface, and therefore failover does not happen.  
> (enabling CARP maintenance mode on router1 sets only the other four 
> interfaces to Backup status and the broken one remains Master).
> 
>   Interesting to note, the breakage happens immediately upon editing the 
> router1 skew, before Apply Changes are clicked on router1.  And, when 
> router2's CARP alias is in that state, setting the skew on router1 back to 0 
> does not sync over to router2; its skew stays at 101.  It's as if the link is 
> broken.
> 

Since nobody else has chimed in are you sure CARP setting changes are supposed 
to be synced?

It makes sense that when a primary syncs to a new secondary, or a new VIP is 
created on the Master, defaults are chosen on the secondary to ensure it comes 
up as Backup.

After that happens, I don’t think I want changes to CARP settings to be synced.

What are you doing messing around with base and skew anyway?


[pfSense] CARP sync of skew results in blank Status on backup router, breaking failover

2015-03-24 Thread Steve Yates
I'm going to start a new thread since I think this is a different issue.

I have a rule to allow all IPv4 from PFSYNC net to PFSYNC net.  That 
network is on a VLAN with only those two interfaces on it.

The failover and fail back works fine on all five CARP 
interfaces/aliases if router1 is shut down, it enters CARP maintenance mode, 
etc.

I think this is a bug that if the CARP skew setting syncs, something 
happens to the backup so it has a blank Status and no longer considers itself 
the Backup for that interface, and therefore failover does not happen.  
(enabling CARP maintenance mode on router1 sets only the other four interfaces 
to Backup status and the broken one remains Master).

Interesting to note, the breakage happens immediately upon editing the 
router1 skew, before Apply Changes are clicked on router1.  And, when router2's 
CARP alias is in that state, setting the skew on router1 back to 0 does not 
sync over to router2; its skew stays at 101.  It's as if the link is broken.

--

Steve Yates
ITS, Inc.

ED Fochler wrote on Tue, Mar 24 2015 at 9:55 am:

> Steve,
>   I have explicit multicast, network to network, and proto PFSYNC allow
> rules on my dedicated CARP interface, which MAY be unnecessary.  And I
> remember the skew number being very picky, working correctly only in the 0 &
> 100 setting.  At some point my CARP interfaces stopped getting out of sync, so
> I stopped troubleshooting.
> 
> I do have 1 IP dedicated to each device + the CARP IP on each subnet and a
> dedicated direct cable between routers for CARP & sync traffic.  My hardware
> is real, not virtual, so I hope that isn't what's hurting you.  Good luck.
> 
>   ED.
> 
>> On 2015, Mar 24, at 12:40 AM, Steve Yates  wrote:
>> 
>>  I am not sure this is related but it is weird/bad...I got around to
>> setting the skew back to 0 for all CARP IPs on router1.  pfSense (2.2.1)
>> syncs the change to router2 so those skews change from 101 to 100.  However
>> afterwards router1 shows all five as Status of Master, and router2 shows all
>> five with a blank Status.  I must edit each of the five, save (without making
>> changes) and only once changes are Applied the Status shows as Backup.  That
>> sounds like a configuration sync bug?  I did see this when setting the skew
>> from 0 to 1 earlier today and passed it off as I was clicking around a lot,
>> but it seems to be repeatable.
>> 
>> --
>> Steve