Re: CARP problem : slave rioting

2009-09-07 Thread BARDOU Pierre
Hello,

I found the cause of the problem: the CARP interface was configured with a
/24 mask on the master and a /25 mask on the slaves.
With consistent masks everything works like a charm now.


--
Regards,
Pierre BARDOU


Re: CARP problem : slave rioting

2009-06-29 Thread BARDOU Pierre
Hello,

I thought it had to be unique _on the same network segment_, but not
necessarily on the same machine.

And everything works again since I moved the firewall off the backbone
(2*procurve 5400zl, 1 firewall on each) to another switch (1*procurve 3400cl,
2 firewalls on it). But everything seems to be configured identically on those
two switches, and the error log of the 5400zl shows nothing about the ports
where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description DMZ Internet

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description DMZ Internet

They also run like a charm!?
I have run out of ideas about the cause of the problem.

--
Regards,
Pierre BARDOU

Re: CARP problem : slave rioting

2009-06-26 Thread uday
Can you post configuration files for the carp interfaces ?

Nonviolence means avoiding not only external physical violence but
also internal violence of spirit. You not only refuse to shoot a man,
but you refuse to hate him. Rev. Martin Luther King Jr.




Re: CARP problem : slave rioting

2009-06-26 Thread BARDOU Pierre
Hello,

CARP is configured using a script. Here it is (truncated version):

# $1 is this node's advskew, $PASS the shared CARP password; both are set
# before the script runs.
ifconfig carp5 create
ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN

ifconfig carp2 create
ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"

ifconfig carp3 create
ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"

ifconfig carp12 create
ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"

ifconfig carp13 create
ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"

ifconfig carp4 create
ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
ifconfig carp4 alias 217.109.108.1/24

ifconfig carp14 create
ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description Internet


--
Regards,
Pierre BARDOU



Re: CARP problem : slave rioting

2009-06-26 Thread uday
Pierre,

If I'm not mistaken, the vhid on all your carp interfaces is the same
value. I would suggest you use a unique value for each group.

From the man page:
The Virtual Host ID. This is a unique number that is used to identify
the redundancy group to other nodes on the network. Acceptable values
are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

Nonviolence means avoiding not only external physical violence but
also internal violence of spirit. You not only refuse to shoot a man,
but you refuse to hate him. Rev. Martin Luther King Jr.
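The two configuration questions in this thread (the vhid reuse raised here, and the /24 versus /25 mask mismatch that turned out to be the cause) are both things that can be checked mechanically before the interfaces are brought up. The following is an added example, not code from the thread or from OpenBSD: it parses lines in the shape of the posted script (`carpN` followed by its ifconfig arguments) for the master and for the backup, and reports a virtual address carried with different prefix lengths on the two nodes, a vhid or password that differs between them, an advskew that is identical on both, and a vhid reused on several interfaces of one node (which the man page text quoted above says must be unique among nodes on a network, so it is reported as a warning for the operator to confirm the interfaces are on different segments). The sample configuration is constructed to mirror the posted one, with a placeholder password and a /25 alias mask on the backup.

```python
"""Lint CARP configuration of a master/backup pair for the mismatches
discussed in this thread (added example, not from the thread or OpenBSD)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample modelled on the posted script: same vhid on every
# interface, placeholder password, and a /25 alias mask on the backup only.
MASTER = """
carp4 create
carp4 vhid 10 advskew 10 pass example 10.60.0.254/24 description "DMZ Internet"
carp4 alias 217.109.108.1/24
carp14 create
carp14 vhid 10 advskew 10 pass example 217.109.108.243/28 description Internet
"""
BACKUP = """
carp4 create
carp4 vhid 10 advskew 50 pass example 10.60.0.254/24 description "DMZ Internet"
carp4 alias 217.109.108.1/25
carp14 create
carp14 vhid 10 advskew 50 pass example 217.109.108.243/28 description Internet
"""

# ifconfig keywords that take exactly one argument and matter for CARP.
_KEYED = {"vhid", "advskew", "advbase", "pass", "description", "carpdev"}


def parse_node(text):
    """Parse "<ifname> <ifconfig args>" lines into {ifname: {addrs, opts}}.

    Several lines may address one interface (create, alias), so fields are
    merged. Addresses keep their prefix length via ip_interface objects.
    """
    ifaces = defaultdict(lambda: {"addrs": [], "opts": {}})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = shlex.split(line)
        name, args = toks[0], toks[1:]
        entry = ifaces[name]
        i = 0
        while i < len(args):
            tok = args[i]
            if tok in _KEYED:
                entry["opts"][tok] = args[i + 1]
                i += 2
            elif tok in ("alias", "inet", "create", "destroy", "up", "down"):
                i += 1                      # flag, or an address follows
            else:
                entry["addrs"].append(ipaddress.ip_interface(tok))
                i += 1
    return dict(ifaces)


def lint(master, backup):
    """Return a list of (severity, interface(s), message) findings."""
    m, b = parse_node(master), parse_node(backup)
    findings = []
    for name in sorted(set(m) | set(b)):
        if name not in m or name not in b:
            findings.append(("error", name, "interface exists on one node only"))
            continue
        mo, bo = m[name]["opts"], b[name]["opts"]
        for key in ("vhid", "pass"):
            if mo.get(key) != bo.get(key):
                findings.append(("error", name, f"{key} differs between nodes"))
        if mo.get("advskew") == bo.get("advskew"):
            findings.append(("error", name, "advskew identical on both nodes"))
        ma = {a.ip: a for a in m[name]["addrs"]}
        ba = {a.ip: a for a in b[name]["addrs"]}
        for ip in sorted(set(ma) | set(ba)):
            if ip not in ma or ip not in ba:
                findings.append(("error", name, f"{ip} configured on one node only"))
            elif ma[ip].network.prefixlen != ba[ip].network.prefixlen:
                findings.append(("error", name,
                                 f"{ip} has /{ma[ip].network.prefixlen} on master "
                                 f"but /{ba[ip].network.prefixlen} on backup"))
    # A vhid reused inside one node is only safe if those interfaces sit on
    # different segments; report it so the operator checks.
    for label, node in (("master", m), ("backup", b)):
        by_vhid = defaultdict(list)
        for name, entry in node.items():
            if "vhid" in entry["opts"]:
                by_vhid[entry["opts"]["vhid"]].append(name)
        for vhid, names in by_vhid.items():
            if len(names) > 1:
                findings.append(("warning", ",".join(sorted(names)),
                                 f"{label}: vhid {vhid} reused; must be unique "
                                 "among nodes on the same segment"))
    return findings


if __name__ == "__main__":
    for severity, where, message in lint(MASTER, BACKUP):
        print(f"{severity:8} {where:14} {message}")
```

Run against the two real `hostname.carp*` files by turning each line into `carpN <line>`; the one error it prints for the sample is the /24 versus /25 alias on carp4, the same class of mismatch reported as the root cause at the top of the thread.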




CARP problem : slave rioting

2009-06-22 Thread BARDOU Pierre
Hello,

I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is done using
CARP.
Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a
trunk, collecting all other VLANs.
Master's advskew is 10, slave's is 50.
All worked like a charm for nearly 2 years, but for 3 weeks I have had odd
problems:
* on the net interface, the backup becomes master, but the master remains
master; nearly half of the packets are lost.
I did a tcpdump on the slave's interface; carp packets from the master arrive.
But it remains master!
Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

* on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it
is part of a trunk, physical connections are good: they work for all other
VLANs. When I shut down the corresponding carp interface on the slave
(ifconfig carp4 down), master becomes master again.

Could you give me any clue to keep my master in master state?

Thank you

--
Regards,

Pierre BARDOU
CSIM - Bureau 012

Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
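The tcpdump in the post above shows advertisements for vhid 10 with advskew 10 and advskew 50 less than 200 ms apart. Only a node in MASTER state sends advertisements, so two different advskews for one vhid inside a single advertisement window is the signature of the "backup became master while the master stayed master" condition described. The following is an added example, not code from the thread or from OpenBSD: a parser for that tcpdump line format and a check that flags every vhid with more than one advertising node. The sample lines are constructed (the two from the post plus three more, to show each node keeping its own cadence and an unrelated vhid 11). The timing formulas it uses, advbase + advskew/256 seconds between a master's advertisements and 3*advbase + advskew/256 seconds as the backup's dead timer, are as I read them from OpenBSD's carp implementation.

```python
"""Detect a CARP split-brain (two masters for one vhid) from tcpdump output
(added example, not from the thread or OpenBSD)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two advertisements from the post, one more pair about
# a second later, and one advertisement for a different vhid. Both senders use
# the virtual MAC 00:00:5e:00:01:0a, so only advskew tells them apart.
SAMPLE = """\
Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.600412 00:00:5e:00:01:0b 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=11 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
Jun 22 16:42:51.611330 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:51.943122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
"""

ADV_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[0-9a-f:]{17}) (?P<dst>[0-9a-f:]{17}) .*?CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) advskew=(?P<advskew>\d+) "
    r"demote=(?P<demote>\d+)"
)


def parse_advertisements(text):
    """Return one dict per CARPv2-advertise line; other lines are skipped."""
    ads = []
    for line in text.splitlines():
        m = ADV_RE.match(line)
        if not m:
            continue
        # tcpdump prints no year; strptime fills in 1900, fine for time deltas.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}",
                               "%b %d %H:%M:%S.%f")
        ads.append({"ts": ts, "src": m["src"], "vhid": int(m["vhid"]),
                    "advbase": int(m["advbase"]), "advskew": int(m["advskew"]),
                    "demote": int(m["demote"])})
    return ads


def advert_interval(advbase, advskew):
    """Seconds between a master's advertisements: advbase + advskew/256."""
    return advbase + advskew / 256.0


def backup_dead_timer(advbase, advskew):
    """Seconds a backup waits without hearing any master before taking over
    (3*advbase plus advskew/256, per OpenBSD's BACKUP-state timer)."""
    return 3 * advbase + advskew / 256.0


def find_split_brain(ads, intervals=3):
    """Map vhid -> sorted advskews for every vhid where advertisements with
    different advskews were seen within `intervals` advertisement intervals
    of each other. Since only a MASTER sends, that means two masters."""
    by_vhid = defaultdict(list)
    for ad in sorted(ads, key=lambda a: a["ts"]):
        by_vhid[ad["vhid"]].append(ad)
    dual = {}
    for vhid, seq in by_vhid.items():
        last_seen = {}  # advskew -> time of its most recent advertisement
        for ad in seq:
            window = intervals * advert_interval(ad["advbase"], ad["advskew"])
            for skew, ts in last_seen.items():
                if skew != ad["advskew"] and (ad["ts"] - ts).total_seconds() <= window:
                    dual.setdefault(vhid, set()).update({skew, ad["advskew"]})
            last_seen[ad["advskew"]] = ad["ts"]
    return {vhid: sorted(skews) for vhid, skews in dual.items()}


if __name__ == "__main__":
    ads = parse_advertisements(SAMPLE)
    for vhid, skews in find_split_brain(ads).items():
        print(f"vhid {vhid}: {len(skews)} nodes advertising as master "
              f"(advskews {skews}); the advskew {skews[0]} node should win, "
              f"advertising every {advert_interval(1, skews[0]):.3f} s")
```

Pipe `tcpdump -ttt -nevi <if> proto carp` (or a saved capture) into `parse_advertisements`; a healthy pair yields an empty result, because the backup goes silent the moment it hears a better advertisement. If the backup keeps sending, the next things to compare are exactly what this thread ended on: the same vhid, password and address/mask on both nodes, and whether the switch actually delivers the 224.0.0.18 multicast between them.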