Sounds nice.

I came to something similar. Just ssh to the external address and ping both carp
peers (via internal addresses); if there are fewer than 2 answers, we are in
trouble.

Your idea is also good.

2012/1/13 Nick Holland <n...@holland-consulting.net>

> ok, let's try this idea...
>
> Your systems have ONE external address, but they can have as many
> internal addresses as desired, right?
>
> SO...let's say you have two CARP'd firewalls, FW1 and FW2.  They share
> external address of x.x.x.x.
>
>                  FW1:       FW2:
> External        x.x.x.x    x.x.x.x   (same)
> Internal real   10.0.0.2   10.0.0.3
> internal CARP   10.0.0.1   10.0.0.1  (same)
>
> port 22 gets you ssh on the active firewall...but which is that?
>
> How about a PF ruleset that redirects port 2202 to 10.0.0.2 port 22 and
> port 2203 to 10.0.0.3?  Now you can find out anything you wish about
> either box ON DEMAND by selecting the port you ssh to?  If 2202 doesn't
> answer, you've lost fw1; if 2203 doesn't answer, you have lost fw2.
>
> In addition to checking to see that the box is up, it's good to check
> for a sane CARP status -- i.e., all "MASTER" on one box, "SLAVE" on the
> other, plus other overall health issues.
>
> Nick.
>
> On 01/12/12 13:48, iLXQ {IPICIN wrote:
> > well, it's usually not possible.
> > we use OpenBSD, because it supports "carpdev" option (FreeBSD does not
> > support it)
> >
> > most of our carp clusters run on single address. no spare IP space.
> >
> > we could do ssh and ping carp peer (some trouble with preemption), but we
> > do not want to stick with certain IP addresses. we would like to monitor
> > "in general"
> >
> > 1) define new carp cluster for monitoring
> > 2) ssh to it and monitor carp peer in general without specifying its
> > address
> >
> > 2012/1/13 Simon Perreault <simon.perrea...@viagenie.ca>
> >
> >> On 01/12/2012 01:18 PM, P P;Q Q  P(P8P?P8Q P8P= wrote:
> >>
> >>> we are using nagios for monitoring and it is running on a separate
> >>> server. we do not want to monitor the server from inside.
> >>> we want to run something via ssh and see whether the carp peer is dead
> >>> or not.
> >>>
> >>
> >> Give each server its unique IP address.
> >> Use a third IP address for carp.
> >> Monitor all three addresses.
> >>
> >> Simon
> >> --
> >> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> >> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
> >> STUN/TURN server               --> http://numb.viagenie.ca
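The check the thread converges on, written out as an added example (not code from anyone in the thread): a Nagios-style script to run over ssh on whichever firewall answers at the external address. It pings both peers' real internal addresses (10.0.0.2 and 10.0.0.3 from Nick's table, an assumption you override with PEERS) and checks that the local carp interfaces all report one consistent state, so a lost peer or a half-failed-over box turns into a CRITICAL or WARNING exit code. The exit-code mapping and the sample ifconfig output are constructed for the example; note that OpenBSD's ifconfig reports the non-master state as BACKUP.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Run on the active
# firewall (the one reached via the shared external address), e.g.
#   ssh x.x.x.x 'sh check_carp.sh run'
# Exit codes follow Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL.

# Real internal addresses of both CARP peers (assumed; from Nick's table).
PEERS="${PEERS:-10.0.0.2 10.0.0.3}"

# Constructed ifconfig output used for the offline demo below.
SAMPLE_IFCONFIG='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
	inet 10.0.0.1 netmask 0xffffff00
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0'

# Count how many peers answer a single ping (1 s wait each); prints the count.
count_live_peers() {
    n=0
    for p in $PEERS; do
        if ping -c 1 -w 1 "$p" >/dev/null 2>&1; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Read ifconfig output on stdin and summarise the carp state lines:
# MASTER / BACKUP / INIT when every carp interface agrees, MIXED when the
# interfaces disagree (a half-failed-over box), NONE when no carp line exists.
carp_state_summary() {
    states=$(awk '/carp:/ { print $2 }' | sort -u)
    if [ -z "$states" ]; then
        echo NONE
    elif [ "$(printf '%s\n' "$states" | grep -c .)" -ne 1 ]; then
        echo MIXED
    else
        echo "$states"
    fi
}

# Map (live peer count, carp state summary) to a status line and exit code.
evaluate() {
    live=$1
    state=$2
    if [ "$live" -lt 2 ]; then
        echo "CRITICAL: only $live of 2 CARP peers answer ping"
        return 2
    fi
    case "$state" in
        MASTER|BACKUP) echo "OK: both peers up, carp state $state"; return 0 ;;
        MIXED)         echo "WARNING: carp interfaces disagree on state"; return 1 ;;
        *)             echo "CRITICAL: carp state $state"; return 2 ;;
    esac
}

# Live check: real pings plus real ifconfig output.
check_carp_cluster() {
    live=$(count_live_peers)
    state=$(ifconfig carp 2>/dev/null | carp_state_summary)
    evaluate "$live" "$state"
}

# Offline demo over the constructed sample; prints the summarised state.
demo_summary() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | carp_state_summary
}

if [ "${1:-}" = run ]; then
    check_carp_cluster
fi
```

The script only reports the state of the box you landed on; pairing it with Nick's per-box port redirection (2202 and 2203) lets the Nagios server run the same check against each firewall explicitly.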
