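On the slave, both carp interfaces should be in the BACKUP state. A slave that reports MASTER for a vhid is typically not receiving the master's advertisements on that interface (here carp2 on em0). Check whether the pf rule that passes your carp traffic has "keep state (no-sync)". If not, add it and flush the state tables.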
Other hints to debug carp setups: - netstat -s -p carp - ifconfig -g carp - sysctl net.inet.carp.log=4 (check /var/log/messages) -- Cam On 18-5-2012 3:38, shadrock wrote: > hi > still looking for an answer to the following question >> hi all >> have configured two firewalls with carp >> i have connectivity to the internet and the firewalls failover properly. >> when i check the carp states of each firewall the slave reports that its >> wan connection is in the master state the same as the master firewall >> while the slave carp lan connection is in the backup state. >> is this normal or should both carps be in backup for the slave ? >> shadrock >> >> >> master firewall >> /etc/hostname.carp1 >> inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 pass pass1 >> >> /etc/hostname.carp2 >> inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 pass >> pass2 >> >> /etc/hostname.em0 >> inet 192.168.5.2 255.255.255.0 >> >> /etc/hostname.em1 >> inet 10.5.5.2 255.255.255.0 NONE >> >> /etc/hostname.bge0 >> inet 172.16.0.2 255.255.255.0 NONE >> >> /etc/hostname.pfsync0 >> up syncdev bge0 >> >> >> ifconfig -a >> >> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196 >> priority: 0 >> groups: lo >> inet6 ::1 prefixlen 128 >> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 >> inet 127.0.0.1 netmask 0xff000000 >> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 >> lladdr 00:18:8b:60:7b:06 >> priority: 0 >> media: Ethernet autoselect (1000baseT >> full-duplex,master,rxpause,txpause) >> status: active >> inet 172.16.0.2 netmask 0xffffff00 broadcast 172.16.0.255 >> inet6 fe80::218:8bff:fe60:7b06%bge0 prefixlen 64 scopeid 0x1 >> em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> >> mtu 1500 >> lladdr 00:04:23:df:6b:a4 >> priority: 0 >> groups: egress >> media: Ethernet autoselect (100baseTX >> full-duplex,rxpause,txpause) >> status: active >> inet 192.168.5.2 netmask 0xffffff00 broadcast 192.168.5.255 >> inet6 
fe80::204:23ff:fedf:6ba4%em0 prefixlen 64 scopeid 0x2 >> em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> >> mtu 1500 >> lladdr 00:04:23:df:6b:a5 >> priority: 0 >> media: Ethernet autoselect (1000baseT >> full-duplex,rxpause,txpause) >> status: active >> inet 10.5.5.2 netmask 0xffffff00 broadcast 10.5.5.255 >> inet6 fe80::204:23ff:fedf:6ba5%em1 prefixlen 64 scopeid 0x3 >> enc0: flags=41<UP,RUNNING> >> priority: 0 >> groups: enc >> status: active >> pfsync0: flags=41<UP,RUNNING> mtu 1500 >> priority: 0 >> pfsync: syncdev: bge0 maxupd: 128 defer: off >> groups: carp pfsync >> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196 >> priority: 0 >> groups: pflog >> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 >> lladdr 00:00:5e:00:01:01 >> priority: 0 >> carp: MASTER carpdev em1 vhid 1 advbase 1 advskew 0 >> groups: carp >> status: master >> inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6 >> inet 10.5.5.1 netmask 0xffffff00 broadcast 10.5.5.255 >> carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 >> lladdr 00:00:5e:00:01:02 >> priority: 0 >> carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 0 >> groups: carp >> status: master >> inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7 >> inet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255 >> >> >> slave firewall >> >> /etc/hostname.carp1 >> inet 10.5.5.1 255.255.255.0 10.5.5.255 vhid 1 carpdev em1 advskew 100 >> pass pass1 >> >> /etc/hostname.carp2 >> inet 192.168.5.1 255.255.255.0 192.168.5.255 vhid 2 carpdev em0 advskew >> 100 pass pass2 >> >> /etc/hostname.em0 >> inet 192.168.5.3 255.255.255.0 >> >> /etc/hostname.em1 >> inet 10.5.5.3 255.255.255.0 NONE >> >> /etc/hostname.bge0 >> inet 172.16.0.3 255.255.255.0 NONE >> >> /etc/hostname.pfsync0 >> up syncdev bge0 >> >> >> ifconfig -a >> >> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196 >> priority: 0 >> groups: lo >> inet6 ::1 prefixlen 128 >> inet6 fe80::1%lo0 prefixlen 64 
scopeid 0x5 >> inet 127.0.0.1 netmask 0xff000000 >> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 >> lladdr 00:18:8b:6c:4e:85 >> priority: 0 >> media: Ethernet autoselect (1000baseT >> full-duplex,rxpause,txpause) >> status: active >> inet 172.16.0.3 netmask 0xffffff00 broadcast 172.16.0.255 >> inet6 fe80::218:8bff:fe6c:4e85%bge0 prefixlen 64 scopeid 0x1 >> em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> >> mtu 1500 >> lladdr 00:04:23:e3:c7:92 >> priority: 0 >> groups: egress >> media: Ethernet autoselect (100baseTX >> full-duplex,rxpause,txpause) >> status: active >> inet 192.168.5.3 netmask 0xffffff00 broadcast 192.168.5.255 >> inet6 fe80::204:23ff:fee3:c792%em0 prefixlen 64 scopeid 0x2 >> em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> >> mtu 1500 >> lladdr 00:04:23:e3:c7:93 >> priority: 0 >> media: Ethernet autoselect (1000baseT >> full-duplex,rxpause,txpause) >> status: active >> inet 10.5.5.3 netmask 0xffffff00 broadcast 10.5.5.255 >> inet6 fe80::204:23ff:fee3:c793%em1 prefixlen 64 scopeid 0x3 >> enc0: flags=41<UP,RUNNING> >> priority: 0 >> groups: enc >> status: active >> pfsync0: flags=41<UP,RUNNING> mtu 1500 >> priority: 0 >> pfsync: syncdev: bge0 maxupd: 128 defer: off >> groups: carp pfsync >> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196 >> priority: 0 >> groups: pflog >> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 >> lladdr 00:00:5e:00:01:01 >> priority: 0 >> carp: BACKUP carpdev em1 vhid 1 advbase 1 advskew 100 >> groups: carp >> status: backup >> inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6 >> inet 10.5.5.1 netmask 0xffffff00 broadcast 10.5.5.255 >> carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 >> lladdr 00:00:5e:00:01:02 >> priority: 0 >> carp: MASTER carpdev em0 vhid 2 advbase 1 advskew 100 >> groups: carp >> status: master >> inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7 >> inet 192.168.5.1 netmask 
0xffffff00 broadcast 192.168.5.255