Adam D. Morley wrote:
...
> Have you checked:
>
> - carp settings in sysctl?
> - carp pass rules (and ordering) in pf.conf (if you have default
>   deny)?
> - that you have advskew set "right" on the backup firewall?
>
> # grep carp /etc/sysctl.conf
> net.inet.carp.allow=1      # allow incoming CARP packets
> net.inet.carp.preempt=1    # failover all CARP interfaces if one fails
>
> # grep carp /etc/pf.conf
> pass quick on $ext_ints proto carp keep state
> pass on $int_phys proto carp keep state
> pass on $int_vlan proto carp keep state
>
> # cat /etc/hostname.carp1
> vhid 1 advskew 100 pass XXXX
> inet XXX 0xffffff00
Thanks, this is helpful. The settings on the FWs are as above. An incorrect setting (above) would seem to make it not work -- as opposed to what I'm seeing. Sometimes FW2 takes over as MASTER for some interfaces, but FW1 never moves to BACKUP. I do have net.inet.carp.preempt=1 set on FW1, but not FW2.

As another experiment I moved advbase on FW2 to '2' for all carps, but the mysterious BACKUP-->MASTER transition still occurred on FW2 (thinking back, I did this with a reboot of FW2, which restarted ntpd). Perhaps I'll try again without starting ntpd.

-Steve S.
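Added example, not part of the thread above: a small sh/awk script that takes `ifconfig carp` output from both firewalls and reports, per vhid, the two conditions discussed in this thread: a vhid that is MASTER on both peers at once (the "FW2 takes over but FW1 never moves to BACKUP" case), and a vhid that is MASTER on the peer with the higher advskew, which is only a fault when preempt is expected to pull it back. The function names (carp_table, carp_check) and the two ifconfig samples are mine and constructed for the example; they follow the `carp: STATE carpdev X vhid N advbase A advskew S` line format that OpenBSD's ifconfig prints, but are not captured from the poster's firewalls.

```shell
#!/bin/sh
# Added example (not from the original thread). Compare the CARP state of two
# peers and flag split-brain and "wrong peer is master" conditions per vhid.

# Constructed sample output of `ifconfig carp` on peer A (the intended master,
# advskew 0) and peer B (the intended backup, advskew 100). Not real captures.
FW1_IFCONFIG='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em2 vhid 3 advbase 1 advskew 0
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255'

FW2_IFCONFIG='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 2 advskew 100
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 2 advskew 100
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em2 vhid 3 advbase 2 advskew 100
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255'

# carp_table: read ifconfig text on stdin, print one line per carp interface:
#   "<iface> <vhid> <STATE> <advskew>"
carp_table() {
    awk '
        /^carp[0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "carp:" {
            vhid = ""; skew = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "vhid")    vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            print iface, vhid, $2, skew
        }'
}

# carp_check PEER_A_IFCONFIG PEER_B_IFCONFIG: print one line per vhid that is
# in a suspicious state; print nothing for a healthy master/backup pair.
carp_check() {
    {
        printf '%s\n' "$1" | carp_table | sed 's/^/A /'
        printf '%s\n' "$2" | carp_table | sed 's/^/B /'
    } | awk '
        {
            peer = $1; vhid = $3
            state[peer, vhid] = $4
            skew[peer, vhid]  = $5 + 0
            if (!(vhid in seen)) { seen[vhid] = 1; order[++n] = vhid }
        }
        END {
            for (k = 1; k <= n; k++) {
                v = order[k]
                a = state["A", v]; b = state["B", v]
                if (a == "MASTER" && b == "MASTER")
                    print "vhid " v ": MASTER on both peers (split-brain)"
                else if (a == "" || b == "")
                    print "vhid " v ": configured on only one peer"
                else if (a == "BACKUP" && b == "BACKUP")
                    print "vhid " v ": BACKUP on both peers (no master)"
                # The next two only matter when preempt is expected to hand
                # the vhid back to the lower-advskew peer.
                else if (b == "MASTER" && skew["A", v] < skew["B", v])
                    print "vhid " v ": MASTER on peer B although peer A has the lower advskew"
                else if (a == "MASTER" && skew["B", v] < skew["A", v])
                    print "vhid " v ": MASTER on peer A although peer B has the lower advskew"
            }
        }'
}

# Stand-alone run: on the samples above, vhid 1 is healthy, vhid 2 is
# split-brain, and vhid 3 sits on the higher-advskew peer.
carp_check "$FW1_IFCONFIG" "$FW2_IFCONFIG"
```

In practice you would feed it `ssh fw1 ifconfig carp` and `ssh fw2 ifconfig carp` captured at the same moment; a vhid that shows MASTER on both peers means the two are not hearing each other's advertisements on that interface (pf rules, net.inet.carp.allow, or a real link problem), which is a different fault from a preempt or advskew mismatch, and this split tells the two apart.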