On Fri, Mar 17, 2006 at 03:41:01PM -0500, Steven S wrote:
> Adam D. Morley wrote:
> > On Fri, Mar 17, 2006 at 02:35:55PM -0500, Steven S wrote:
> >> Adam D. Morley wrote:
> ...
> >> Thanks, this is helpful.  The settings on the FW's are as above.  An
> >> incorrect setting (above) would seem to make it not work -- as
> >> opposed to 
> > 
> > Ok.  But mine works and yours doesn't?
> > 
> >> what I'm seeing.  Sometimes FW2 takes over as MASTER for some
> >> interfaces, but FW1 never moves to BACKUP.  I do have
> >> net.inet.carp.preempt=1 set on FW1, but not FW2.
> > 
> > You're supposed to set preempt on both, iirc.
> 
> With both firewalls set to preempt=1 I had a common DMZ switch get shut-off.
> Both FW's went to a carp skew of 240.  They had a MASTER fight.  By setting
> one with preempt=1 and the other with preempt=0, I avoid this.  

This is likely because one of the firewalls does not have a pass rule for
carp packets.  I have seen this happen before, especially when adding a
new carp interface and not updating ext_ints.

> 
> >> As another experiment I moved advbase on FW2 to '2' for all carps,
> >> but the 
> > 
> > base is how often.  skew is priority.
> 
> Sort of...  'man ifconfig' Says,

Sort of, yes, but for the purposes of pre-empted pf-walls, it's a very
convenient simplification.

> 
> "Taken together the advbase and advskew indicate how frequently, in seconds,
> the host will advertise the fact that it considers itself master of the
> virtual host.  The formula is advbase + (advskew / 256).  If the master does
> not advertise within three times this interval, this host will begin
> advertising as master."

Yes, I have read man ifconfig.  ;-)

> 
> So if I set FW1 with 1/0 and FW2 at 2/180, FW1 advertises every one second.
> If FW2 hasn't heard a carp advertisement in 2.7*3=8.1 seconds it will take
> over.  When FW1 returns, it will start advertising once/sec.  As noted in my
> OP, this doesn't seem to happen on my FW pair.

Well, FW1 expects FW2 to advertise as master within 3 seconds, and it's
advertising every 2.7 seconds.  This is pretty close, though it should be
more than enough time.  It would be "irrelevant" if one had default master
status (preempt on, on both), but that's not the case in your setup.

Out of curiosity, why are you twiddling advbase?  Do you have some 
high-latency serial lines in there or something?  Are you attempting to
get longer detection intervals in case fw1 is not actually down, but fw2
thinks it is?  If it's the latter, then that's not what it's for.

Personally, I would keep advbase the same on both hosts and twiddle advskew, 
set preempt (on both), and see what happens.  If something goes wrong, then 
it's likely a missing pass rule for carp packets.

-- 
adam

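A worked model of the timing the two replies argue over (the ifconfig(8) formula, the 1/0 vs 2/180 pair, and the "both at skew 240" fight). This is an added illustration, not code from the thread or from OpenBSD. It implements only the formula quoted above; it assumes, as Adam's reading does, that a host's master-down timeout is three times its *own* advbase + advskew/256, and that a preempting host takes over only when it advertises more often than the current master. Equal schedules are reported as a tie; how real CARP breaks such ties is not modelled.

```python
"""Model of the CARP advertisement timing discussed in the thread.

Added illustration, not code from the thread or from OpenBSD.  It
implements only the ifconfig(8) formula quoted in the thread:

    interval            = advbase + advskew / 256   (seconds)
    master-down timeout = 3 * interval              (on the listening host)

Assumptions not stated on the page: the timeout is computed from the
listening host's own advbase/advskew, and a host with preempt set takes
over only if it advertises more often than the current master.  Equal
timings are returned as a tie (None); real CARP tie-breaking is outside
this model.
"""
from dataclasses import dataclass
from typing import Optional

FIGHT_SKEW = 240  # the skew value the thread reports both firewalls showing


@dataclass(frozen=True)
class CarpHost:
    name: str
    advbase: int            # 1..254 seconds
    advskew: int            # 0..254
    preempt: bool = False   # net.inet.carp.preempt on this host

    def __post_init__(self) -> None:
        if not (1 <= self.advbase <= 254 and 0 <= self.advskew <= 254):
            raise ValueError(f"{self.name}: advbase/advskew out of range")

    def interval(self) -> float:
        """Seconds between this host's own master advertisements."""
        return self.advbase + self.advskew / 256

    def master_down_timeout(self) -> float:
        """Silence from the master this host tolerates before claiming MASTER."""
        return 3 * self.interval()


def listen_margin(listener: CarpHost, master: CarpHost) -> float:
    """Slack between the master's advertisement period and the listener's timeout.

    Close to zero means a single delayed or dropped advertisement is
    enough for the listener to start advertising itself.
    """
    return listener.master_down_timeout() - master.interval()


def would_preempt(challenger: CarpHost, master: CarpHost) -> Optional[bool]:
    """Whether `challenger` takes MASTER away from a healthy `master`.

    None when both advertise on the same schedule: this model cannot pick
    a winner, which is the state when both firewalls sit at skew 240.
    """
    if not challenger.preempt:
        return False
    if challenger.interval() == master.interval():
        return None
    return challenger.interval() < master.interval()


def thread_scenario() -> dict:
    """Numbers for the configuration in the thread: FW1 at 1/0, FW2 at 2/180."""
    fw1 = CarpHost("FW1", advbase=1, advskew=0, preempt=True)
    fw2 = CarpHost("FW2", advbase=2, advskew=180, preempt=False)
    return {
        "fw2_takeover_after": fw2.master_down_timeout(),     # 8.109375 s of FW1 silence
        "fw1_expects_within": fw1.master_down_timeout(),     # 3.0 s
        "fw1_margin_listening_to_fw2": listen_margin(fw1, fw2),  # 0.296875 s: "pretty close"
        "fw1_preempts_fw2": would_preempt(fw1, fw2),         # True
    }


def fight_pair() -> Optional[bool]:
    """Both hosts at skew 240 with preempt on: no winner in this model."""
    a = CarpHost("FW1", 1, FIGHT_SKEW, preempt=True)
    b = CarpHost("FW2", 1, FIGHT_SKEW, preempt=True)
    return would_preempt(a, b)


if __name__ == "__main__":
    for key, value in thread_scenario().items():
        print(f"{key}: {value}")
    print("both at skew 240, preempt on both:", fight_pair())
```

The margin figure is the point of the reply: with FW1 at 1/0 listening to FW2 at 2/180, only about 0.3 s separates FW2's period from FW1's timeout, whereas keeping advbase equal and varying only advskew keeps that margin in the seconds.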