On 2008-04-14, openbsd firewall <[EMAIL PROTECTED]> wrote:
> Some news about this... If I change vhid on the backup node this problem
> doesn't occur since the ARP for the master node is still in cache and
> backup node now has a different mac address for the carp interfaces. Of
> course changing vhid and IP doesn't give any trouble at all.
> It seems the backup node is messing with arp (maybe at switch level ???)
> when it's coming back!
> All switches are CISCO 2900 and 3500. Is there any recommended configuration
> for these switches?
I wonder if this could happen if broken interrupt routing means the backup doesn't see all the carp multicasts coming from the master, so you have multi-master and the firewalls fighting...

IME, with H8SSL-i (not i2, but they are fairly similar) the onboard NICs don't co-exist well with some PCI NICs, I disable them (there's a jumper on H8SSL-i)...

Also you mentioned unpatched 4.2 and pfsync, it doesn't affect this problem, but you most certainly do want the patch to fix erratum 004 if you run pfsync. Several of the others are worth having too.
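The multi-master ("firewalls fighting") condition suggested in the reply is easy to confirm from the nodes themselves: if more than one node reports MASTER for the same vhid, the backup is not seeing the master's advertisements. The script below is an added example, not part of the thread, that parses `ifconfig` CARP output collected from each node and reports any vhid claimed by more than one master. The node names, addresses and the output format (assumed to follow the OpenBSD 4.x-era `carp: STATE carpdev X vhid N ...` line) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `ifconfig carp` output as collected from two nodes.
# The line format is an assumption based on OpenBSD 4.x-era ifconfig;
# adjust the regexes if your release prints it differently.
NODE_OUTPUT = {
    "fw1": """carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
""",
    "fw2": """carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
""",
}

# Start of an interface stanza, e.g. "carp0: flags=..."
IFACE_RE = re.compile(r"^(carp\d+):")
# The CARP status line inside a stanza.
STATE_RE = re.compile(r"^\s+carp:\s+(\w+)\s+carpdev\s+(\S+)\s+vhid\s+(\d+)")


def parse_carp(text):
    """Map vhid -> (interface, state, carpdev) from one node's ifconfig output."""
    result = {}
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and iface:
            state, carpdev, vhid = m.group(1), m.group(2), int(m.group(3))
            result[vhid] = (iface, state, carpdev)
    return result


def find_split_brain(node_outputs):
    """Return {vhid: sorted node names} for every vhid claimed by >1 MASTER."""
    masters = defaultdict(list)
    for node, text in node_outputs.items():
        for vhid, (_iface, state, _dev) in parse_carp(text).items():
            if state == "MASTER":
                masters[vhid].append(node)
    return {v: sorted(n) for v, n in masters.items() if len(n) > 1}


if __name__ == "__main__":
    conflicts = find_split_brain(NODE_OUTPUT)
    if conflicts:
        for vhid, nodes in sorted(conflicts.items()):
            print(f"vhid {vhid}: multiple masters -> {', '.join(nodes)}")
    else:
        print("no multi-master vhids found")
```

In practice you would feed `find_split_brain` the output of `ifconfig carp` gathered from each node (over ssh, a cron job, or a monitoring agent) and alert on a non-empty result; a vhid that flaps between one and two masters is the pattern to look for when you suspect lost CARP advertisements, as in the interrupt-routing theory above.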