problem with multiple carp interfaces not syncing properly

Thu, 28 Jul 2005 10:21:14 -0700

I have a pair of openbsd 3.7-release firewalls that i have setup with pfsync and carp according to Ryan's (and other's) docs. They are in a dummy test environment as follows:
I have 2 carp interfaces carp0 and carp1 on each box, 0 talks to the 'outside' which is a switch, 1 talks to an 'internal' hub. the machines are pfsyncing over a crossover cable. 


I have one machine on the 'inside' network that i am sftping files to  
and from to test the fail-over methods. currently i have been unable  
to keep such a stateful connection (sftp transfer) during a complete  
reboot cycle. i have gotten the following two scenarios fairly close:



#1 both boxes are configured with an advskew of 0 and an advbase of  
1, both have net.inet.carp.preempt=0


   box1 is master on both carp interfaces, box2 is backup
   reboot box1, box2 becomes master

    ** as box 1 goes down, right when box 2 takes over, the  
connection stalls from anywhere from 1 second up to like 30 seconds.  
pinging the box behind the firewalls shows but the sftp transfer  
stalls, and either recovers or never recovers at a somewhat random rate.

   box1 comes back up, as a slave box 2 is still the master



#2 both boxes are configured with advbsse of 1, advskew on box1 is 0,  
and box2 is 100, and net.inet.carp.preempt=1


   box1 is master on both carp interfaces, box2 is backup
   reboot box 1, box 2 becomes master
   box 1 comes back up.

   right when box 1 starts advertising over the pfsync interface it  
begins to takeover as master, however it does not do this cleanly.
      it will grab the carp1 interface immediately as master, carp0  
will lag for approx 15 seconds and be backup.



      i assume that the 15 seconds of lag is due to the switch  
lagging on arp handling, i am using a dell powerconnect 24 port  
managed switch with default values for this test.



      according to documentation net.inet.carp.preempt=1 will  
advertise an advskew of 240 if one interface fails... in which case  
it should pass all carp priority to the other box, this is not the  
case, in some tests the master / backup state lasts for several  
minutes, and rarely will stay permenently. shouldn't the above sysctl  
require one box to either have all master or all backup?


please advise!

- mike

 
       













    











					Reply via email to