On Sep 26, 2005, at 7:19 PM, Steve Witucke wrote:
What happens when you make one router the master of both carp groups? I would assume that the issue mentioned above with pinging 20.1 and 30.1 goes away. Does your traffic stalling issue also go away?
If I, for example, set 20.1 down (ifconfig carp3 down on hobbes) and the other interface (30.1 on hobbes) is already in backup, then yes, my traffic problem goes away because all the traffic is now being routed through one box (calvin).
FYI -- I set up a two node HA firewall using obsd/pf/pfsync/carp in a lab environment. Each fw has 3 physical interfaces and 2 carp interfaces, one for untrusted and one for trusted. I noticed in my testing that if I 'ifconfig carp0 down' on the master firewall, which was master for both carp interfaces at the time, the backup firewall does _not_ take over for both carp interfaces. Rather, each firewall has a master and a backup carp interface; in other words my firewall is now dead, from a packet routing perspective. Since neither physical firewall has a full path, each has half of the path: one can get to the outside and one can get to the inside. :(
This makes sense to me. Since the carp interfaces are virtual, they should never fail, while the physical interfaces they are associated with could/may fail. If I take down the physical interface associated with a carp interface, then both (or I guess rather all) carp interfaces on that box fail to the next available host. I'm also using net.inet.carp.preempt=1, which is required so that all carp interfaces on a given physical host fail (advskew = 240) when one carp interface "fails", i.e. the physical interface associated with it fails.
Hope this helps,
Chad
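The two failure cases Chad describes (a virtual carp interface taken down by hand versus a physical interface losing carrier, with and without net.inet.carp.preempt=1) are easy to misread without a concrete picture, so here is a small simulation of the election outcome. It is an added illustration written for this thread, not OpenBSD code and not from anyone on the list: it models only the advskew comparison and the preempt demotion rule (every carp interface on a host advertises advskew 240 once one of that host's physical interfaces is down). Host names calvin and hobbes, the interface names em0/em1, the vhids and the advskew values are constructed for the example.

```python
"""Simplified model of CARP group failover on a two-node firewall.

Constructed illustration: two hosts, two carp groups (vhid 1 = untrusted,
vhid 2 = trusted), each carp interface attached to one physical interface.
The master for a vhid is the host advertising the lowest advskew; a host
that cannot advertise (virtual interface down, or carrier lost on the
parent physical interface) is not a candidate at all.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEMOTED_ADVSKEW = 240  # advskew carp(4) applies under preempt when a link on the host fails


@dataclass
class CarpIf:
    vhid: int
    phys: str            # parent physical interface (constructed name)
    advskew: int         # configured advskew; lower wins the election
    admin_up: bool = True  # False after 'ifconfig carpN down'


@dataclass
class Host:
    name: str
    carp: Dict[str, CarpIf] = field(default_factory=dict)    # "carp0" -> CarpIf
    link_up: Dict[str, bool] = field(default_factory=dict)   # "em0" -> carrier present

    def effective_advskew(self, ifname: str, preempt: bool) -> Optional[int]:
        """Advskew this host advertises for ifname, or None if it cannot advertise."""
        cif = self.carp[ifname]
        if not cif.admin_up or not self.link_up[cif.phys]:
            return None                   # no advertisements leave this interface
        if preempt and not all(self.link_up.values()):
            return DEMOTED_ADVSKEW        # group demotion: applies to every carp if on the host
        return cif.advskew


def elect_masters(hosts: List[Host], preempt: bool) -> Dict[int, Optional[str]]:
    """Return {vhid: master host name}; lowest effective advskew wins, ties by host name."""
    result: Dict[int, Optional[str]] = {}
    vhids = sorted({c.vhid for h in hosts for c in h.carp.values()})
    for vhid in vhids:
        candidates = []
        for h in hosts:
            for ifname, cif in h.carp.items():
                if cif.vhid != vhid:
                    continue
                skew = h.effective_advskew(ifname, preempt)
                if skew is not None:
                    candidates.append((skew, h.name))
        result[vhid] = min(candidates)[1] if candidates else None
    return result


def full_path(masters: Dict[int, Optional[str]]) -> bool:
    """True only when a single host is master of every group and so can forward end to end."""
    owners = set(masters.values())
    return len(owners) == 1 and None not in owners


def build_lab() -> List[Host]:
    # calvin is the preferred master on both sides (advskew 0), hobbes the backup (100).
    calvin = Host("calvin",
                  {"carp0": CarpIf(1, "em0", 0), "carp1": CarpIf(2, "em1", 0)},
                  {"em0": True, "em1": True})
    hobbes = Host("hobbes",
                  {"carp0": CarpIf(1, "em0", 100), "carp1": CarpIf(2, "em1", 100)},
                  {"em0": True, "em1": True})
    return [calvin, hobbes]


def scenario_link_down(preempt: bool) -> Dict[int, Optional[str]]:
    """Carrier lost on calvin's untrusted-side physical interface."""
    hosts = build_lab()
    hosts[0].link_up["em0"] = False
    return elect_masters(hosts, preempt)


def scenario_carp_down(preempt: bool) -> Dict[int, Optional[str]]:
    """'ifconfig carp0 down' on calvin: only the virtual interface goes away."""
    hosts = build_lab()
    hosts[0].carp["carp0"].admin_up = False
    return elect_masters(hosts, preempt)


if __name__ == "__main__":
    for p in (False, True):
        m = scenario_link_down(p)
        print(f"preempt={int(p)} em0 link down on calvin: {m} full_path={full_path(m)}")
        m = scenario_carp_down(p)
        print(f"preempt={int(p)} carp0 admin down on calvin: {m} full_path={full_path(m)}")
```

Running it shows the split Chad saw: with preempt off, losing em0 on calvin moves only vhid 1 to hobbes while calvin keeps vhid 2, so neither box has a full path; with preempt on, calvin demotes both groups to 240 and hobbes takes both. Taking the virtual carp0 down by hand never triggers the demotion in either mode, because no physical interface has failed, which is why that test alone does not exercise the preempt behaviour.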