hello, > I noticed in your original email that fw2 had advskews of 10's and > 100's. This suggests that CARP may not be setup the way you think it > is (based on the asvskew 240 in the hostname files).
The difference appear, when I have testing various configurations. Now I have advskew equal on all carp interfaces. > BTW, if carp detects an interface failure it sets it's advskew to 240, > in this case your secondary will still not preempt the primary. I'd > suggest setting your advskew on the secondary a little lower (I > usually put mine at 10 for primary and 100 for secondary). ok, so I have changed my configuration on fw2 with advskew 100. But with no positive results. Still on fw2 I have: # ifconfig -a | grep BACKUP | wc -l 11 # ifconfig -a | grep MASTER | wc -l 37 # ifconfig -a | grep BACKUP carp: BACKUP carpdev em2 vhid 1 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 2 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 11 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 19 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 20 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 28 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 29 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 38 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 39 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 46 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 47 advbase 1 advskew 100 But when I have shut down fw1, all of carp interfaces on fw2 changed state to MASTER. So this works well. Unfortunately after fw1 came up, only few interfaces switch to BACKUP state: # ifconfig -a | grep BACKUP | wc -l 11 # ifconfig -a | grep BACKUP carp: BACKUP carpdev em2 vhid 1 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 2 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 11 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 19 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 20 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 28 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 29 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 38 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 39 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 46 advbase 1 advskew 100 carp: BACKUP carpdev em0 vhid 47 advbase 1 advskew 100 Yes, I know, that this may looks like I have different carp configurations, but this is not true. I have check it. Today I have replaced realtek cards to Intel PRO/1000GT - only to dedicated pfsync traffic. I have also connect new crossover cable to these. But as before, situation doesn't change. In pf.conf I have enabled debug level to laud. In dmesg I can see: pf: state insert failed: tree_lan_ext lan: SOME_EXTERNAL_ADDR:52528 gwy: SOME_EXTERAL_ADDR:52528 ext: 192.168.0.109:443 (from sync) pf: state insert failed: tree_lan_ext lan: SOME_EXTERNAL_ADDR:52528 gwy: SOME_EXTERNAL_ADDR:52528 ext: 192.168.0.109:443 (from sync) pf: state insert failed: tree_lan_ext lan: 192.168.0.109:443 gwy: MY_CARP_ADDR:443 ext: SOME_EXTERNAL_ADDR:52528 (from sync) pfsync: ignoring stale update (2) id: 43bd58e800000e02 creatorid: 4f514703 pfsync: ignoring stale update (2) id: 43bd58e800000dff creatorid: 4f514703 pfsync: ignoring stale update (2) id: 43bd58e800000dfe creatorid: 4f514703 pfsync: partial stale update (7) id: 43bd58e800000dff creatorid: 4f514703 pfsync: partial stale update (7) id: 43bd58e800000dfe creatorid: 4f514703 I have also, change a little configuration of pfsync interface. I have added syncpeer parameter. fw1: # cat /etc/hostname.pfsync0 up syncpeer 172.16.1.2 syncdev em1 fw2: # cat /etc/hostname.pfsync0 up syncpeer 172.16.1.1 syncdev em1 But this change also don't help. best regards, Krzysztof Gibas.