Re: CARP problem
Did you check layer 2 connectivity? It seems the secondary firewall does not receive any carp packet.

Mike

-------- Original message --------
Subject: CARP problem
From: Jeff
To: misc@openbsd.org
Cc:

> I've been using CARP for years and it's always done exactly what I wanted and expected. We recently added a second ISP and another NIC to each of our firewalls. Each firewall now has 3 NICs and three CARP interfaces. The original two are working fine, but the third CARP interface (carp2) shows up as MASTER on both the primary and failover firewalls. I have verified password, vhid and pf.conf and still can't figure out what I might have done wrong. Both firewalls have net.inet.carp.preempt=1.
>
> Here is some output from tcpdump:
>
> firewall-master
> 10:34:01.697488 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:01.975823 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
> 10:34:02.767475 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:03.375808 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
> 10:34:03.837465 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:04.776092 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
> 10:34:04.907466 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:05.977465 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:06.176254 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
>
> firewall-backup
> 10:34:42.225616 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:42.449469 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
> 10:34:43.295464 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:43.849458 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
> 10:34:44.365459 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
> 10:34:45.249484 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
> 10:34:45.435175 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
>
> Suggestions please? Thanks!
> --
CARP problem
I've been using CARP for years and it's always done exactly what I wanted and expected. We recently added a second ISP and another NIC to each of our firewalls. Each firewall now has 3 NICs and three CARP interfaces. The original two are working fine, but the third CARP interface (carp2) shows up as MASTER on both the primary and failover firewalls. I have verified password, vhid and pf.conf and still can't figure out what I might have done wrong. Both firewalls have net.inet.carp.preempt=1.

Here is some output from tcpdump:

firewall-master
10:34:01.697488 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:01.975823 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
10:34:02.767475 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:03.375808 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
10:34:03.837465 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:04.776092 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
10:34:04.907466 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:05.977465 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:06.176254 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]

firewall-backup
10:34:42.225616 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:42.449469 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
10:34:43.295464 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:43.849458 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
10:34:44.365459 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:45.249484 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
10:34:45.435175 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]

Suggestions please? Thanks!
--
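A way to put the two captures above next to the state each node reports, as an added example for this thread (not code from the original post): it parses the tcpdump CARP advertisement lines in the format shown, and for each node checks whether advertisements other than its own are arriving and whether the node is MASTER while a lower (better) advskew is visible on its carpdev. The capture snippets are copied from the post; the assignment of advskew 15 to firewall-master and 99 to firewall-backup is an assumption, as the post does not say which node sends which. Because tcpdump taps the interface before pf, a capture only proves the frame reached the interface, so the "arrive but not accepted" verdict covers both an inbound pf rule and a mismatch in the settings the two nodes must share.

```python
"""Cross-check CARP advertisements captured on each node against the state
each node reports for the same vhid. Added example, not code from the post."""
import re
from collections import defaultdict

# tcpdump(8) CARP advertisement line, in the format quoted in the post.
ADV_RE = re.compile(
    r"CARPv2-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+) demote=(?P<demote>\d+)"
)


def parse_adverts(capture):
    """Map vhid -> {advskew: number of advertisements seen} for one capture."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in capture.splitlines():
        m = ADV_RE.search(line)
        if m:
            seen[int(m["vhid"])][int(m["advskew"])] += 1
    return seen


def diagnose(nodes, vhid):
    """nodes: {host: {"state": "MASTER"|"BACKUP", "advskew": int, "capture": str}}.

    Returns (verdict, findings). Lower advskew wins the election, so a node
    that is MASTER while a lower advskew is arriving on its carpdev is the
    anomaly. tcpdump sees frames before pf, so a capture proves arrival only.
    """
    findings = []
    blind = []
    for host, node in nodes.items():
        skews = parse_adverts(node["capture"]).get(vhid, {})
        peers = sorted(s for s in skews if s != node["advskew"])
        if not peers:
            blind.append(host)
            findings.append(f"{host}: only its own advertisements (advskew "
                            f"{node['advskew']}) seen for vhid {vhid}")
            continue
        findings.append(f"{host}: sees peer advskew {peers}")
        if node["state"] == "MASTER" and min(peers) < node["advskew"]:
            findings.append(f"{host}: MASTER with advskew {node['advskew']} "
                            f"although advskew {min(peers)} is arriving")
    masters = [h for h, n in nodes.items() if n["state"] == "MASTER"]
    if blind:
        verdict = "no-peer-adverts"              # layer-2 path, VLAN, wrong carpdev
    elif len(masters) > 1:
        verdict = "adverts-arrive-not-accepted"  # inbound pf rule, or vhid/pass/address mismatch
    elif not masters:
        verdict = "no-master"
    else:
        verdict = "single-master"
    return verdict, findings


# Sample input: two lines per node copied from the post's captures.
CAPTURE_MASTER = """\
10:34:01.697488 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:01.975823 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
"""
CAPTURE_BACKUP = """\
10:34:42.225616 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]
10:34:42.449469 CARPv2-advertise 36: vhid=10 advbase=1 advskew=99 demote=0 (DF) [tos 0x10]
"""

# Assumption: the primary sends advskew 15 and the backup advskew 99; both
# report MASTER, as the poster described.
NODES = {
    "firewall-master": {"state": "MASTER", "advskew": 15, "capture": CAPTURE_MASTER},
    "firewall-backup": {"state": "MASTER", "advskew": 99, "capture": CAPTURE_BACKUP},
}

if __name__ == "__main__":
    verdict, findings = diagnose(NODES, vhid=10)
    print(verdict)
    for finding in findings:
        print(" ", finding)
```

With the post's data both nodes see both advskews, so the verdict is that the advertisements reach the interface but are not accepted: the next things to compare are the inbound pf rule for proto carp and the settings that must match on both nodes (vhid, pass, the address and netmask on the carp interface, and which physical interface the vhid is bound to).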
Re: Another carp problem.
On 01/06/2011 05:54 PM, Johan Fredin wrote:
> On 2 jan 2011, at 10:42, Alessandro Baggi wrote:
>> Hi list and happy new year to all. Now, I've solved this problem temporarily using ifstated, and master and backup work fine. For the pfsync NIC, in the past I used a dedicated NIC for pfsync, but now, since xl0 is for WAN, rl0 for LAN and rl1 for DMZ, I must use rl0 (only 3 NICs). I've read in the OpenBSD FAQ that we can use the same iface, but using IPsec. Best regards. For now it's only testing, but in future
>
> Hi Alessandro,
>
> As you say, it shouldn't be an issue to use a "non-dedicated" NIC for the pfsync/carp traffic. But your issue doesn't really have anything to do with pfsync, since it seems to be purely a carp issue. What do your PF rules look like for the carp traffic? I saw in an earlier post that you pass everything out, but are you also letting the carp traffic in on both nodes?
>
> /Johan

Hi Johan, for this problem I've reduced my pf.conf to:

pass in all
pass out all

on fw1 and fw2, and the carp interfaces communicate between them; same with the entire pf rule set. I've also tried to set the slave as master and vice versa, but the problem persists. I've solved this problem with ifstated, using "macro relevation": when an iface goes down, ifstated sets advskew to 254 (demoted) and my backup becomes the master. So it seems that preempt is not set to 1 on master and slave. Do you think the same? Thanks in advance
Re: Another carp problem.
On 01/02/2011 03:03 AM, Patrick Lamaiziere wrote:
> On Fri, 31 Dec 2010 18:09:40 +0100, Alessandro Baggi wrote:
>> To exclude also a pf rules problem, I've tried a rule set as:
>>
>> match...nat-to...
>> pass all
>>
>> but the problem persists. Other issue?
>
> Hmmm, OK, I don't know where the problem is. I've recently made a lot of tests with carp and pfsync without any problem (on 4.8/amd64). IMO it should work (but I don't use the carp peer option).
>
> One remark: you should use a dedicated interface for pfsync. In your setup, rl0 is shared by pfsync and carp1. This makes no sense.
>
> Best regards and happy new year to all.

Hi list and happy new year to all. Now, I've solved this problem temporarily using ifstated, and master and backup work fine. For the pfsync NIC, in the past I used a dedicated NIC for pfsync, but now, since xl0 is for WAN, rl0 for LAN and rl1 for DMZ, I must use rl0 (only 3 NICs). I've read in the OpenBSD FAQ that we can use the same iface, but using IPsec. Best regards. For now it's only testing, but in future
Re: Another carp problem.
Hi, happy new year to all. I am a little bit busy, but I can help you with the URL below. It may be useful.

http://www.pantz.org/software/carp/openbsdfirewallfailover.html

On Sun, Jan 2, 2011 at 7:33 AM, Patrick Lamaiziere wrote:
> On Fri, 31 Dec 2010 18:09:40 +0100, Alessandro Baggi wrote:
>> To exclude also a pf rules problem, I've tried a rule set as:
>>
>> match...nat-to...
>>
>> pass all
>>
>> but the problem persists.
>>
>> Other issue?
>
> Hmmm, OK, I don't know where the problem is.
>
> I've recently made a lot of tests with carp and pfsync without any problem (on 4.8/amd64). IMO it should work (but I don't use the carp peer option).
>
> One remark: you should use a dedicated interface for pfsync. In your setup, rl0 is shared by pfsync and carp1. This makes no sense.
>
> Best regards and happy new year to all.
>
> --

Thank you
Indunil Jayasooriya
Re: Another carp problem.
On Fri, 31 Dec 2010 18:09:40 +0100, Alessandro Baggi wrote:
> To exclude also a pf rules problem, I've tried a rule set as:
>
> match...nat-to...
>
> pass all
>
> but the problem persists.
>
> Other issue?

Hmmm, OK, I don't know where the problem is. I've recently made a lot of tests with carp and pfsync without any problem (on 4.8/amd64). IMO it should work (but I don't use the carp peer option).

One remark: you should use a dedicated interface for pfsync. In your setup, rl0 is shared by pfsync and carp1. This makes no sense.

Best regards and happy new year to all.
Re: Another carp problem.
On 12/31/2010 05:45 PM, Patrick Lamaiziere wrote:
> On Thu, 30 Dec 2010 19:58:21 +0100, Alessandro Baggi wrote:
>> these are my pf rules for carp and pfsync:
>>
>> pass in quick proto pfsync
>> pass in quick proto carp
>>
>> ..
>> block in all
>> ...
>
> And in output?

In output I've:

pass out all

To exclude also a pf rules problem, I've tried a rule set as:

match...nat-to...

pass all

but the problem persists. Other issue? Thanks in advance
Re: Another carp problem.
On Thu, 30 Dec 2010 19:58:21 +0100, Alessandro Baggi wrote:
> these are my pf rules for carp and pfsync:
>
> pass in quick proto pfsync
> pass in quick proto carp
>
> ..
> block in all
> ...

And in output?
Re: Another carp problem.
On 12/30/2010 08:43 PM, Johan Fredin wrote:
> On 30 dec 2010, at 19:58, Alessandro Baggi wrote:
>> Hi list. I've installed two firewalls, 1 master and 1 backup. Trying some tests to see if carp and pfsync work, I get this issue: fw master works, all network connections work, then I disconnect the external interface cable of fw1 and carp0 goes to INIT, carp1 to BACKUP and carp2 to BACKUP; on fw2, carp0, carp1 and carp2 become MASTER. After 5/10 seconds, still with the cable disconnected, carp0 of firewall 1 is in INIT, carp1 and carp2 return to MASTER, and on fw2 carp0 is MASTER and carp1, carp2 become BACKUP; and every 5/10 seconds fw1: carp0 INIT carp1 MASTER carp2 MASTER, after 5/10 seconds fw1 becomes carp0 INIT carp1 BACKUP carp2 BACKUP, and so on.
>
> [.. snip ..]
>
>> FW1 [MASTER]: net.inet.carp.preempt=1
>> FW2 [BACKUP]: net.inet.carp.preempt=0 (tried also with 1)
>
> [.. snip ..]
>
>> I don't understand why carp0, carp1 and carp2 switch every 5/10 sec between master and backup. Some issue?
>>
>> thanks in advance
>
> Afaik, the sysctl value net.inet.carp.preempt should be set to the same value on both nodes. Are you sure you see the same behavior if you set that value to 0 on both nodes, or alternatively to 1?
>
> /Johan

Hi Johan. Thanks for the reply. I've already tried to set net.inet.carp.preempt=1 on each firewall and the problem is the same. Now I've tried to set them to 0, and it seems to work. My question is, why does it not work when net.inet.carp.preempt is set to 1 on each firewall? From the OpenBSD FAQ:

net.inet.carp.preempt
Allow hosts within a redundancy group that have a better advbase and advskew to preempt the master. In addition, this option also enables failing over a group of interfaces together in the event that one interface goes down. If one physical CARP-enabled interface goes down, CARP will increase the demotion counter, carpdemote, by 1 on interface groups that the carp(4) interface is a member of, in effect causing all group members to fail-over together. net.inet.carp.preempt is 0 (disabled) by default.

Another issue: with preempt enabled, removing the $ext iface cable, carp0 goes to INIT and it must force carp(0/1/2) to go into backup mode. Why is there not this behaviour? With preemption disabled, if an interface goes down, do the group members fail over together? Another question: is it the same thing to set all firewalls to 1 and to 0? Preempt allows a fw that was master to become master again in front of the other backups, if it has better advbase and advskew than them; but if it is disabled, can the master without preempt not become master again without a carpdemote for the carp group? Is this the difference between 1 and 0? Thanks in advance.
Re: Another carp problem.
On 30 dec 2010, at 19:58, Alessandro Baggi wrote:
> Hi list. I've installed two firewalls, 1 master and 1 backup. Trying some tests to see if carp and pfsync work, I get this issue: fw master works, all network connections work, then I disconnect the external interface cable of fw1 and carp0 goes to INIT, carp1 to BACKUP and carp2 to BACKUP; on fw2, carp0, carp1 and carp2 become MASTER. After 5/10 seconds, still with the cable disconnected, carp0 of firewall 1 is in INIT, carp1 and carp2 return to MASTER, and on fw2 carp0 is MASTER and carp1, carp2 become BACKUP; and every 5/10 seconds fw1: carp0 INIT carp1 MASTER carp2 MASTER, after 5/10 seconds fw1 becomes carp0 INIT carp1 BACKUP carp2 BACKUP, and so on.

[.. snip ..]

> FW1 [MASTER]: net.inet.carp.preempt=1
> FW2 [BACKUP]: net.inet.carp.preempt=0 (tried also with 1)

[.. snip ..]

> I don't understand why carp0, carp1 and carp2 switch every 5/10 sec between master and backup. Some issue?
>
> thanks in advance

Afaik, the sysctl value net.inet.carp.preempt should be set to the same value on both nodes. Are you sure you see the same behavior if you set that value to 0 on both nodes, or alternatively to 1?

/Johan
Another carp problem.
Hi list. I've installed two firewalls, 1 master and 1 backup. Trying some tests to see if carp and pfsync work, I get this issue: fw master works, all network connections work, then I disconnect the external interface cable of fw1 and carp0 goes to INIT, carp1 to BACKUP and carp2 to BACKUP; on fw2, carp0, carp1 and carp2 become MASTER. After 5/10 seconds, still with the cable disconnected, carp0 of firewall 1 is in INIT, carp1 and carp2 return to MASTER, and on fw2 carp0 is MASTER and carp1, carp2 become BACKUP; and every 5/10 seconds fw1: carp0 INIT carp1 MASTER carp2 MASTER, after 5/10 seconds fw1 becomes carp0 INIT carp1 BACKUP carp2 BACKUP, and so on. Then:

State before cable disconnection:
fw1                 fw2
carp0: MASTER       carp0: BACKUP
carp1: MASTER       carp1: BACKUP
carp2: MASTER       carp2: BACKUP

State after cable disconnection:
fw1                 fw2
carp0: INIT         carp0: MASTER
carp1: BACKUP       carp1: MASTER
carp2: BACKUP       carp2: MASTER

State after 5/10 seconds, still with the cable disconnected:
fw1                 fw2
carp0: INIT         carp0: MASTER
carp1: MASTER       carp1: BACKUP
carp2: MASTER       carp2: BACKUP

After another 5/10 seconds with the cable disconnected:
fw1                 fw2
carp0: INIT         carp0: MASTER
carp1: BACKUP       carp1: MASTER
carp2: BACKUP       carp2: MASTER

After another 5/10 seconds without cable:
fw1                 fw2
carp0: INIT         carp0: MASTER
carp1: MASTER       carp1: BACKUP
carp2: MASTER       carp2: BACKUP

and so on...

These are my pf rules for carp and pfsync:

pass in quick proto pfsync
pass in quick proto carp
..
block in all
...

FW1 [MASTER]: net.inet.carp.preempt=1
FW2 [BACKUP]: net.inet.carp.preempt=0 (tried also with 1)

And this is my ifconfig.

IFCONFIG FW1:
lo0: flags=8049 mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8b43 mtu 1500
        lladdr 00:10:5a:2e:0f:9e
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.84 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::210:5aff:fe2e:f9e%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8b43 mtu 1500
        lladdr 00:1d:0f:c4:0c:1d
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.1.1.5 netmask 0x broadcast 10.1.255.255
        inet6 fe80::21d:fff:fec4:c1d%rl0 prefixlen 64 scopeid 0x2
rl1: flags=8b43 mtu 1500
        lladdr 00:1d:0f:c4:17:cb
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.2.4 netmask 0xff00 broadcast 172.16.2.255
        inet6 fe80::21d:fff:fec4:17cb%rl1 prefixlen 64 scopeid 0x3
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pfsync0: flags=41 mtu 1500
        priority: 0
        pfsync: syncdev: rl0 maxupd: 128 defer: off
        groups: carp pfsync
pflog0: flags=141 mtu 33200
        priority: 0
        groups: pflog
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: MASTER carpdev xl0 vhid 1 advbase 1 advskew 0 carppeer 192.168.1.85
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
        inet 192.168.1.33 netmask 0xff00 broadcast 192.168.1.255
carp1: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:02
        priority: 0
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 0 carppeer 10.1.1.6
        groups: carp
        status: master
        inet 10.1.1.1 netmask 0x broadcast 10.1.255.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x7
carp2: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:03
        priority: 0
        carp: MASTER carpdev rl1 vhid 3 advbase 1 advskew 0 carppeer 172.16.2.5
        groups: carp
        status: master
        inet 172.16.2.1 netmask 0xff00 broadcast 172.16.2.255
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0x8

IFCONFIG FW2:
lo0: flags=8049 mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8b43 mtu 1500
        lladdr 00:50:04:50:fe:c3
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.85 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::250:4ff:fe50:fec3%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8b43 mtu 1500
        lladdr 00:1d:0f:c4:3f:8e
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.1.1.6 netmask 0x broadcast 10.1.255.255
        inet6 fe80::21d:fff:fec4:3f8e%rl0 prefixlen 64 scopeid 0x2
rl1: flags=8b43 mtu 1500
        lladdr 00:13:46:28:7f:db
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.2.5 netmask 0xff
Re: CARP problem : slave rioting
Hello,

I found the cause of the problem: the CARP interface was configured with a /24 mask on the master, and a /25 mask on the slaves. With consistent masks everything works like a charm now.

--
Regards,
Pierre BARDOU

-----Original message-----
From: BARDOU Pierre
Sent: Monday 29 June 2009 10:12
To: 'uday'
Cc: misc@openbsd.org
Subject: RE: CARP problem : slave rioting

Hello,

I thought it had to be unique _on the same network segment_, but not necessarily on the same machine. And everything works again since I moved the firewalls off the backbone (2*procurve 5400zl, 1 firewall on each) to another switch (1*procurve 3400cl, 2 firewalls on it). But everything seems to be configured identically on those two switches, and the error log of the 5400zl shows nothing about the ports where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description "Internet"
217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description "DMZ Internet"

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description "Internet"
217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description "DMZ Internet"

They also run like a charm!? I have run out of ideas about the cause of the problem.

--
Regards,
Pierre BARDOU

-----Original message-----
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday 26 June 2009 21:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Pierre,

If I'm not mistaken the vhid on all your carp interfaces is the same value. I would suggest you use a unique value for each group. From the man:

The Virtual Host ID. This is a unique number that is used to identify the redundancy group to other nodes on the network. Acceptable values are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

"Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.

On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierre wrote:
> Hello,
>
> CARP is configured using a script. Here it is (truncated version):
>
> ifconfig carp5 create
> ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description "LAN"
>
> ifconfig carp2 create
> ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
>
> ifconfig carp3 create
> ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"
>
> ifconfig carp12 create
> ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"
>
> ifconfig carp13 create
> ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"
>
> ifconfig carp4 create
> ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
> ifconfig carp4 alias 217.109.108.1/24
>
> ifconfig carp14 create
> ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description "Internet"
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original message-----
> From: uday [mailto:umoorjani@gmail.com]
> Sent: Friday 26 June 2009 12:21
> To: BARDOU Pierre
> Cc: misc@openbsd.org
> Subject: Re: CARP problem : slave rioting
>
> Can you post configuration files for the carp interfaces?
>
> "Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.
>
> On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre wrote:
>> Hello,
>>
>> I have a setup with 2 openBSD boxes used as firewalls; redundancy is made using CARP.
>> Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
>> Master's advskew is 10, slave's is 50.
>> All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
>> * on the net interface, the backup becomes master, but the master remains master -> Nearly half of the packets are lost
>> I did a tcpdump on the slave's interface; carp packets from the master arrive. But it remains master!
>> Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
>> Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
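The root cause found above was a netmask that differed between the two nodes, and an earlier reply in the thread questioned reusing vhid 10 on every carp interface. The following checker is an added example (not code from the thread): it parses "ifconfig carpN ..." lines like the script quoted above into per-interface settings, reports the per-interface differences between a master and a backup configuration (vhid, pass, network/prefix length, and an advskew that is identical on both nodes), and lists vhids shared by several interfaces on one node. The two sample configurations are constructed from the quoted script with $1 and $PASS filled in (advskew 10 and 50 as the original post states, the password from the hostname.carp lines); placing the /24-versus-/25 mismatch on carp4's alias, and using 217.109.108.243/28 for carp14, are illustrative assumptions, since the thread does not say which interface had the wrong mask.

```python
"""Compare the CARP configuration of two nodes and flag the mismatches that
the thread above ran into. Added example, not code from the thread."""
import ipaddress
import shlex
from collections import defaultdict


def parse_carp_script(text):
    """Parse 'ifconfig carpN ...' lines into {ifname: settings}.

    Recognised: vhid N, advskew N, pass P, description D, carpdev IF, and
    bare addr/prefix tokens (also after 'alias'); other tokens are skipped.
    """
    ifaces = {}
    for raw in text.splitlines():
        toks = shlex.split(raw, comments=True)
        if len(toks) < 3 or toks[0] != "ifconfig" or not toks[1].startswith("carp"):
            continue
        cfg = ifaces.setdefault(
            toks[1], {"vhid": None, "advskew": None, "pass": None, "addrs": []})
        args = toks[2:]
        i = 0
        while i < len(args):
            tok = args[i]
            if tok in ("vhid", "advskew") and i + 1 < len(args):
                cfg[tok] = int(args[i + 1])
                i += 2
            elif tok in ("pass", "description", "carpdev") and i + 1 < len(args):
                cfg[tok] = args[i + 1]
                i += 2
            elif "/" in tok:
                cfg["addrs"].append(ipaddress.ip_interface(tok))
                i += 1
            else:  # create, alias, up, ...
                i += 1
    return ifaces


def duplicate_vhids(node):
    """vhid -> carp interfaces on this node that share it.

    Only a conflict when those interfaces sit on the same layer-2 segment,
    which is the point the reply about unique vhids raised."""
    by_vhid = defaultdict(list)
    for name, cfg in node.items():
        by_vhid[cfg["vhid"]].append(name)
    return {v: names for v, names in by_vhid.items() if len(names) > 1}


def compare_nodes(master, backup):
    """Per-interface settings that must agree between the two nodes."""
    problems = []
    for name in sorted(set(master) | set(backup), key=lambda n: int(n[4:])):
        m, b = master.get(name), backup.get(name)
        if m is None or b is None:
            problems.append(f"{name}: configured on one node only")
            continue
        for key in ("vhid", "pass"):
            if m[key] != b[key]:
                problems.append(f"{name}: {key} differs ({m[key]} vs {b[key]})")
        m_nets = [str(a.network) for a in m["addrs"]]
        b_nets = [str(a.network) for a in b["addrs"]]
        if m_nets != b_nets:
            problems.append(f"{name}: network/netmask differs ({m_nets} vs {b_nets})")
        if m["advskew"] == b["advskew"]:
            problems.append(f"{name}: same advskew {m['advskew']} on both nodes")
    return problems


# Constructed sample, derived from the script quoted in the thread; the
# prefix length on carp4's alias is where the /24 vs /25 mismatch is placed.
SCRIPT = """\
ifconfig carp5 create
ifconfig carp5 vhid 10 advskew {skew} pass mipih31 10.31.0.254/16 description "LAN"
ifconfig carp2 create
ifconfig carp2 vhid 10 advskew {skew} pass mipih31 193.57.199.254/24 description "DMZ 1"
ifconfig carp3 create
ifconfig carp3 vhid 10 advskew {skew} pass mipih31 10.193.57.254/24 description "DMZ 2"
ifconfig carp4 create
ifconfig carp4 vhid 10 advskew {skew} pass mipih31 10.60.0.254/24 description "DMZ Internet"
ifconfig carp4 alias 217.109.108.1/{dmz_plen}
ifconfig carp14 create
ifconfig carp14 vhid 10 advskew {skew} pass mipih31 217.109.108.243/28 description "Internet"
"""
MASTER = parse_carp_script(SCRIPT.format(skew=10, dmz_plen=24))
BACKUP = parse_carp_script(SCRIPT.format(skew=50, dmz_plen=25))

if __name__ == "__main__":
    for problem in compare_nodes(MASTER, BACKUP):
        print(problem)
    for vhid, names in duplicate_vhids(MASTER).items():
        print(f"vhid {vhid} shared by {', '.join(names)}")
```

Run against the two constructed configurations it reports only carp4 (217.109.108.0/24 against 217.109.108.0/25) plus the shared vhid 10, which is what the thread ended up checking by hand.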
Re: CARP problem : slave rioting
Hello,

I thought it had to be unique _on the same network segment_, but not necessarily on the same machine. And everything works again since I moved the firewalls off the backbone (2*procurve 5400zl, 1 firewall on each) to another switch (1*procurve 3400cl, 2 firewalls on it). But everything seems to be configured identically on those two switches, and the error log of the 5400zl shows nothing about the ports where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description "Internet"
217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description "DMZ Internet"

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description "Internet"
217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description "DMZ Internet"

They also run like a charm!? I have run out of ideas about the cause of the problem.

--
Regards,
Pierre BARDOU

-----Original message-----
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday 26 June 2009 21:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Pierre,

If I'm not mistaken the vhid on all your carp interfaces is the same value. I would suggest you use a unique value for each group. From the man:

The Virtual Host ID. This is a unique number that is used to identify the redundancy group to other nodes on the network. Acceptable values are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

"Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.

On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierre wrote:
> Hello,
>
> CARP is configured using a script. Here it is (truncated version):
>
> ifconfig carp5 create
> ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description "LAN"
>
> ifconfig carp2 create
> ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
>
> ifconfig carp3 create
> ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"
>
> ifconfig carp12 create
> ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"
>
> ifconfig carp13 create
> ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"
>
> ifconfig carp4 create
> ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
> ifconfig carp4 alias 217.109.108.1/24
>
> ifconfig carp14 create
> ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description "Internet"
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original message-----
> From: uday [mailto:umoorjani@gmail.com]
> Sent: Friday 26 June 2009 12:21
> To: BARDOU Pierre
> Cc: misc@openbsd.org
> Subject: Re: CARP problem : slave rioting
>
> Can you post configuration files for the carp interfaces?
>
> "Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.
>
> On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre wrote:
>> Hello,
>>
>> I have a setup with 2 openBSD boxes used as firewalls; redundancy is made using CARP.
>> Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
>> Master's advskew is 10, slave's is 50.
>> All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
>> * on the net interface, the backup becomes master, but the master remains master -> Nearly half of the packets are lost
>> I did a tcpdump on the slave's interface; carp packets from the master arrive. But it remains master!
>> Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
>> Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
>>
>> * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), master becomes master again.
>>
>> Could you give me any clue to keep my master in master state?
>>
>> Thank you
>>
>> --
>> Regards,
>>
>> Pierre BARDOU
>> CSIM - Bureau 012
>>
>> Midi Picardie Informatique Hospitalière
>> 12 rue Michel Labrousse
>> BP93668
>> F-31036 Toulouse CEDEX 1
>>
>> Tel : 05 67 31 90 84
>> Fax : 05 34 61 51 00
>> Mail : bardo...@mipih.fr
Re: CARP problem : slave rioting
Pierre,

If I'm not mistaken the vhid on all your carp interfaces is the same value. I would suggest you use a unique value for each group. From the man:

The Virtual Host ID. This is a unique number that is used to identify the redundancy group to other nodes on the network. Acceptable values are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

"Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.

On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierre wrote:
> Hello,
>
> CARP is configured using a script. Here it is (truncated version):
>
> ifconfig carp5 create
> ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description "LAN"
>
> ifconfig carp2 create
> ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
>
> ifconfig carp3 create
> ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"
>
> ifconfig carp12 create
> ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"
>
> ifconfig carp13 create
> ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"
>
> ifconfig carp4 create
> ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
> ifconfig carp4 alias 217.109.108.1/24
>
> ifconfig carp14 create
> ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description "Internet"
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original message-----
> From: uday [mailto:umoorjani@gmail.com]
> Sent: Friday 26 June 2009 12:21
> To: BARDOU Pierre
> Cc: misc@openbsd.org
> Subject: Re: CARP problem : slave rioting
>
> Can you post configuration files for the carp interfaces?
>
> "Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.
>
> On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre wrote:
>> Hello,
>>
>> I have a setup with 2 openBSD boxes used as firewalls; redundancy is made using CARP.
>> Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
>> Master's advskew is 10, slave's is 50.
>> All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
>> * on the net interface, the backup becomes master, but the master remains master -> Nearly half of the packets are lost
>> I did a tcpdump on the slave's interface; carp packets from the master arrive. But it remains master!
>> Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
>> Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
>>
>> * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), master becomes master again.
>>
>> Could you give me any clue to keep my master in master state?
>>
>> Thank you
>>
>> --
>> Regards,
>>
>> Pierre BARDOU
>> CSIM - Bureau 012
>>
>> Midi Picardie Informatique Hospitalière
>> 12 rue Michel Labrousse
>> BP93668
>> F-31036 Toulouse CEDEX 1
>>
>> Tel : 05 67 31 90 84
>> Fax : 05 34 61 51 00
>> Mail : bardo...@mipih.fr
Re: CARP problem : slave rioting
Hello,

CARP is configured using a script. Here it is (truncated version):

ifconfig carp5 create
ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description "LAN"

ifconfig carp2 create
ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"

ifconfig carp3 create
ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"

ifconfig carp12 create
ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"

ifconfig carp13 create
ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"

ifconfig carp4 create
ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
ifconfig carp4 alias 217.109.108.1/24

ifconfig carp14 create
ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description "Internet"

--
Regards,
Pierre BARDOU

-----Original message-----
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday 26 June 2009 12:21
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Can you post configuration files for the carp interfaces?

"Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.

On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre wrote:
> Hello,
>
> I have a setup with 2 openBSD boxes used as firewalls; redundancy is made using CARP.
> Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
> Master's advskew is 10, slave's is 50.
> All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
> * on the net interface, the backup becomes master, but the master remains master -> Nearly half of the packets are lost
> I did a tcpdump on the slave's interface; carp packets from the master arrive. But it remains master!
> Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
> Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
>
> * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), master becomes master again.
>
> Could you give me any clue to keep my master in master state?
>
> Thank you
>
> --
> Regards,
>
> Pierre BARDOU
> CSIM - Bureau 012
>
> Midi Picardie Informatique Hospitalière
> 12 rue Michel Labrousse
> BP93668
> F-31036 Toulouse CEDEX 1
>
> Tel : 05 67 31 90 84
> Fax : 05 34 61 51 00
> Mail : bardo...@mipih.fr
Re: CARP problem : slave rioting
Can you post configuration files for the carp interfaces ?

"Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him". Rev. Martin Luther King Jr.
CARP problem : slave rioting
Hello,

I have a setup with 2 OpenBSD boxes used as firewall, redundancy is made using CARP.
Each has 4 NICs: 1 for internet, 1 for pfsync, and the two last are used as a trunk, collecting all other VLANs.
Master's advskew is 10, slave's is 50.
All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:

* on the net interface, the backup becomes master, but the master remains master -> nearly half of the packets are lost.
  I did a tcpdump on the slave's interface, carp packets from the master arrive. But it remains master!

    Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
    Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

* on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), master becomes master again.

Could you give me any clue to keep my master in master state?

Thank you

--
Regards,

Pierre BARDOU
CSIM - Bureau 012

Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tel : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : bardo...@mipih.fr
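The tcpdump in the post above is the tell: on one wire, vhid 10 is being advertised with two different advskews (10 and 50). In CARP only the current MASTER of a vhid sends advertisements, and advskew is a per-host setting, so two advskews on one vhid means two hosts both believe they are master. The backup should fall silent as soon as it hears a lower-skew advertisement; if it keeps advertising, it is either not receiving the master's packets (multicast 224.0.0.18 not delivered, pf blocking proto carp) or rejecting them (password or address-list mismatch, which shows up as "incorrect hash"). The script below is an added example, not code from this thread; it parses tcpdump(8) lines in the two layouts seen on this page (with and without the -e link-layer header) and reports vhids with more than one advertiser. The sample capture is the two lines from the post plus constructed lines for a healthy vhid 11. One caveat: with net.inet.carp.preempt=1 a backup that hears a worse advertisement briefly advertises itself while taking over, so a single overlapping pair is normal; a pair that persists for many advbase intervals is the fault.

```python
"""Flag CARP vhids with more than one advertising host in tcpdump output.

Added example (not code from the misc@ thread).  It assumes the tcpdump(8)
line formats shown in the thread, with or without the -e link-layer header.
"""
import re
from collections import defaultdict

# Matches either
#   "Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]"
# or
#   "10:34:01.697488 CARPv2-advertise 36: vhid=10 advbase=1 advskew=15 demote=0 (DF) [tos 0x10]"
# The source MAC in the -e header is the virtual MAC 00:00:5e:00:01:<vhid>,
# shared by every node of the vhid, so it cannot tell the two senders apart;
# only advskew can.
ADVERT_RE = re.compile(
    r"(?P<ts>(?:[A-Z][a-z]{2} +\d{1,2} )?\d{2}:\d{2}:\d{2}\.\d+)"
    r".*?CARPv\d-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+) demote=(?P<demote>\d+)"
)

# Constructed sample: the two lines from the post (vhid 10) plus two
# constructed lines for a vhid 11 that has a single advertiser.
SAMPLE = [
    "Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: "
    "CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]",
    "Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: "
    "CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]",
    "Jun 22 16:42:51.010000 00:00:5e:00:01:0b 01:00:5e:00:00:12 0800 70: "
    "CARPv2-advertise 36: vhid=11 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]",
    "Jun 22 16:42:52.010000 00:00:5e:00:01:0b 01:00:5e:00:00:12 0800 70: "
    "CARPv2-advertise 36: vhid=11 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]",
]


def parse_adverts(lines):
    """Yield (timestamp, vhid, advbase, advskew, demote) for each advertisement."""
    for line in lines:
        m = ADVERT_RE.search(line)
        if m:
            yield (m["ts"], int(m["vhid"]), int(m["advbase"]),
                   int(m["advskew"]), int(m["demote"]))


def find_dual_masters(lines):
    """Return {vhid: sorted distinct advskews} for vhids with >1 advertiser.

    Only the MASTER of a vhid advertises and advskew is per host, so more
    than one advskew on a vhid means more than one host claims mastership.
    """
    skews = defaultdict(set)
    for _ts, vhid, _base, skew, _demote in parse_adverts(lines):
        skews[vhid].add(skew)
    return {v: sorted(s) for v, s in skews.items() if len(s) > 1}


def expected_master(lines):
    """Per vhid, the advskew that should win: the lowest one seen.

    All advertisements on this page carry demote=0; with equal demotion
    counters the lower advskew wins the election.
    """
    best = {}
    for _ts, vhid, _base, skew, _demote in parse_adverts(lines):
        best[vhid] = min(best.get(vhid, skew), skew)
    return best


if __name__ == "__main__":
    winners = expected_master(SAMPLE)
    for vhid, skews in sorted(find_dual_masters(SAMPLE).items()):
        print(f"vhid {vhid}: {len(skews)} hosts advertising (advskew {skews}); "
              f"only the advskew {winners[vhid]} host should be master")
```

Run it against a live capture with `tcpdump -n -e -i vlan4 proto carp | python3 carpcheck.py` after changing the sample to read `sys.stdin`; the point is the grouping by (vhid, advskew), which works on either tcpdump layout.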
Re: Carp problem on Realtek 8169SC" rev 0x10: RTL8169/8110SCd
On 2008-06-19, Benjamin Jeeves <[EMAIL PROTECTED]> wrote:
> I am new to OpenBSD and have two boxes with the same hardware running 4.2 as
> the dmesg below.

Multicast is broken on multiple OS with this revision of re(4).

> I have tried looking on the web but only find
> ref to NetBSD not OpenBSD.

Did you find a fix for it for NetBSD?

afaik the best information we have at the moment is that it's fixed by one of hundreds of lines of undocumented changes to the most recent vendor FreeBSD driver (it's "open source", but if you were looking for an example of why we ask for data sheets and errata listings rather than completed drivers, you couldn't do much better than this).
Re: Carp problem on Realtek 8169SC" rev 0x10: RTL8169/8110SCd
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5787
Carp problem on Realtek 8169SC" rev 0x10: RTL8169/8110SCd
Hi All

I am new to OpenBSD and have two boxes with the same hardware running 4.2 as the dmesg below. I have set up and tested carp on the re0, re1, and re2 network cards but it does not work. I have watched the traffic with tcpdump and do not see any of the 224.0.0.18 traffic from the second box. This makes me think that the re driver or card has a problem with 224.0.0.18 traffic, e.g. multicast traffic.

I was looking for some help on this and any info or patch would be good. I have tried looking on the web but only find ref to NetBSD not OpenBSD. Sorry if this is the wrong place to send this.

Carp works on the vr0 interface.

Thank you
Ben

# ifconfig
lo0: flags=8049 mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
re0: flags=8843 mtu 1500
        lladdr 00:30:18:a3:e2:97
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.252 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::230:18ff:fea3:e297%re0 prefixlen 64 scopeid 0x1
re1: flags=8943 mtu 1500
        lladdr 00:30:18:a3:e2:98
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.22.11.252 netmask 0xff00 broadcast 172.22.11.255
        inet6 fe80::230:18ff:fea3:e298%re1 prefixlen 64 scopeid 0x2
re2: flags=8843 mtu 1500
        lladdr 00:30:18:a3:e2:99
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.22.12.252 netmask 0xff00 broadcast 172.22.12.255
        inet6 fe80::230:18ff:fea3:e299%re2 prefixlen 64 scopeid 0x3
vr0: flags=8802 mtu 1500
        lladdr 00:30:18:a1:05:87
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
enc0: flags=0<> mtu 1536
carp1: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:32
        carp: MASTER carpdev re1 vhid 50 advbase 1 advskew 0
        groups: carp
        inet 172.22.11.1 netmask 0x broadcast 255.255.255.0
        inet6 fe80::200:5eff:fe00:132%carp1 prefixlen 64 scopeid 0x7
#

OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA C7-D Processor 1500MHz ("CentaurHauls" 686-class) 1.51 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,xTPR
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
real mem = 468152320 (446MB)
avail mem = 97920 (423MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/30/07, BIOS32 rev. 0 @ 0xfa130, SMBIOS rev. 2.3 @ 0xf (34 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 11/30/2007
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0xc964
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc890/208 (11 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 11 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8237 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA CN700 Host" rev 0x00
agp0 at pchb0: v3, aperture at 0xe800, size 0x1000
pchb1 at pci0 dev 0 function 1 "VIA CN700 Host" rev 0x00
pchb2 at pci0 dev 0 function 2 "VIA CN700 Host" rev 0x00
pchb3 at pci0 dev 0 function 3 "VIA PT890 Host" rev 0x00
pchb4 at pci0 dev 0 function 4 "VIA CN700 Host" rev 0x00
pchb5 at pci0 dev 0 function 7 "VIA CN700 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA S3 Unichrome PRO IGP" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
re0 at pci0 dev 9 function 0 "Realtek 8169SC" rev 0x10: RTL8169/8110SCd (0x1800), irq 11, address 00:30:18:a3:e2:97
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
"VIA VT6306 FireWire" rev 0x80 at pci0 dev 10 function 0 not configured
re1 at pci0 dev 11 function 0 "Realtek 8169SC" rev 0x10: RTL8169/8110SCd (0x1800), irq 5, address 00:30:18:a3:e2:98
rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 2
re2 at pci0 dev 12 function 0 "Realtek 8169SC" rev 0x10: RTL8169/8110SCd (0x1800), irq 10, address 00:30:18:a3:e2:99
rgephy2 at re2 phy 7: RTL8169S/8110S PHY, rev. 2
pciide0 at pci0 dev 15 function 0 "VIA VT6420 SATA" rev 0x80: DMA
pciide0: using irq 11 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide1: channel 0 disabled (no drives)
pciide1: chann
Re: CARP problem
Marco Pfatschbacher wrote:
> On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
>> Googling showed up quite a few posts of people having problems with CARP
>> and the "incorrect hash" message, but none really helped me.
>
> the most common reason for "incorrect hash" messages is that your
> configuration isn't in sync. That includes all IP addresses and the
> password. Seems like that's the case in your setup:
> [...]
> dunno where you got 134.102.176.202 from, though...
>
>> hostname.carp0:
>> inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass xxx10 carpdev
>> vlan0 advskew 100 state backup
>
> You shouldn't use "state backup" here. The higher advskew is sufficient.
> "state" is only needed for manual intervention.

Have removed "state backup", and it is still working. Also fixed my hostname.carp0.

Thanks for your help

--Heinrich
Re: CARP problem
On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
>
> Googling showed up quite a few posts of people having problems with CARP
> and the "incorrect hash" message, but none really helped me.

the most common reason for "incorrect hash" messages is that your configuration isn't in sync. That includes all IP addresses and the password. Seems like that's the case in your setup:

> carp0: flags=8843 mtu 1500
>         lladdr 00:00:5e:00:01:0a
>         carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
>         groups: carp
>         inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
>         inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
>         inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255

vs.

> carp0: flags=8802 mtu 1500
>         lladdr 00:00:5e:00:01:0a
>         carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
>         groups: carp
>         inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
>         inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

dunno where you got 134.102.176.202 from, though...

> hostname.carp0:
> inet 134.102.176.250 255.255.255.0 134.102.176.255 vhid 10 pass xxx10 carpdev
> vlan0 advskew 100 state backup
>

You shouldn't use "state backup" here. The higher advskew is sufficient. "state" is only needed for manual intervention.
Solved: CARP problem
Heinrich Rebehn wrote:
> Both machines think they're MASTER on carp0. Since both are complaining
> about "carp0: incorrect hash" i have double checked the passwords on both
> machines, no diff!
> [...]
> Any ideas?

It is really strange: As soon as i have posted the problem to the list, i seem to be able to relax and think better :-)

The solution:

On frw1:

carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
        inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255
        inet 134.102.176.202 netmask 0xff00 broadcast 134.102.176.255

On frw2:

carp0: flags=8802 mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
        inet 134.102.176.250 netmask 0xff00 broadcast 134.102.176.255

The alias made the difference! On frw1 i had added it in /etc/rc.conf.local because i had difficulties defining it in /etc/hostname.carp0. This was missing on frw2!

Now it works.

Apologies for the noise!

--Heinrich
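Marco's reply and Heinrich's solution make the same point from two sides: the CARP advertisement HMAC is keyed with the password and computed over the vhid and the interface's full list of virtual addresses, so an alias present on one node only is enough for the peer to reject every advertisement as "incorrect hash", after which both nodes elect themselves MASTER. Password diffs are easy to check; address-list diffs hide in rc.conf.local and aliases, as here. The script below is an added example, not code from the thread: it parses the ifconfig(8) output layout shown above for both nodes and reports the differences that matter for the hash (vhid, full address set), plus the election sanity checks this thread touches (same carpdev, distinct advskew, not both MASTER). The sample input is the frw1/frw2 carp0 output from the thread; the vlan0 block in front of it is constructed context to show non-carp interfaces are ignored.

```python
"""Compare the CARP configuration of two nodes from their ifconfig output.

Added example, not from the misc@ thread.  It parses the ifconfig(8) layout
shown in the thread and reports what must match for the advertisement HMAC
to verify (vhid and the full address list, aliases included) plus a few
election sanity checks (carpdev, distinct advskew, not both MASTER).
"""
import re

HDR_RE = re.compile(r"^(\S+): flags=")
CARP_RE = re.compile(r"carp: (\w+) carpdev (\S+) vhid (\d+) advbase (\d+) advskew (\d+)")
INET_RE = re.compile(r"^\s*inet6? (\S+)")

# Sample input: frw1/frw2 carp0 output from the thread.  The vlan0 block and
# its 134.102.176.251 address are constructed context, not from the thread.
FRW1 = """\
vlan0: flags=8843 mtu 1500
        inet 134.102.176.251 netmask 0xffffff00 broadcast 134.102.176.255
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xa
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255
        inet 134.102.176.202 netmask 0xffffff00 broadcast 134.102.176.255
"""
FRW2 = """\
carp0: flags=8802 mtu 1500
        lladdr 00:00:5e:00:01:0a
        carp: INIT carpdev vlan0 vhid 10 advbase 1 advskew 100
        groups: carp
        inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0xb
        inet 134.102.176.250 netmask 0xffffff00 broadcast 134.102.176.255
"""


def parse_ifconfig(text):
    """Return {carpN: {"state", "carpdev", "vhid", "advskew", "addrs"}}.

    Link-local inet6 addresses are skipped: they derive from the shared
    virtual MAC 00:00:5e:00:01:<vhid> and are identical on both nodes.
    """
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            name = m.group(1)
            cur = ifaces.setdefault(name, {"addrs": set()}) if name.startswith("carp") else None
            continue
        if cur is None:
            continue
        m = CARP_RE.search(line)
        if m:
            cur.update(state=m.group(1), carpdev=m.group(2),
                       vhid=int(m.group(3)), advskew=int(m.group(5)))
            continue
        m = INET_RE.match(line)
        if m and not m.group(1).startswith("fe80:"):
            cur["addrs"].add(m.group(1))
    return ifaces


def compare_pair(text_a, text_b, name_a="a", name_b="b"):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_ifconfig(text_a), parse_ifconfig(text_b)
    findings = []
    for ifn in sorted(set(a) | set(b)):
        if ifn not in a or ifn not in b:
            findings.append(f"{ifn}: present only on {name_a if ifn in a else name_b}")
            continue
        ia, ib = a[ifn], b[ifn]
        # vhid and the address list are inputs to the advertisement HMAC:
        # any difference here means "incorrect hash" on the receiving side.
        for key in ("vhid", "carpdev"):
            if ia.get(key) != ib.get(key):
                findings.append(f"{ifn}: {key} differs ({ia.get(key)} vs {ib.get(key)})")
        only_a, only_b = ia["addrs"] - ib["addrs"], ib["addrs"] - ia["addrs"]
        if only_a:
            findings.append(f"{ifn}: addresses only on {name_a}: {sorted(only_a)}")
        if only_b:
            findings.append(f"{ifn}: addresses only on {name_b}: {sorted(only_b)}")
        # Election checks: the lower advskew must be unique, and at most one
        # node may be MASTER at any time.
        if ia.get("advskew") == ib.get("advskew"):
            findings.append(f"{ifn}: both nodes use advskew {ia.get('advskew')}; election is undecided")
        if ia.get("state") == ib.get("state") == "MASTER":
            findings.append(f"{ifn}: both nodes are MASTER (split brain)")
    return findings


if __name__ == "__main__":
    for finding in compare_pair(FRW1, FRW2, "frw1", "frw2") or ["no differences"]:
        print(finding)
```

Feed it `ifconfig carp` captured from each node (for example over ssh) instead of the embedded samples; on the thread's output it reports exactly the alias that was missing on frw2. It cannot see the password, which ifconfig never prints, so a clean report plus a persistent "incorrect hash" points at the pass string.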
Re: CARP problem
On Tue, Oct 23, 2007 at 11:10:32AM +0200, Heinrich Rebehn wrote:
> What happens:
> 1. I boot frw1, it becomes MASTER on all carps -> good.
> 2. I boot frw2, it becomes BACKUP on all carps except carp0, which
> becomes MASTER -> bad.
>
> Any ideas?

Do you have pass quick for carp and pfsync *before* antispoof and block rules, and on *all* carp interfaces?

Rui

--
Grudnuk demand sustenance!
Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi
+ So let's do it...?
CARP problem
Hi All,

i am trying to setup a carp'ed pair of firewalls and am fighting with strange CARP behavior. "frw1" is i386, "frw2" is amd64, but both run i386 OpenBSD 4.2.

On each machine i have configured 4 vlans on the sk0 interface. The carp interfaces are configured on top of the vlan interfaces (see attachments).

Note: i had to bring down carp0 manually on frw2 to keep it from confusing our network. Therefore it is shown in INIT state.

What happens:
1. I boot frw1, it becomes MASTER on all carps -> good.
2. I boot frw2, it becomes BACKUP on all carps except carp0, which becomes MASTER -> bad.

Both machines think they're MASTER on carp0. Since both are complaining about "carp0: incorrect hash" i have double checked the passwords on both machines, no diff!

I brought carp2 down on frw1 and it immediately failed over to frw2, so CARP in general does work. Since all traffic is running through the same physical device and the problem is only on one carp interface i tend to rule out hardware problems.

Googling showed up quite a few posts of people having problems with CARP and the "incorrect hash" message, but none really helped me.

[EMAIL PROTECTED] [/etc] # pfctl -sr | grep carp
pass quick proto carp all no state
[EMAIL PROTECTED] [~] # pfctl -sr | grep carp
pass quick proto carp all no state

Any ideas?

--
Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax :-3341

OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.60GHz ("GenuineIntel" 686-class) 2.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 1072459776 (1022MB)
avail mem = 1029386240 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/12/03, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.3 @ 0xf04a0 (68 entries)
bios0: vendor American Megatrends Inc. version "080009 " date 12/12/2003
bios0: ASUSTeK Computer Inc. P4P800
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5100/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G/PE/P CPU-I/0-1" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82865G/PE/P CPU-AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage 128 Pro TF" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 10
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 5
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: irq 10
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xc2
pci2 at ppb1 bus 2
skc0 at pci2 dev 5 function 0 "3Com 3c940" rev 0x12, Yukon (0x1): irq 11
sk0 at skc0 port A: address 00:0c:6e:d8:b0:d8
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
xl0 at pci2 dev 10 function 0 "3Com 3c905C 100Base-TX" rev 0x74: irq 11, address 00:04:76:a0:43:bd
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801EB SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 5 for native-PCI interrupt
wd0 at pciide1 channel 1 drive 0:
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: irq 11, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2